Diffstat (limited to 'etc')
102 files changed, 601 insertions, 223 deletions
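--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,12 +1,12 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
 
-# Here are some examples to allow running programs from home directory.
+# Here are some examples to allow running programs from your home directory.
 # Don't enable all of these, just pick a specific one or write a custom rule
 # instead as done below for torbrowser-launcher.
 #owner @HOME/** ix,
-#owner @HOME/bin/** ix
-#owner @HOME/.local/bin/** ix
+#owner @HOME/bin/** ix,
+#owner @HOME/.local/bin/** ix,
 
 # Uncomment to opt-in to apparmor for brave + ipfs
 #owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,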
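--- a/etc/inc/allow-python2.inc
+++ b/etc/inc/allow-python2.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python2.local
 
+noblacklist ${HOME}/.local/lib/python2*
 noblacklist ${PATH}/python2*
 noblacklist /usr/include/python2*
 noblacklist /usr/lib/python2*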
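Review bot: The new `noblacklist ${HOME}/.local/lib/python2*` re-exposes a user-writable directory (the per-user site-packages location) inside the sandbox, unlike the three existing entries which are all system paths; the same applies to `noblacklist ${HOME}/.local/lib/python3*` in allow-python3.inc. This is needed for the interpreter to import user-installed modules, but it also means a sandboxed program can modify code that a later run of any python-using profile will execute. Where a calling profile only needs to run Python rather than install packages, pairing the include with `read-only ${HOME}/.local/lib/python2*` (respectively `python3*`) in that profile keeps the sandbox from writing to its own import path; a one-line comment above the new rule saying that this directory is user-writable and that callers may want to make it read-only would make the trade-off visible.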
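--- a/etc/inc/allow-python3.inc
+++ b/etc/inc/allow-python3.inc
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include allow-python3.local
 
+noblacklist ${HOME}/.local/lib/python3*
 noblacklist ${PATH}/python3*
 noblacklist /usr/include/python3*
 noblacklist /usr/lib/python3*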
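--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -69,6 +69,9 @@ blacklist ${HOME}/.xsessionrc
 blacklist /etc/X11/Xsession.d
 blacklist /etc/xdg/autostart
 read-only ${HOME}/.Xauthority
+read-only ${HOME}/.config/awesome/autorun.sh
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment
 
 # Session manager
 # see #3358
@@ -123,6 +126,7 @@ read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
 read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.config/lxqt
 read-only ${HOME}/.kde/share/apps/konsole
 read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/*notifyrc
@@ -329,6 +333,7 @@ read-only ${HOME}/.ssh/config.d
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.caffrc
 read-only ${HOME}/.cargo/env
+read-only ${HOME}/.config/mpv
 read-only ${HOME}/.config/nano
 read-only ${HOME}/.config/nvim
 read-only ${HOME}/.config/pkcs11
@@ -337,6 +342,7 @@ read-only ${HOME}/.elinks
 read-only ${HOME}/.emacs
 read-only ${HOME}/.emacs.d
 read-only ${HOME}/.exrc
+read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gvimrc
 read-only ${HOME}/.homesick
 read-only ${HOME}/.iscreenrc
@@ -345,6 +351,7 @@ read-only ${HOME}/.local/share/cool-retro-term
 read-only ${HOME}/.local/share/nvim
 read-only ${HOME}/.local/state/nvim
 read-only ${HOME}/.mailcap
+read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
@@ -366,6 +373,10 @@ read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
 read-only ${HOME}/dotfiles
 
+# System package managers and AUR helpers
+blacklist ${HOME}/.config/cower
+read-only ${HOME}/.config/cower/config
+
 # Make directories commonly found in $PATH read-only
 read-only ${HOME}/.bin
 read-only ${HOME}/.cargo/bin
@@ -391,6 +402,11 @@ read-only ${HOME}/.config/user-dirs.dirs
 read-only ${HOME}/.config/user-dirs.locale
 read-only ${HOME}/.local/share/mime
 
+# Configuration files that do not allow arbitrary command execution but that
+# are intended to be modified manually (in a text editor and/or by a program
+# dedicated to managing them)
+read-only ${HOME}/.config/MangoHud
+
 # Write-protection for thumbnailer dir
 read-only ${HOME}/.local/share/thumbnailers
 
@@ -556,6 +572,7 @@ blacklist ${PATH}/ss
 blacklist ${PATH}/traceroute
 
 # other SUID binaries
+blacklist /opt/microsoft/msedge*/msedge-sandbox
 blacklist /usr/lib/virtualbox
 blacklist /usr/lib64/virtualbox
 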
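Review bot: `read-only ${HOME}/.gnupg/gpg.conf` (hunk @@ -337,6 +342,7 @@) is placed under "Initialization files that allow arbitrary command execution", but it protects only one of the files in `${HOME}/.gnupg` that name programs to run; `gpg-agent.conf` (its `pinentry-program` option names an executable) is not in the hunk. If that file is not already covered elsewhere in disable-common.inc, `read-only ${HOME}/.gnupg/gpg-agent.conf` belongs in the same section; if the intent is that profiles needing keyring writes opt back in, making the whole directory read-only here is the alternative, but that is a larger change. The msedge-sandbox blacklist in the last hunk mirrors the chrome-sandbox one; presumably a future Edge profile will need a matching `noblacklist`, so a short comment pointing at chromium-common.profile's `noblacklist /usr/lib/chromium/chrome-sandbox` as the pattern would save the next author a search.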
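--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -61,6 +61,7 @@ blacklist /usr/lib64/ruby
 
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
+blacklist ${HOME}/.local/lib/python2*
 blacklist ${PATH}/python2*
 blacklist /usr/include/python2*
 blacklist /usr/lib/python2*
@@ -70,6 +71,7 @@ blacklist /usr/share/python2*
 # You will want to add noblacklist for python3 stuff in the firefox and/or chromium profiles if you use the Gnome connector (see Issue #2026)
 
 # Python 3
+blacklist ${HOME}/.local/lib/python3*
 blacklist ${PATH}/python3*
 blacklist /usr/include/python3*
 blacklist /usr/lib/python3*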
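--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -51,6 +51,7 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bsfilter
 blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
 blacklist ${HOME}/.cache/0ad
@@ -83,6 +84,7 @@ blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/ani-cli
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/audacity
@@ -318,6 +320,7 @@ blacklist ${HOME}/.config/PacmanLogViewer
 blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/Postman
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QQ
@@ -399,7 +402,6 @@ blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/cointop
 blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
-blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/coyim
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/darktable
@@ -410,6 +412,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/discordptb
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphin-emu
@@ -477,6 +480,7 @@ blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
 blacklist ${HOME}/.config/jami
+blacklist ${HOME}/.config/jami.net
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/jgit
 blacklist ${HOME}/.config/k3brc
@@ -517,6 +521,7 @@ blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
+blacklist ${HOME}/.config/lobster
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
@@ -952,6 +957,7 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/lobster
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
@@ -1027,6 +1033,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/ani-cli
 blacklist ${HOME}/.local/state/audacity
 blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
@@ -1177,6 +1184,7 @@ blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/Postman
 blacklist ${HOME}/Seafile/.seafile-data
 blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups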
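Review bot: Removing `blacklist ${HOME}/.config/cower` (hunk @@ -399,7 +402,6 @@) makes that directory's protection depend on disable-common.inc, where this commit re-adds it under "System package managers and AUR helpers"; a profile that includes disable-programs.inc but not disable-common.inc no longer gets it. If no such profile exists that is fine, but since every other entry in this file is a plain per-program path, a one-line comment at the removal site, or next to the moved rule, saying `# cower: see disable-common.inc (package manager section)` would stop the next contributor from re-adding it here.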
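--- a/etc/inc/whitelist-common.inc
+++ b/etc/inc/whitelist-common.inc
@@ -10,16 +10,12 @@ whitelist ${HOME}/.asoundrc
 whitelist ${HOME}/.config/ibus
 whitelist ${HOME}/.config/mimeapps.list
 whitelist ${HOME}/.config/pkcs11
-read-only ${HOME}/.config/pkcs11
 whitelist ${HOME}/.config/user-dirs.dirs
-read-only ${HOME}/.config/user-dirs.dirs
 whitelist ${HOME}/.config/user-dirs.locale
-read-only ${HOME}/.config/user-dirs.locale
 whitelist ${HOME}/.drirc
 whitelist ${HOME}/.icons
 ?HAS_APPIMAGE: whitelist ${HOME}/.local/share/appimagekit
 whitelist ${HOME}/.local/share/applications
-read-only ${HOME}/.local/share/applications
 whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
@@ -68,6 +64,7 @@ whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
 whitelist ${HOME}/.config/ksslcablacklist
+whitelist ${HOME}/.config/lxqt
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.config/qt6ct
 whitelist ${HOME}/.config/qtcurve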
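Review bot: Dropping the four `read-only` lines in hunk @@ -10,16 +10,12 @@ means write-protection of `${HOME}/.config/pkcs11`, `user-dirs.dirs`, `user-dirs.locale` and `${HOME}/.local/share/applications` now depends on the profile also including disable-common.inc. The disable-common.inc hunks in this commit show read-only rules for pkcs11 and user-dirs.* as surrounding context, but none for `.local/share/applications` is visible here, so that one should be confirmed to exist there before relying on the removal; a writable applications directory lets a sandboxed program rewrite .desktop launchers used outside the sandbox. A short comment at the top of this block, `# write-protection for these paths lives in disable-common.inc`, would record where the rules went.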
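--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include discord-ptb.profile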
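--- a/etc/profile-a-l/agetpkg.profile
+++ b/etc/profile-a-l/agetpkg.profile
@@ -28,7 +28,6 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-hostname agetpkg
 ipc-namespace
 machine-id
 netfilter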
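--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,39 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,nohup,patch,sed,sh,sort,tail,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile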
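Review bot: `#machine-id` and `#private-cache` are commented out without a reason, whereas the convention visible elsewhere in this commit records one on the same line (chromium-common.profile's `#private-tmp - issues when using multiple browser sessions`). For private-cache the reason is visible in the profile itself — the script's state is whitelisted under `${HOME}/.cache/ani-cli`, which a tmpfs on `~/.cache` would hide — so `#private-cache - ani-cli keeps its history in ${HOME}/.cache/ani-cli` documents it; for machine-id the reason is not visible here and should be added by the author. The `private-bin` list is wide for a viewer (it includes `sh`, `nohup` and `patch` alongside the downloaders); if each is required by the script a brief comment saying so would justify it, otherwise trimming it narrows what can be executed inside the sandbox.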
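--- a/etc/profile-a-l/apostrophe.profile
+++ b/etc/profile-a-l/apostrophe.profile
@@ -1,5 +1,5 @@
 # Firejail profile for apostrophe
-# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include apostrophe.local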
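--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -23,7 +23,6 @@ include disable-shell.inc
 
 apparmor
 caps.drop all
-hostname archiver
 ipc-namespace
 machine-id
 net none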
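--- a/etc/profile-a-l/awesome.profile
+++ b/etc/profile-a-l/awesome.profile
@@ -16,5 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/awesome/autorun.sh
 #restrict-namespaces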
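--- /dev/null
+++ b/etc/profile-a-l/blink-common-hardened.inc.profile
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include blink-common-hardened.inc.local
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+
+#restrict-namespaces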
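--- /dev/null
+++ b/etc/profile-a-l/blink-common.profile
@@ -0,0 +1,40 @@
+# Firejail profile for blink-common
+# Description: Common profile for Blink-based applications
+# This file is overwritten after every install/update
+# Persistent local customizations
+include blink-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+#include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# If your kernel allows the creation of user namespaces by unprivileged users
+# (for example, if running `unshare -U echo enabled` prints "enabled"), you
+# can add the next line to your blink-common.local.
+#include blink-common-hardened.inc.profile
+
+apparmor
+caps.keep sys_admin,sys_chroot
+netfilter
+nodvd
+nogroups
+noinput
+notv
+
+disable-mnt
+private-cache
+
+dbus-system none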
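Review bot: `#include whitelist-run-common.inc` (line 19 of the new file) is commented out with no reason, while chromium-common.profile keeps `include whitelist-run-common.inc` active after this commit; a reader cannot tell whether the common profile deliberately leaves /run whitelisting to each caller or whether the line was simply not carried over. If it is intentional, `#include whitelist-run-common.inc - left to the caller profile` makes that explicit. It would also help to state in the header that `caps.keep sys_admin,sys_chroot` is there for the SUID sandbox helper and is what the hardened include replaces with `caps.drop all`, since the two files are now read together.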
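--- a/etc/profile-a-l/bluefish.profile
+++ b/etc/profile-a-l/bluefish.profile
@@ -1,5 +1,5 @@
 # Firejail profile for bluefish
-# Description: Advanced Gtk+ text editor for web and software development
+# Description: Advanced GTK text editor for web and software development
 # This file is overwritten after every install/update
 # Persistent local customizations
 include bluefish.local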
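--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -1,5 +1,5 @@
 # Firejail profile for celluloid
-# Description: Simple GTK+ frontend for mpv
+# Description: Simple GTK frontend for mpv
 # This file is overwritten after every install/update
 # Persistent local customizations
 include celluloid.local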
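--- a/etc/profile-a-l/chafa.profile
+++ b/etc/profile-a-l/chafa.profile
@@ -39,6 +39,7 @@ nosound
 notv
 nou2f
 novideo
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 tracelog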
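--- a/etc/profile-a-l/chromium-common-hardened.inc.profile
+++ b/etc/profile-a-l/chromium-common-hardened.inc.profile
@@ -1,11 +1,10 @@
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile alias for blink-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
 include chromium-common-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
-caps.drop all
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp !chroot
-
-#restrict-namespaces
+# Redirect
+include blink-common-hardened.inc.profile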
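--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -17,42 +17,21 @@ noblacklist /usr/lib/chromium/chrome-sandbox
 # to have access to Gnome extensions (extensions.gnome.org) via browser connector
 #include allow-python3.inc
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.local/share/pki
 mkdir ${HOME}/.pki
-whitelist ${DOWNLOADS}
 whitelist ${HOME}/.local/share/pki
 whitelist ${HOME}/.pki
 whitelist /usr/share/mozilla/extensions
 whitelist /usr/share/webext
-include whitelist-common.inc
 include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
 
 # If your kernel allows the creation of user namespaces by unprivileged users
 # (for example, if running `unshare -U echo enabled` prints "enabled"), you
 # can add the next line to your chromium-common.local.
 #include chromium-common-hardened.inc.profile
 
-apparmor
-caps.keep sys_admin,sys_chroot
-netfilter
-nodvd
-nogroups
-noinput
-notv
 ?BROWSER_DISABLE_U2F: nou2f
 
-disable-mnt
-private-cache
 ?BROWSER_DISABLE_U2F: private-dev
 #private-tmp - issues when using multiple browser sessions
 
@@ -61,7 +40,9 @@ blacklist ${PATH}/wget
 blacklist ${PATH}/wget2
 
 #dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-dbus-system none
 
 # The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
+
+# Redirect
+include blink-common.profile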
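Review bot: The hardening instructions now exist twice with different targets: new lines 28-31 here tell users to add `#include chromium-common-hardened.inc.profile` to chromium-common.local, while blink-common.profile (included via the new redirect) tells them to add `#include blink-common-hardened.inc.profile` to blink-common.local, and chromium-common-hardened.inc.profile is now only an alias for the blink one. A user who follows both gets the same restrictions applied twice, and a maintainer has two comment blocks to keep in sync. Suggest reducing the block here to a pointer, e.g. `# See blink-common.profile for how to opt in to the hardened (user-namespace) variant.`, or stating in it that chromium-common-hardened.inc is an alias and only one of the two includes is needed.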
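--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -1,5 +1,5 @@
 # Firejail profile for claws-mail
-# Description: Fast, lightweight and user-friendly GTK based email client
+# Description: Fast, lightweight and user-friendly GTK-based email client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include claws-mail.local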
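--- a/etc/profile-a-l/clipit.profile
+++ b/etc/profile-a-l/clipit.profile
@@ -1,5 +1,5 @@
 # Firejail profile for clipit
-# Description: Lightweight GTK+ clipboard manager
+# Description: Lightweight GTK clipboard manager
 # This file is overwritten after every install/update
 # Persistent local customizations
 include clipit.local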
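--- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -1,5 +1,5 @@
 # Firejail profile for com.github.bleakgrey.tootle
-# Description: Gtk Mastodon client
+# Description: GTK Mastodon client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include com.github.bleakgrey.tootle.local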
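--- a/etc/profile-a-l/corebird.profile
+++ b/etc/profile-a-l/corebird.profile
@@ -1,5 +1,5 @@
 # Firejail profile for corebird
-# Description: Native Gtk+ Twitter client for the Linux desktop
+# Description: Native GTK Twitter client for the Linux desktop
 # This file is overwritten after every install/update
 # Persistent local customizations
 include corebird.local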
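--- a/etc/profile-a-l/cower.profile
+++ b/etc/profile-a-l/cower.profile
@@ -45,5 +45,4 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-read-only ${HOME}/.config/cower/config
 restrict-namespaces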
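Review bot: Dropping `read-only ${HOME}/.config/cower/config` (old line 48) lets the sandboxed cower rewrite its own configuration, which is exactly what that line prevented, and nothing in the hunk records why the protection is no longer wanted. If cower needs to write the file, a comment in its place such as `# config is rewritten by cower itself, so it cannot be read-only` would stop the next contributor from re-adding it; if the path is now covered by a shared include, the commit message should say so. Either way a hardening removal deserves a one-line rationale in the profile.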
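--- a/etc/profile-a-l/deadbeef.profile
+++ b/etc/profile-a-l/deadbeef.profile
@@ -1,5 +1,5 @@
 # Firejail profile for deadbeef
-# Description: A GTK+ audio player for GNU/Linux
+# Description: A GTK audio player for GNU/Linux
 # This file is overwritten after every install/update
 # Persistent local customizations
 include deadbeef.local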
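--- a/etc/profile-a-l/dino-im.profile
+++ b/etc/profile-a-l/dino-im.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino-im
-# Description: Modern XMPP Chat Client using GTK+/Vala, Ubuntu specific bin name
+# Description: Modern XMPP Chat Client using GTK/Vala, Ubuntu specific bin name
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino-im.local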
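--- a/etc/profile-a-l/dino.profile
+++ b/etc/profile-a-l/dino.profile
@@ -1,5 +1,5 @@
 # Firejail profile for dino
-# Description: Modern XMPP Chat Client using GTK+/Vala
+# Description: Modern XMPP Chat Client using GTK/Vala
 # This file is overwritten after every install/update
 # Persistent local customizations
 include dino.local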
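--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordptb
+
+mkdir ${HOME}/.config/discordptb
+whitelist ${HOME}/.config/discordptb
+
+private-bin discord-ptb,DiscordPTB
+private-opt discord-ptb,DiscordPTB
+
+# Redirect
+include discord-common.profile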
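Review bot: The new profile has no `# Description:` line between lines 1 and 2, while every other profile touched in this change carries one (see the claws-mail and clipit headers above); the header block is what the profile tooling and readers use to identify what is being sandboxed. Suggest adding `# Description: Discord Public Test Build` as line 2, adjusted to the wording the project uses for the sibling discord profiles. The rest of the file follows the usual noblacklist/mkdir/whitelist/private-bin/redirect layout.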
diff --git a/etc/profile-a-l/electron-common.profile b/etc/profile-a-l/electron-common.profile index 73b6d1067..bb48d6332 100644 --- a/etc/profile-a-l/electron-common.profile +++ b/etc/profile-a-l/electron-common.profile | |||
@@ -7,40 +7,21 @@ include electron-common.local | |||
7 | noblacklist ${HOME}/.config/Electron | 7 | noblacklist ${HOME}/.config/Electron |
8 | noblacklist ${HOME}/.config/electron*-flag*.conf | 8 | noblacklist ${HOME}/.config/electron*-flag*.conf |
9 | 9 | ||
10 | include disable-common.inc | ||
11 | include disable-devel.inc | ||
12 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | ||
14 | include disable-programs.inc | ||
15 | include disable-xdg.inc | ||
16 | |||
17 | whitelist ${DOWNLOADS} | ||
18 | whitelist ${HOME}/.config/Electron | 10 | whitelist ${HOME}/.config/Electron |
19 | whitelist ${HOME}/.config/electron*-flag*.conf | 11 | whitelist ${HOME}/.config/electron*-flag*.conf |
20 | include whitelist-common.inc | ||
21 | include whitelist-runuser-common.inc | ||
22 | include whitelist-usr-share-common.inc | ||
23 | include whitelist-var-common.inc | ||
24 | 12 | ||
25 | # If your kernel allows the creation of user namespaces by unprivileged users | 13 | # If your kernel allows the creation of user namespaces by unprivileged users |
26 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you | 14 | # (for example, if running `unshare -U echo enabled` prints "enabled"), you |
27 | # can add the next line to your electron-common.local. | 15 | # can add the next line to your electron-common.local. |
28 | #include electron-common-hardened.inc.profile | 16 | #include electron-common-hardened.inc.profile |
29 | 17 | ||
30 | apparmor | ||
31 | caps.keep sys_admin,sys_chroot | ||
32 | netfilter | ||
33 | nodvd | ||
34 | nogroups | ||
35 | noinput | ||
36 | notv | ||
37 | nou2f | 18 | nou2f |
38 | novideo | 19 | novideo |
39 | 20 | ||
40 | disable-mnt | ||
41 | private-cache | ||
42 | private-dev | 21 | private-dev |
43 | private-tmp | 22 | private-tmp |
44 | 23 | ||
45 | dbus-user none | 24 | dbus-user none |
46 | dbus-system none | 25 | |
26 | # Redirect | ||
27 | include blink-common.profile | ||
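Review bot: The rewrite removes `apparmor`, `caps.keep sys_admin,sys_chroot`, `netfilter`, `disable-mnt`, `private-cache`, `dbus-system none` and all of the disable-*/whitelist-* includes (old lines 10-23, 30-36, 40-41, 46) and relies on the new `include blink-common.profile` at line 27 to provide equivalents; that file is not in this chunk, so please confirm it sets each of them, because anything it omits is silently lost for every profile that redirects to electron-common.profile. Firejail takes the last value for single-valued options, so if blink-common.profile sets `dbus-user filter` it will override the `dbus-user none` at line 24 that now precedes the include. A comment above the include, e.g. `# blink-common.profile provides the disable-*/whitelist-* includes and the apparmor, caps, netfilter and private-* hardening`, would record what this profile now depends on.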
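--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -24,7 +24,6 @@ whitelist ${HOME}/.config/electron-mail
 # there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 machine-id
 nosound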
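Review bot: Removing `read-only ${HOME}/.mozilla/firefox/profiles.ini` (old line 27) keeps the file protected only if the line now lives in disable-common.inc, as the comment in the firefox.profile hunk of this change suggests; electron-mail reaches disable-common.inc only through electron-common.profile, and that file's hunk in this same change drops `include disable-common.inc` in favour of `include blink-common.profile`, which is not visible here. Please confirm blink-common.profile includes disable-common.inc, otherwise profiles.ini becomes writable inside the electron-mail sandbox and a compromised client could point Firefox at an attacker-chosen profile directory. The same removal appears in email-common.profile (old line 89), geary.profile (old line 94), kube.profile (old line 80) and linuxqq.profile (old line 40) and rests on the same assumption.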
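--- a/etc/profile-a-l/element-desktop.profile
+++ b/etc/profile-a-l/element-desktop.profile
@@ -18,6 +18,7 @@ whitelist /opt/Element
 private-opt Element
 
 dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
 dbus-user.talk org.freedesktop.secrets
 
 # Redirect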
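--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature
@@ -20,6 +21,9 @@ noblacklist /var/spool/mail
 
 noblacklist ${DOCUMENTS}
 
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -30,15 +34,18 @@ include disable-xdg.inc
 mkdir ${HOME}/.gnupg
 mkfile ${HOME}/.config/mimeapps.list
 mkfile ${HOME}/.signature
+whitelist ${HOME}/.bogofilter
+whitelist ${HOME}/.bsfilter
 whitelist ${HOME}/.config/mimeapps.list
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
 whitelist ${HOME}/.signature
 whitelist ${DOCUMENTS}
 whitelist ${DOWNLOADS}
 # when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
 whitelist ${HOME}/Mail
 whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/bogofilter
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /var/lib/clamav
@@ -71,7 +78,7 @@ tracelog
 # disable-mnt
 private-cache
 private-dev
-private-etc @tls-ca,@x11,clamav,gnupg,hosts.conf,mailname,timezone
+private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,gnupg,hosts.conf,mailname,timezone
 private-tmp
 # encrypting and signing email
 writable-run-user
@@ -86,6 +93,5 @@ dbus-user.talk org.gnome.seahorse.*
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 read-only ${HOME}/.signature
 restrict-namespaces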
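Review bot: The new `private-etc` at line 81 drops `clamav` while adding `bogofilter,bogofilter.cf`, so /etc/clamav is no longer visible in the sandbox even though `whitelist /var/lib/clamav` at line 51 is kept; if ClamAV scanning is still supported for the clients that include this profile, that looks accidental. Suggested line: `private-etc @tls-ca,@x11,bogofilter,bogofilter.cf,clamav,gnupg,hosts.conf,mailname,timezone`; if the removal is intentional, the /var/lib/clamav whitelist should probably go with it. Separately, `include allow-perl.inc` at line 25 re-enables an interpreter for every consumer of email-common.profile, and the comment names what blacklists perl but not which client needs it; `# Allow perl (blacklisted by disable-interpreters.inc) - needed by <CLIENT-NAME>` (placeholder) would let a later reader judge whether the grant can be narrowed to that client's own profile.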
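--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -10,18 +10,21 @@ include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+include disable-proc.inc
 include disable-programs.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -29,6 +32,7 @@ nou2f
 novideo
 protocol unix
 seccomp
+seccomp.block-secondary
 tracelog
 
 # private-bin engrampa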
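--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -29,6 +29,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
@@ -45,6 +46,10 @@ private-dev
 private-etc @x11
 # private-tmp
 
+dbus-user filter
+dbus-user.own org.gnome.ArchiveManager1
+dbus-user.own org.gnome.FileRoller
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 restrict-namespaces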
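Review bot: `dbus-user.talk ca.desrt.dconf` at line 52 grants the sandbox read and write access to the user's entire dconf/GSettings database, not only file-roller's own keys, since dconf is a single service with no per-schema filtering; that is the usual price of a GNOME app's settings, but it is the broadest grant in this filter and should be called out. Suggest `# dconf: GSettings access, grants the whole user settings database` above the line so the scope is visible to whoever tightens this profile later. The two `dbus-user.own` lines are specific to file-roller and look fine.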
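--- a/etc/profile-a-l/file.profile
+++ b/etc/profile-a-l/file.profile
@@ -15,7 +15,6 @@ include disable-programs.inc
 
 apparmor
 caps.drop all
-hostname file
 ipc-namespace
 machine-id
 net none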
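--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,9 @@ include globals.local
 # https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
 # https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968
 
+# (Ignore entry from disable-common.inc)
+ignore read-only ${HOME}/.mozilla/firefox/profiles.ini
+
 noblacklist ${HOME}/.cache/mozilla
 noblacklist ${HOME}/.mozilla
 noblacklist ${RUNUSER}/*firefox*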
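Review bot: The comment at line 17 says where the ignored `read-only` comes from but not why Firefox must be allowed to write profiles.ini, so a later reader cannot tell whether the exception is still needed or can be dropped. Suggest `# Firefox rewrites profiles.ini itself (profile creation/selection), so drop the read-only that disable-common.inc applies for other sandboxes` — confirm the wording against whatever motivated the move. The disable-common.inc change this relies on is not in this chunk; if it is in the same commit, referencing it here keeps the two sides in sync.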
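--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -1,5 +1,5 @@
 # Firejail profile for gajim
-# Description: GTK+-based Jabber client
+# Description: GTK-based Jabber client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gajim.local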
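--- a/etc/profile-a-l/galculator.profile
+++ b/etc/profile-a-l/galculator.profile
@@ -23,7 +23,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-#hostname galculator - breaks Arch Linux
 #ipc-namespace
 net none
 nodvd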
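--- a/etc/profile-a-l/gallery-dl.profile
+++ b/etc/profile-a-l/gallery-dl.profile
@@ -15,4 +15,4 @@ private-bin gallery-dl
 private-etc gallery-dl.conf
 
 # Redirect
-include youtube-dl.profile
+include yt-dlp.profile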
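--- a/etc/profile-a-l/gdu.profile
+++ b/etc/profile-a-l/gdu.profile
@@ -26,7 +26,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 seccomp.block-secondary
 x11 none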
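--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -91,5 +91,4 @@ dbus-user.talk org.gnome.evolution.dataserver.Sources5
 dbus-user.talk org.mozilla.*
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces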
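--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -25,7 +25,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname geekbench
 ipc-namespace
 machine-id
 netfilter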
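--- a/etc/profile-a-l/geeqie.profile
+++ b/etc/profile-a-l/geeqie.profile
@@ -1,5 +1,5 @@
 # Firejail profile for geeqie
-# Description: Image viewer using GTK+
+# Description: Image viewer using GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include geeqie.local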
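--- a/etc/profile-a-l/gtk-lbry-viewer.profile
+++ b/etc/profile-a-l/gtk-lbry-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-lbry-viewer
-# Description: Gtk front-end to lbry-viewer
+# Description: GTK front-end to lbry-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-lbry-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-lbry-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include lbry-viewer.profile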
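--- a/etc/profile-a-l/gtk-pipe-viewer.profile
+++ b/etc/profile-a-l/gtk-pipe-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-pipe-viewer
-# Description: Gtk front-end to pipe-viewer
+# Description: GTK front-end to pipe-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-pipe-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-pipe-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include pipe-viewer.profile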
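--- a/etc/profile-a-l/gtk-straw-viewer.profile
+++ b/etc/profile-a-l/gtk-straw-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-straw-viewer
-# Description: Gtk front-end to straw-viewer
+# Description: GTK front-end to straw-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-straw-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-straw-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include straw-viewer.profile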
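--- a/etc/profile-a-l/gtk-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk-youtube-viewer.profile
@@ -1,12 +1,14 @@
 # Firejail profile for gtk-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk-youtube-viewer
+
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile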
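--- /dev/null
+++ b/etc/profile-a-l/gtk-youtube-viewers-common.profile
@@ -0,0 +1,22 @@
+# Firejail profile for gtk-youtube-viewer clones
+# Description: common profile for Trizen's gtk Youtube viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gtk-youtube-viewers-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+ignore quiet
+
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
+noblacklist ${HOME}/.mozilla
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+
+private-bin firefox,xterm
+
+dbus-user filter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*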
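--- a/etc/profile-a-l/gtk2-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk2-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk2-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk2-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk2-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile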
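Review bot: The `noblacklist /tmp/.X11-unix`, `noblacklist ${RUNUSER}` and `include whitelist-runuser-common.inc` lines (old lines 11-14) are removed, but the new gtk-youtube-viewers-common.profile in this change does not carry them, so unless youtube-viewer.profile or youtube-viewers-common.profile (neither in this chunk) provides them, this front-end loses the X11 socket and runtime-directory access it had before. If they were dropped deliberately because the shared profile already covers them, a comment in gtk-youtube-viewers-common.profile such as `# X11 socket and ${RUNUSER} access come from youtube-viewers-common.profile` would make that visible; if not, the three lines belong in the new common profile. gtk3-youtube-viewer.profile has the identical removal.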
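--- a/etc/profile-a-l/gtk3-youtube-viewer.profile
+++ b/etc/profile-a-l/gtk3-youtube-viewer.profile
@@ -1,17 +1,14 @@
 # Firejail profile for gtk3-youtube-viewer
-# Description: Gtk front-end to youtube-viewer
+# Description: GTK front-end to youtube-viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include gtk3-youtube-viewer.local
 # added by included profile
 #include globals.local
 
-ignore quiet
+private-bin gtk3-youtube-viewer
 
-noblacklist /tmp/.X11-unix
-noblacklist ${RUNUSER}
-
-include whitelist-runuser-common.inc
+include gtk-youtube-viewers-common.profile
 
 # Redirect
 include youtube-viewer.profile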
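--- a/etc/profile-a-l/guvcview.profile
+++ b/etc/profile-a-l/guvcview.profile
@@ -1,5 +1,5 @@
 # Firejail profile for guvcview
-# Description: GTK+ base UVC Viewer
+# Description: GTK-based UVC Viewer
 # This file is overwritten after every install/update
 # Persistent local customizations
 include guvcview.local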
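--- a/etc/profile-a-l/handbrake.profile
+++ b/etc/profile-a-l/handbrake.profile
@@ -1,5 +1,5 @@
 # Firejail profile for handbrake
-# Description: Versatile DVD ripper and video transcoder (GTK+ GUI)
+# Description: Versatile DVD ripper and video transcoder (GTK GUI)
 # This file is overwritten after every install/update
 # Persistent local customizations
 include handbrake.local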
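--- /dev/null
+++ b/etc/profile-a-l/jami.profile
@@ -0,0 +1,18 @@
+# Firejail profile for jami
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.config/jami.net
+
+mkdir ${HOME}/.config/jami.net
+mkdir ${HOME}/Videos/Jami
+whitelist ${HOME}/.config/jami.net
+whitelist ${HOME}/Videos/Jami
+
+# Redirect
+include jami-gnome.profile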
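--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -93,6 +93,7 @@ private-etc
 private-tmp
 
 dbus-user filter
+dbus-user.own org.freedesktop.secrets
 dbus-user.own org.keepassxc.KeePassXC.*
 dbus-user.talk com.canonical.Unity
 dbus-user.talk org.freedesktop.ScreenSaver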
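Review bot: `dbus-user.own org.freedesktop.secrets` at line 96 makes the sandboxed KeePassXC the session's Secret Service provider, so every other profile carrying `dbus-user.talk org.freedesktop.secrets` (element-desktop and kube in this same change) can query the entries the user exposes through that integration; that is the feature, but it is a trust boundary between sandboxes and deserves a comment next to the line. Suggested: `# Secret Service provider: any sandbox allowed to talk to org.freedesktop.secrets can read the entries exposed via KeePassXC's Freedesktop.org Secret Service integration`. The line is correctly placed under `dbus-user filter` and does not widen anything for users who leave the integration disabled in KeePassXC.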
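--- a/etc/profile-a-l/kube.profile
+++ b/etc/profile-a-l/kube.profile
@@ -77,5 +77,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.freedesktop.Notifications
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces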
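--- a/etc/profile-a-l/lbry-viewer.profile
+++ b/etc/profile-a-l/lbry-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.cache/lbry-viewer
 whitelist ${HOME}/.config/lbry-viewer
 
-private-bin gtk-lbry-viewer,lbry-viewer
+private-bin lbry-viewer
 
 # Redirect
 include youtube-viewers-common.profile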
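--- a/etc/profile-a-l/leafpad.profile
+++ b/etc/profile-a-l/leafpad.profile
@@ -1,5 +1,5 @@
 # Firejail profile for leafpad
-# Description: GTK+ based simple text editor
+# Description: GTK-based simple text editor
 # This file is overwritten after every install/update
 # Persistent local customizations
 include leafpad.local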
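--- a/etc/profile-a-l/linuxqq.profile
+++ b/etc/profile-a-l/linuxqq.profile
@@ -37,7 +37,5 @@ dbus-user.talk org.gnome.Mutter.IdleMonitor
 dbus-user.talk org.mozilla.*
 ignore dbus-user none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 # Redirect
 include electron-common.profile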
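--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,39 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile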
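Review bot: `#machine-id` at line 27 and `#private-cache` at line 34 are left disabled with no reason given, whereas the same `#private-cache` in mpv.profile in this commit is annotated `# private-cache causes slow OSD, see #2838`; since `machine-id` is also listed in private-etc at line 35, leaving the option off means the host's real /etc/machine-id is visible inside the sandbox, so the reason matters. A one-line comment per disabled option, e.g. `# machine-id breaks <reason>, see #<issue>` with the real reference, would let a maintainer tell a deliberate choice from a leftover. It is also unclear from the diff which of the private-etc entries at line 35 lobster itself needs beyond what the redirected mpv.profile already provides (mpv's private-bin is visible in this commit, its private-etc is not), and the same list is repeated verbatim in mov-cli.profile; a comment such as `# extends mpv.profile's private-etc with <entries>` would make the duplication intentional.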
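--- /dev/null
+++ b/etc/profile-m-z/Postman.profile
@@ -0,0 +1,10 @@
+# Firejail profile for Postman
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Postman.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include postman.profile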
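--- a/etc/profile-m-z/makepkg.profile
+++ b/etc/profile-m-z/makepkg.profile
@@ -19,7 +19,6 @@ blacklist ${RUNUSER}/wayland-*
 
 # Enable severely restricted access to ${HOME}/.gnupg
 noblacklist ${HOME}/.gnupg
-read-only ${HOME}/.gnupg/gpg.conf
 read-only ${HOME}/.gnupg/trustdb.gpg
 read-only ${HOME}/.gnupg/pubring.kbx
 blacklist ${HOME}/.gnupg/random_seed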
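Review bot: Dropping `read-only ${HOME}/.gnupg/gpg.conf` leaves the comment at line 20, `# Enable severely restricted access to ${HOME}/.gnupg`, describing a restriction the profile no longer fully applies: gpg.conf becomes writable from inside the sandbox while trustdb.gpg and pubring.kbx stay read-only, so a build step run under makepkg could change gpg options that later signature verification relies on. If makepkg genuinely needs to write gpg.conf (the diff does not say why), record that next to the remaining read-only lines, e.g. `# gpg.conf must stay writable because <reason>, see #<issue>`; otherwise the line should be kept.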
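--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -1,5 +1,5 @@
 # Firejail profile for marker
-# Description: Marker is a markdown editor for Linux made with Gtk+-3.0
+# Description: Marker is a markdown editor for Linux made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include marker.local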
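--- a/etc/profile-m-z/mdr.profile
+++ b/etc/profile-m-z/mdr.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname mdr
 ipc-namespace
 machine-id
 net none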
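--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Beta
-# Description: Web browser from Microsoft,beta channel
+# Description: Web browser from Microsoft, beta channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-beta.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge-beta
 noblacklist ${HOME}/.config/microsoft-edge-beta
+noblacklist /opt/microsoft/msedge-beta/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge-beta
 mkdir ${HOME}/.config/microsoft-edge-beta
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-beta
 whitelist ${HOME}/.config/microsoft-edge-beta
 
 whitelist /opt/microsoft/msedge-beta
+# private-opt might break the file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile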
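Review bot: `noblacklist /opt/microsoft/msedge-beta/msedge-sandbox` at new line 11 re-exposes a path that some include presumably blacklists, but there is no comment saying which include does so or why the browser needs the helper; unblacklisting a sandbox helper binary inside the jail is exactly the kind of exception a maintainer will want justified rather than copied. Suggest `# msedge-sandbox is blacklisted by <include>; needed for <reason>, see #<issue>` above the line. The identical lines in microsoft-edge-dev.profile and microsoft-edge.profile in this commit have the same gap. Separately, the three new private-opt comments differ in wording (`the file-copy-limit`, `file-copy-limit`, `default file-copy-limit`) and, unlike postman.profile's version, do not say that the `whitelist /opt/...` line above is the replacement; one wording such as `# private-opt breaks file-copy-limit, use a whitelist instead, see #5307` in all three would keep them aligned.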
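--- a/etc/profile-m-z/microsoft-edge-dev.profile
+++ b/etc/profile-m-z/microsoft-edge-dev.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge Dev
-# Description: Web browser from Microsoft,dev channel
+# Description: Web browser from Microsoft, dev channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge-dev.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge-dev
 noblacklist ${HOME}/.config/microsoft-edge-dev
+noblacklist /opt/microsoft/msedge-dev/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge-dev
 mkdir ${HOME}/.config/microsoft-edge-dev
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge-dev
 whitelist ${HOME}/.config/microsoft-edge-dev
 
 whitelist /opt/microsoft/msedge-dev
+# private-opt might break file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile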
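--- /dev/null
+++ b/etc/profile-m-z/microsoft-edge-stable.profile
@@ -0,0 +1,11 @@
+# Firejail profile for Microsoft Edge Stable
+# Description: Web browser from Microsoft, stable channel
+# This file is overwritten after every install/update
+# Persistent local customizations
+include microsoft-edge-stable.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include microsoft-edge.profile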
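--- a/etc/profile-m-z/microsoft-edge.profile
+++ b/etc/profile-m-z/microsoft-edge.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Microsoft Edge
-# Description: Web browser from Microsoft,stable channel
+# Description: Web browser from Microsoft, stable channel
 # This file is overwritten after every install/update
 # Persistent local customizations
 include microsoft-edge.local
@@ -8,6 +8,7 @@ include globals.local
 
 noblacklist ${HOME}/.cache/microsoft-edge
 noblacklist ${HOME}/.config/microsoft-edge
+noblacklist /opt/microsoft/msedge/msedge-sandbox
 
 mkdir ${HOME}/.cache/microsoft-edge
 mkdir ${HOME}/.config/microsoft-edge
@@ -15,6 +16,8 @@ whitelist ${HOME}/.cache/microsoft-edge
 whitelist ${HOME}/.config/microsoft-edge
 
 whitelist /opt/microsoft/msedge
+# private-opt might break default file-copy-limit, see #5307
+#private-opt microsoft
 
 # Redirect
 include chromium-common.profile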
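--- /dev/null
+++ b/etc/profile-m-z/mov-cli.profile
@@ -0,0 +1,29 @@
+# Firejail profile for mov-cli
+# Description: Python script for watching movies and TV shows via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include mov-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+include disable-proc.inc
+include disable-xdg.inc
+
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ffmpeg,fzf,mov-cli
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include mpv.profile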
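Review bot: `private-bin ffmpeg,fzf,mov-cli` at line 23 lists no interpreter although line 2 describes mov-cli as a Python script, so the profile relies on the `private-bin env,mpv,python*,...` of the redirected mpv.profile being merged in; that dependency should be stated, e.g. `# python* is provided by mpv.profile's private-bin`, since porn-cli.profile (`private-bin porn-cli`, redirecting here) depends on the same merging. Unlike lobster.profile in this commit there are also no noblacklist/mkdir/whitelist lines for a config or cache directory of mov-cli's own; if mov-cli keeps state under ${HOME} (I cannot confirm from the diff) it would be hidden once the whitelist-based includes apply, and if it is stateless a comment saying so would pre-empt the question. As in lobster.profile, `#machine-id` at line 17 is disabled with no reason while `machine-id` is exposed via private-etc at line 25.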
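--- a/etc/profile-m-z/mp3splt-gtk.profile
+++ b/etc/profile-m-z/mp3splt-gtk.profile
@@ -1,5 +1,5 @@
 # Firejail profile for mp3splt-gtk
-# Description: Gtk utility for mp3/ogg splitting without decoding
+# Description: GTK utility for mp3/ogg splitting without decoding
 # This file is overwritten after every install/update
 # Persistent local customizations
 include mp3splt-gtk.local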
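--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,13 +11,13 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 # screenshot-directory=~/Pictures
 
-# Mpv has a powerful lua-API, some off these lua-scripts interact
-# with external resources which are blocked by firejail. In such cases
-# you need to allow these resources by
-# - adding additional binaries to private-bin
+# mpv has a powerful Lua API and some of the Lua scripts interact with
+# external resources which are blocked by firejail. In such cases you need to
+# allow these resources by:
+# - noblacklisting additional paths
 # - whitelisting additional paths
-# - noblacklisting paths
-# - weaking the dbus-policy
+# - adding additional binaries to private-bin
+# - changing/weakening the D-Bus policy
 # - ...
 #
 # Often these scripts require a shell:
@@ -75,10 +75,12 @@ nonewprivs
 noroot
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !set_mempolicy
 seccomp.block-secondary
 tracelog
 
+# mpv links to libluajit, so no need to reference "lua*" in private-bin:
+# https://github.com/netblue30/firejail/pull/5711#discussion_r1125622615
 private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache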
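Review bot: `seccomp !set_mempolicy` at new line 78 removes a syscall from the default seccomp filter without saying which component of mpv needs it, while the private-bin comment added a few lines below carefully cites its source. Every syscall re-enabled in the filter is surface that a compromised player, script or codec gains, so the exception should be traceable; suggest `# set_mempolicy is needed by <component>, see #<issue>` (with the real reference) directly above the line. Note that the second hunk of the Lua comment now lists the same remedies in a different order than before; that is fine, but since every other profile redirecting to mpv.profile inherits this filter, the reason for the exception matters for lobster.profile and mov-cli.profile added in this commit as well.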
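--- a/etc/profile-m-z/openbox.profile
+++ b/etc/profile-m-z/openbox.profile
@@ -16,6 +16,4 @@ noroot
 protocol unix,inet,inet6
 seccomp !chroot
 
-read-only ${HOME}/.config/openbox/autostart
-read-only ${HOME}/.config/openbox/environment
 #restrict-namespaces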
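--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -36,7 +36,7 @@ nonewprivs
 noroot
 notv
 nou2f
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 # shell none
 tracelog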
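Review bot: `protocol unix,inet,inet6,netlink` at line 39 adds the netlink socket family without a comment naming the feature that needs it; netlink lets the sandboxed client observe interface and routing state, so the reason should be recorded where the next reader will look, e.g. `# netlink is needed for <feature>, see #<issue>` above the line. The commented `# shell none` at line 41 is untouched by the hunk but is the kind of leftover this pass could remove.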
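--- a/etc/profile-m-z/pipe-viewer.profile
+++ b/etc/profile-m-z/pipe-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/pipe-viewer
 whitelist ${HOME}/.cache/pipe-viewer
 whitelist ${HOME}/.config/pipe-viewer
 
-private-bin gtk-pipe-viewer,pipe-viewer
+private-bin pipe-viewer
 
 # Redirect
 include youtube-viewers-common.profile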
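--- a/etc/profile-m-z/pngquant.profile
+++ b/etc/profile-m-z/pngquant.profile
@@ -38,7 +38,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none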
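--- /dev/null
+++ b/etc/profile-m-z/porn-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for porn-cli
+# Description: Python script for watching porn via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include porn-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin porn-cli
+
+# Redirect
+include mov-cli.profile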
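--- /dev/null
+++ b/etc/profile-m-z/postman.profile
@@ -0,0 +1,28 @@
+# Firejail profile for postman
+# Description: API testing platform
+# This file is overwritten after every install/update
+# Persistent local customizations
+include postman.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Postman
+noblacklist ${HOME}/Postman
+
+mkdir ${HOME}/.config/Postman
+mkdir ${HOME}/Postman
+whitelist ${HOME}/.config/Postman
+whitelist ${HOME}/Postman
+include whitelist-run-common.inc
+
+protocol unix,inet,inet6,netlink
+
+private-bin electron,electron[0-9],electron[0-9][0-9],locale,node,Postman,postman,sh
+private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl
+# private-opt breaks file-copy-limit, use a whitelist instead of draining RAM
+# https://github.com/netblue30/firejail/discussions/5307
+#private-opt postman
+whitelist /opt/postman
+
+# Redirect
+include electron-common.profile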
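Review bot: `private-bin ...,sh` at line 20 puts sh in the sandbox without an `include allow-bin-sh.inc`, whereas lobster.profile and tutanota-desktop.profile in this same commit pair `sh` in private-bin with `include allow-bin-sh.inc` and a comment explaining the need. If electron-common.profile (the redirect at line 28, not visible here) pulls in disable-shell.inc, sh is blacklisted again and the private-bin entry is dead; if it does not, the reason Postman needs a shell is still undocumented. Suggest either dropping `sh` or adding `# sh is needed for <reason>` plus `include allow-bin-sh.inc` before the private-bin line, and giving `protocol unix,inet,inet6,netlink` at line 18 a comment on why netlink is required. The profile also keeps its data in `${HOME}/Postman`, a directory `mkdir` creates unconditionally in the user's home; that is what the application apparently uses, so it is worth a one-line comment rather than a change.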
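--- a/etc/profile-m-z/pycharm-professional.profile
+++ b/etc/profile-m-z/pycharm-professional.profile
@@ -1,7 +1,7 @@
 # Firejail profilen alias for pycharm-professional
 # This file is overwritten after every install/update
 # Persistent local customizations
-include pyucharm-professional.local
+include pycharm-professional.local
 # Persistent global definitions
 # added by included profile
 #include globals.local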
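Review bot: The hunk corrects `pyucharm` on line 4, but line 1 on the new side still reads `# Firejail profilen alias for pycharm-professional`; the same pass should fix the header to `# Firejail profile alias for pycharm-professional`. The old `include pyucharm-professional.local` meant site customizations in pycharm-professional.local were silently never read, so the fix is worth a mention in the commit message as a behaviour change, not just a typo.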
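--- a/etc/profile-m-z/qpdf.profile
+++ b/etc/profile-m-z/qpdf.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname qpdf
 ipc-namespace
 machine-id
 net none
@@ -46,7 +45,7 @@ nosound
 notv
 nou2f
 novideo
-# block the socket syscall to simulate an be empty protocol line, see #639
+# block socket syscall to simulate empty protocol option (see #639)
 seccomp socket
 tracelog
 x11 none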
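--- a/etc/profile-m-z/qutebrowser.profile
+++ b/etc/profile-m-z/qutebrowser.profile
@@ -62,6 +62,9 @@ private-etc @tls-ca
 private-tmp
 
 dbus-user filter
+# qutebrowser-qt6 uses a newer chrome version which uses the name 'chromium'
+# see https://github.com/qutebrowser/qutebrowser/issues/7431
+dbus-user.own org.mpris.MediaPlayer2.chromium.*
 dbus-user.own org.mpris.MediaPlayer2.qutebrowser.*
 dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your qutebrowser.local to allow screen sharing under wayland.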
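--- a/etc/profile-m-z/remmina.profile
+++ b/etc/profile-m-z/remmina.profile
@@ -1,5 +1,5 @@
 # Firejail profile for remmina
-# Description: GTK+ Remote Desktop Client
+# Description: GTK Remote Desktop Client
 # This file is overwritten after every install/update
 # Persistent local customizations
 include remmina.local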
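--- a/etc/profile-m-z/signal-desktop.profile
+++ b/etc/profile-m-z/signal-desktop.profile
@@ -14,7 +14,6 @@ noblacklist ${HOME}/.config/Signal
 # These lines are needed to allow Firefox to open links
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.config/Signal
 whitelist ${HOME}/.config/Signal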
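--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -42,7 +42,7 @@ tracelog
 private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free
 private-cache
 private-dev
-private-etc @tls-ca,SoftMaker
+private-etc @tls-ca,fstab,SoftMaker
 private-tmp
 
 dbus-user none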
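Review bot: Adding `fstab` to `private-etc @tls-ca,fstab,SoftMaker` at line 45 copies the host mount table — device names, UUIDs and mount points — into the office suite's sandbox, and nothing in the hunk says which SoftMaker feature reads /etc/fstab. A widening of private-etc should be traceable to a need; suggest `# fstab is needed for <reason>, see #<issue>` above the line, with the real reference.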
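--- /dev/null
+++ b/etc/profile-m-z/standard-notes.profile
@@ -0,0 +1,10 @@
+# Firejail profile for standard-notes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include standard-notes.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include standardnotes-desktop.profile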
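--- a/etc/profile-m-z/standardnotes-desktop.profile
+++ b/etc/profile-m-z/standardnotes-desktop.profile
@@ -18,6 +18,10 @@ mkdir ${HOME}/Standard Notes Backups
 mkdir ${HOME}/.config/Standard Notes
 whitelist ${HOME}/Standard Notes Backups
 whitelist ${HOME}/.config/Standard Notes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor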
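--- a/etc/profile-m-z/steam.profile
+++ b/etc/profile-m-z/steam.profile
@@ -181,5 +181,4 @@ private-tmp
 #dbus-user none
 #dbus-system none
 
-read-only ${HOME}/.config/MangoHud
 #restrict-namespaces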
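--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.cache/straw-viewer
 whitelist ${HOME}/.config/straw-viewer
 
-private-bin gtk-straw-viewer,straw-viewer
+private-bin straw-viewer
 
 # Redirect
 include youtube-viewers-common.profile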
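--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -1,5 +1,5 @@
 # Firejail profile for sylpheed
-# Description: Light weight e-mail client with GTK+
+# Description: Lightweight e-mail client made with GTK
 # This file is overwritten after every install/update
 # Persistent local customizations
 include sylpheed.local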
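--- a/etc/profile-m-z/tesseract.profile
+++ b/etc/profile-m-z/tesseract.profile
@@ -31,7 +31,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname tesseract
 ipc-namespace
 machine-id
 net none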
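--- a/etc/profile-m-z/thunderbird.profile
+++ b/etc/profile-m-z/thunderbird.profile
@@ -24,7 +24,6 @@ writable-run-user
 # These lines are needed to allow Firefox to load your profile when clicking a link in an email
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 noblacklist ${HOME}/.cache/thunderbird
 noblacklist ${HOME}/.gnupg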
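--- a/etc/profile-m-z/trojita.profile
+++ b/etc/profile-m-z/trojita.profile
@@ -60,5 +60,4 @@ dbus-user filter
 dbus-user.talk org.freedesktop.secrets
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 restrict-namespaces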
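--- a/etc/profile-m-z/tutanota-desktop.profile
+++ b/etc/profile-m-z/tutanota-desktop.profile
@@ -1,5 +1,5 @@
 # Firejail profile for tutanota-desktop
-# Description: Encrypted email client
+# Description: Official desktop client for the Tutanota E2E encrypted email provider
 # This file is overwritten after every install/update
 # Persistent local customizations
 include tutanota-desktop.local
@@ -9,8 +9,13 @@ include globals.local
 noblacklist ${HOME}/.config/tuta_integration
 noblacklist ${HOME}/.config/tutanota-desktop
 
+ignore dbus-user none
+ignore disable-mnt
 ignore noexec /tmp
 
+# sh is needed to allow Firefox to open links
+include allow-bin-sh.inc
+
 include disable-shell.inc
 
 mkdir ${HOME}/.config/tuta_integration
@@ -18,14 +23,25 @@ mkdir ${HOME}/.config/tutanota-desktop
 whitelist ${HOME}/.config/tuta_integration
 whitelist ${HOME}/.config/tutanota-desktop
 
-# These lines are needed to allow Firefox to open links
+# The lines below are needed to find the default Firefox profile name, to allow
+# opening links in an existing instance of Firefox (note that it still fails if
+# there isn't a Firefox instance running with the default profile; see #5352)
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
+
+machine-id
+nosound
 
 ?HAS_APPIMAGE: ignore private-dev
 private-etc @tls-ca
 private-opt tutanota-desktop
 
+dbus-user filter
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.gnome.keyring.SystemPrompter
+# allow D-Bus communication with firefox for opening links
+dbus-user.talk org.mozilla.*
+
 # Redirect
 include electron-common.profile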
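Review bot: `ignore disable-mnt` at new line 13 of the second hunk lifts the ban on /mnt and /media inside the sandbox without any comment, while every other relaxation in this file — `include allow-bin-sh.inc`, the .mozilla access, the `org.mozilla.*` talk rule — is explained on the line above it. Suggest `# disable-mnt breaks <reason>, see #<issue>` directly above it, with the real reference. The `ignore dbus-user none` on the line before is only justified by the `dbus-user filter` block added at the end of the third hunk; a pointer such as `# replaced by the dbus-user filter below` would keep the two in step when one of them is edited later. `machine-id` and `nosound` in the third hunk tighten the profile and need no comment.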
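--- a/etc/profile-m-z/unf.profile
+++ b/etc/profile-m-z/unf.profile
@@ -24,7 +24,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname unf
 ipc-namespace
 machine-id
 net none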
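--- /dev/null
+++ b/etc/profile-m-z/url-eater.profile
@@ -0,0 +1,58 @@
+# Firejail profile for url-eater
+# Description: Clean unnecessary parameters from URLs copied to clipboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include url-eater.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin url-eater
+private-cache
+private-dev
+private-etc url-eater.kdl
+private-lib
+#private-tmp # breaks on Arch
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces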
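Review bot: The disabled `#private-tmp # breaks on Arch` at new line 51 records a breakage without the symptom or issue behind it, so a later maintainer cannot tell whether re-enabling is safe; while it stays disabled the sandbox shares the host's /tmp with every other process of the session, which is exactly the kind of trade-off that deserves a reference. Other profiles in this series write such exemptions as `#private-tmp - breaks on Arch (see #<issue-id>)`, with the id of the report that describes the failure; please use that form here. If no report exists yet, a one-line description of what breaks (e.g. the clipboard socket path) would serve the same purpose.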
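--- a/etc/profile-m-z/uudeview.profile
+++ b/etc/profile-m-z/uudeview.profile
@@ -19,7 +19,6 @@ include disable-shell.inc
 include whitelist-usr-share-common.inc
 
 caps.drop all
-hostname uudeview
 ipc-namespace
 machine-id
 net none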
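--- a/etc/profile-m-z/whois.profile
+++ b/etc/profile-m-z/whois.profile
@@ -22,7 +22,6 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-hostname whois
 ipc-namespace
 machine-id
 netfilter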
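--- a/etc/profile-m-z/youtube-dl.profile
+++ b/etc/profile-m-z/youtube-dl.profile
@@ -5,63 +5,17 @@ quiet
 # Persistent local customizations
 include youtube-dl.local
 # Persistent global definitions
-include globals.local
-
-# breaks when installed under ${HOME} via `pip install --user` (see #2833)
-ignore noexec ${HOME}
+# added by included profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
 noblacklist ${HOME}/.config/youtube-dl
-noblacklist ${HOME}/.netrc
-noblacklist ${MUSIC}
-noblacklist ${VIDEOS}
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
-include allow-python3.inc
-
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-apparmor
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-tracelog
-
-private-bin env,ffmpeg,python*,youtube-dl
-private-cache
-private-dev
-private-etc @tls-ca,mime.types,youtube-dl.conf
-private-tmp
 
-dbus-user none
-dbus-system none
+private-bin youtube-dl
+private-etc youtube-dl.conf
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
-restrict-namespaces
+# Redirect
+include yt-dlp.profile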
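--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -15,7 +15,7 @@ mkdir ${HOME}/.config/youtube-viewer
 whitelist ${HOME}/.cache/youtube-viewer
 whitelist ${HOME}/.config/youtube-viewer
 
-private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
+private-bin youtube-viewer
 
 # Redirect
 include youtube-viewers-common.profile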
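--- a/etc/profile-m-z/youtube-viewers-common.profile
+++ b/etc/profile-m-z/youtube-viewers-common.profile
@@ -8,6 +8,7 @@ include youtube-viewers-common.local
 #include globals.local
 
 noblacklist ${HOME}/.cache/youtube-dl
+noblacklist ${HOME}/.config/mpv
 
 # Allow lua (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
@@ -19,13 +20,6 @@ include allow-perl.inc
 include allow-python2.inc
 include allow-python3.inc
 
-# The lines below are needed to find the default Firefox profile name, to allow
-# opening links in an existing instance of Firefox (note that it still fails if
-# there isn't a Firefox instance running with the default profile; see #5352)
-noblacklist ${HOME}/.mozilla
-whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
-
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -35,7 +29,9 @@ include disable-xdg.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs
+whitelist ${HOME}/.config/mpv
 include whitelist-common.inc
+include whitelist-run-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -56,16 +52,12 @@ seccomp
 tracelog
 
 disable-mnt
-private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,xterm,youtube-dl,yt-dlp
+private-bin bash,ffmpeg,ffprobe,mpv,perl,python*,sh,smplayer,stty,wget,wget2,which,youtube-dl,yt-dlp
 private-cache
 private-dev
 private-etc @tls-ca,@x11,host.conf,mime.types
 private-tmp
 
-dbus-user filter
-# allow D-Bus communication with firefox for opening links
-dbus-user.talk org.mozilla.*
-
 dbus-system none
 
 restrict-namespaces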
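Review bot: Removing `dbus-user filter` together with its single `dbus-user.talk org.mozilla.*` rule (old lines 65-67) leaves the profile with no `dbus-user` directive at all, so unless one of the included files sets it the session bus goes from one permitted name to the unfiltered default — a loosening, which is presumably not what dropping the Firefox integration intended, given that `dbus-system none` is kept. If nothing in the profile still needs the session bus, add `dbus-user none` directly above `dbus-system none`; if mpv or smplayer does need it, a `dbus-user filter` with the specific names would keep the previous tightness.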
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index 49d4b3b56..97f9e620a 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -5,17 +5,73 @@ quiet | |||
5 | # Persistent local customizations | 5 | # Persistent local customizations |
6 | include yt-dlp.local | 6 | include yt-dlp.local |
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | # added by included profile | 8 | include globals.local |
9 | #include globals.local | 9 | |
10 | # If you installed via pip under ${HOME} | ||
11 | # add 'ignore noexec ${HOME}' in yt-dlp.local. | ||
12 | # AppArmor needs to allow it too, | ||
13 | # add 'ignore apparmor' in yt-dlp.local | ||
14 | # OR in /etc/apparmor.d/local/firejail-default add: | ||
15 | # 'owner @HOME/.local/bin/** ix,' | ||
16 | # 'owner @HOME/.local/lib/python*/** ix,' | ||
17 | # then run the command | ||
18 | # 'sudo apparmor_parser -r /etc/apparmor.d/firejail-default' | ||
10 | 19 | ||
11 | noblacklist ${HOME}/.cache/yt-dlp | 20 | noblacklist ${HOME}/.cache/yt-dlp |
12 | noblacklist ${HOME}/.config/yt-dlp | 21 | noblacklist ${HOME}/.config/yt-dlp |
13 | noblacklist ${HOME}/.config/yt-dlp.conf | 22 | noblacklist ${HOME}/.config/yt-dlp.conf |
14 | noblacklist ${HOME}/yt-dlp.conf | 23 | noblacklist ${HOME}/yt-dlp.conf |
15 | noblacklist ${HOME}/yt-dlp.conf.txt | 24 | noblacklist ${HOME}/yt-dlp.conf.txt |
25 | noblacklist ${HOME}/.netrc | ||
26 | noblacklist ${MUSIC} | ||
27 | noblacklist ${VIDEOS} | ||
28 | |||
29 | # Allow python (blacklisted by disable-interpreters.inc) | ||
30 | include allow-python3.inc | ||
31 | |||
32 | blacklist /tmp/.X11-unix | ||
33 | blacklist ${RUNUSER} | ||
34 | |||
35 | include disable-common.inc | ||
36 | include disable-devel.inc | ||
37 | include disable-exec.inc | ||
38 | include disable-interpreters.inc | ||
39 | include disable-programs.inc | ||
40 | include disable-shell.inc | ||
41 | include disable-xdg.inc | ||
42 | |||
43 | include whitelist-usr-share-common.inc | ||
44 | include whitelist-var-common.inc | ||
45 | |||
46 | apparmor | ||
47 | caps.drop all | ||
48 | ipc-namespace | ||
49 | machine-id | ||
50 | netfilter | ||
51 | no3d | ||
52 | nodvd | ||
53 | nogroups | ||
54 | noinput | ||
55 | nonewprivs | ||
56 | noroot | ||
57 | nosound | ||
58 | notv | ||
59 | nou2f | ||
60 | novideo | ||
61 | protocol unix,inet,inet6 | ||
62 | seccomp | ||
63 | seccomp.block-secondary | ||
64 | tracelog | ||
65 | |||
66 | private-bin env,ffmpeg,ffprobe,python*,yt-dlp | ||
67 | private-cache | ||
68 | private-dev | ||
69 | private-etc @tls-ca,mime.types,yt-dlp.conf | ||
70 | private-tmp | ||
71 | |||
72 | dbus-user none | ||
73 | dbus-system none | ||
16 | 74 | ||
17 | private-bin ffprobe,yt-dlp | 75 | memory-deny-write-execute |
18 | private-etc yt-dlp.conf | ||
19 | 76 | ||
20 | # Redirect | 77 | restrict-namespaces |
21 | include youtube-dl.profile | ||
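Review bot: `memory-deny-write-execute` at new line 75 is now enabled for yt-dlp and, through the reversed redirect, for youtube-dl as well, although the old youtube-dl.profile carried `#memory-deny-write-execute - breaks on Arch (see issue #1803)`; if #1803 is resolved, say so in a comment, otherwise keep the line commented with that reference so the exemption does not get lost. Separately, the header comment at new lines 10-18 recommends adding `owner @HOME/.local/bin/** ix,` and `owner @HOME/.local/lib/python*/** ix,` to the firejail-default AppArmor profile, but that profile is shared by every sandbox that uses `apparmor`, so those rules widen execution rights for all of them rather than for yt-dlp alone. The comment should state that scope and present the `ignore apparmor` in yt-dlp.local option as the narrower choice, e.g. `# Note: rules added to firejail-default apply to every AppArmor-confined sandbox; prefer 'ignore apparmor' in yt-dlp.local if only yt-dlp needs this.`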
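--- a/etc/profile-m-z/zeal.profile
+++ b/etc/profile-m-z/zeal.profile
@@ -23,7 +23,6 @@ include disable-xdg.inc
 # This also requires dbus-user filtering (see below).
 noblacklist ${HOME}/.mozilla
 whitelist ${HOME}/.mozilla/firefox/profiles.ini
-read-only ${HOME}/.mozilla/firefox/profiles.ini
 
 mkdir ${HOME}/.cache/Zeal
 mkdir ${HOME}/.config/Zeal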
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index fd328f36c..b88566f54 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -221,6 +221,8 @@ include globals.local | |||
221 | #dbus-user.talk org.freedesktop.Notifications | 221 | #dbus-user.talk org.freedesktop.Notifications |
222 | #dbus-system none | 222 | #dbus-system none |
223 | 223 | ||
224 | # Note: read-only entries should usually go in disable-common.inc (especially | ||
225 | # entries for configuration files that allow arbitrary command execution). | ||
224 | ##deterministic-shutdown | 226 | ##deterministic-shutdown |
225 | ##env VAR=VALUE | 227 | ##env VAR=VALUE |
226 | ##join-or-start NAME | 228 | ##join-or-start NAME |