Diffstat (limited to 'etc')
-rw-r--r--etc/apparmor/firejail-local6
-rw-r--r--etc/inc/disable-programs.inc6
-rw-r--r--etc/profile-a-l/DiscordPTB.profile10
-rw-r--r--etc/profile-a-l/ani-cli.profile41
-rw-r--r--etc/profile-a-l/discord-ptb.profile17
-rw-r--r--etc/profile-a-l/email-common.profile1
-rw-r--r--etc/profile-a-l/lobster.profile41
-rw-r--r--etc/profile-m-z/mpv.profile14
-rw-r--r--etc/profile-m-z/porn-cli.profile14
9 files changed, 141 insertions, 9 deletions
diff --git a/etc/apparmor/firejail-local b/etc/apparmor/firejail-local
index e7236b0bc..557204d75 100644
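--- a/etc/apparmor/firejail-local
+++ b/etc/apparmor/firejail-local
@@ -1,12 +1,12 @@
 # Site-specific additions and overrides for 'firejail-default'.
 # For more details, please see /etc/apparmor.d/local/README.
 
-# Here are some examples to allow running programs from home directory.
+# Here are some examples to allow running programs from your home directory.
 # Don't enable all of these, just pick a specific one or write a custom rule
 # instead as done below for torbrowser-launcher.
 #owner @HOME/** ix,
-#owner @HOME/bin/** ix
-#owner @HOME/.local/bin/** ix
+#owner @HOME/bin/** ix,
+#owner @HOME/.local/bin/** ix,
 
 # Uncomment to opt-in to apparmor for brave + ipfs
 #owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,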
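Review bot: The example rules on new lines 7-9 still write the home variable as `@HOME`, while the Brave rule on line 12 of the same file uses `@{HOME}`. AppArmor variables are referenced with braces, so a user who uncomments one of the examples would most likely get a rule that fails to parse or never matches, not the intended exception. Since the change already touches these lines to add the trailing comma, they could become `#owner @{HOME}/bin/** ix,` and `#owner @{HOME}/.local/bin/** ix,`. The comment could also say that `owner @{HOME}/** ix,` lets any user-owned file under the home directory execute inside the sandbox, which is why the narrower rules are the ones to prefer.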
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 3eb6c03d5..71b513935 100644
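--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -51,6 +51,7 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bsfilter
 blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
 blacklist ${HOME}/.cache/0ad
@@ -83,6 +84,7 @@ blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/ani-cli
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/audacity
@@ -410,6 +412,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
 blacklist ${HOME}/.config/discordcanary
+blacklist ${HOME}/.config/discordptb
 blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphin-emu
@@ -517,6 +520,7 @@ blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
+blacklist ${HOME}/.config/lobster
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
@@ -952,6 +956,7 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/lobster
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
@@ -1027,6 +1032,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/ani-cli
 blacklist ${HOME}/.local/state/audacity
 blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2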
diff --git a/etc/profile-a-l/DiscordPTB.profile b/etc/profile-a-l/DiscordPTB.profile
new file mode 100644
index 000000000..4570f0103
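--- /dev/null
+++ b/etc/profile-a-l/DiscordPTB.profile
@@ -0,0 +1,10 @@
+# Firejail profile for DiscordPTB
+# This file is overwritten after every install/update
+# Persistent local customizations
+include DiscordPTB.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include discord-ptb.profile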
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
new file mode 100644
index 000000000..270dffaed
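--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,41 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,sed,sh,sort,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+read-only ${HOME}/.config/mpv
+
+# Redirect
+include mpv.profile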
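Review bot: `#machine-id` (line 27) and `#private-cache` (line 34) are left disabled with no reason given, and lobster.profile carries the same two lines. Here `private-cache` would presumably hide the `whitelist ${HOME}/.cache/ani-cli` directory from line 22, so a comment such as `# private-cache would hide the whitelisted ~/.cache/ani-cli` would keep a later hardening pass from re-enabling it blindly. For lobster.profile the reason is not evident from the file, since it whitelists nothing under ~/.cache. The profile also allows /bin/sh and keeps `sh` and `curl` in `private-bin` while setting no seccomp, capability or network options itself, so those restrictions appear to come only from the included mpv.profile. A note next to `# Redirect` should say so, e.g. `# seccomp/caps/net restrictions are inherited from mpv.profile`.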
diff --git a/etc/profile-a-l/discord-ptb.profile b/etc/profile-a-l/discord-ptb.profile
new file mode 100644
index 000000000..c39c0d843
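--- /dev/null
+++ b/etc/profile-a-l/discord-ptb.profile
@@ -0,0 +1,17 @@
+# Firejail profile for discord-ptb
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord-ptb.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discordptb
+
+mkdir ${HOME}/.config/discordptb
+whitelist ${HOME}/.config/discordptb
+
+private-bin discord-ptb,DiscordPTB
+private-opt discord-ptb,DiscordPTB
+
+# Redirect
+include discord-common.profile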
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile
index 86442d441..0a44a62a3 100644
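--- a/etc/profile-a-l/email-common.profile
+++ b/etc/profile-a-l/email-common.profile
@@ -8,6 +8,7 @@ include email-common.local
 #include globals.local
 
 noblacklist ${HOME}/.bogofilter
+noblacklist ${HOME}/.bsfilter
 noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.mozilla
 noblacklist ${HOME}/.signature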
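Review bot: Only `noblacklist ${HOME}/.bsfilter` is added to this file (the diffstat shows one changed line), so if email-common.profile whitelists home paths further down, outside this hunk, `~/.bsfilter` would be un-blacklisted but still not visible to the mail client. If the neighbouring `.bogofilter` entry has a matching `whitelist ${HOME}/.bogofilter` line in that section, add `whitelist ${HOME}/.bsfilter` beside it. The rest of the profile is not shown here, so this needs checking against the full file.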
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
new file mode 100644
index 000000000..01928c775
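--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,41 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+read-only ${HOME}/.config/mpv
+
+# Redirect
+include mpv.profile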
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index c9706999a..9dcc9dec3 100644
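--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,13 +11,13 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 # screenshot-directory=~/Pictures
 
-# Mpv has a powerful lua-API, some off these lua-scripts interact
-# with external resources which are blocked by firejail. In such cases
-# you need to allow these resources by
-# - adding additional binaries to private-bin
+# mpv has a powerful Lua API and some of the Lua scripts interact with
+# external resources which are blocked by firejail. In such cases you need to
+# allow these resources by:
+# - noblacklisting additional paths
 # - whitelisting additional paths
-# - noblacklisting paths
-# - weaking the dbus-policy
+# - adding additional binaries to private-bin
+# - changing/weakening the D-Bus policy
 # - ...
 #
 # Often these scripts require a shell:
@@ -79,6 +79,8 @@ seccomp
 seccomp.block-secondary
 tracelog
 
+# mpv links to libluajit, so no need to reference "lua*" in private-bin:
+# https://github.com/netblue30/firejail/pull/5711#discussion_r1125622615
 private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 # private-cache causes slow OSD, see #2838
 #private-cache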
diff --git a/etc/profile-m-z/porn-cli.profile b/etc/profile-m-z/porn-cli.profile
new file mode 100644
index 000000000..f33ff439c
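--- /dev/null
+++ b/etc/profile-m-z/porn-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for porn-cli
+# Description: Python script for watching porn via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include porn-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin porn-cli
+
+# Redirect
+include mov-cli.profile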
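Review bot: `private-bin porn-cli` on line 11 lists only the launcher although the description calls it a Python script, so the interpreter and any player binaries have to be supplied by mov-cli.profile, which this diff does not touch. A comment above the line such as `# python and player binaries are added by mov-cli.profile` would make that dependency explicit and easier to audit. Unlike ani-cli and lobster, this change adds no disable-programs.inc entry or `noblacklist`/`whitelist` pair for the tool's own data. If porn-cli keeps a config or history directory under the home directory, it should get the same treatment so other sandboxes cannot read it.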