Diffstat (limited to 'etc')
-rw-r--r--etc/apparmor/firejail-default4
-rw-r--r--etc/inc/disable-common.inc12
-rw-r--r--etc/inc/disable-devel.inc1
-rw-r--r--etc/inc/disable-programs.inc39
-rw-r--r--etc/inc/disable-write-mnt.inc8
-rw-r--r--etc/inc/whitelist-players.inc10
-rw-r--r--etc/profile-a-l/balsa.profile78
-rw-r--r--etc/profile-a-l/celluloid.profile6
-rw-r--r--etc/profile-a-l/chromium-freeworld.profile5
-rw-r--r--etc/profile-a-l/cola.profile10
-rw-r--r--etc/profile-a-l/dbus-send.profile59
-rw-r--r--etc/profile-a-l/default.profile1
-rw-r--r--etc/profile-a-l/electron-mail.profile8
-rw-r--r--etc/profile-a-l/eo-common.profile1
-rw-r--r--etc/profile-a-l/eog.profile9
-rw-r--r--etc/profile-a-l/equalx.profile63
-rw-r--r--etc/profile-a-l/fdns.profile8
-rw-r--r--etc/profile-a-l/firefox.profile2
-rw-r--r--etc/profile-a-l/flameshot.profile5
-rw-r--r--etc/profile-a-l/fractal.profile54
-rw-r--r--etc/profile-a-l/geary.profile12
-rw-r--r--etc/profile-a-l/git-cola.profile29
-rw-r--r--etc/profile-a-l/gnome-builder.profile4
-rw-r--r--etc/profile-a-l/gnome-passwordsafe.profile5
-rw-r--r--etc/profile-a-l/hedgewars.profile2
-rw-r--r--etc/profile-a-l/kazam.profile54
-rw-r--r--etc/profile-a-l/kube.profile81
-rw-r--r--etc/profile-m-z/man.profile65
-rw-r--r--etc/profile-m-z/menulibre.profile62
-rw-r--r--etc/profile-m-z/minitube.profile2
-rw-r--r--etc/profile-m-z/mirage.profile59
-rw-r--r--etc/profile-m-z/mplayer.profile6
-rw-r--r--etc/profile-m-z/mpsyt.profile4
-rw-r--r--etc/profile-m-z/mpv.profile21
-rw-r--r--etc/profile-m-z/musictube.profile57
-rw-r--r--etc/profile-m-z/notify-send.profile60
-rw-r--r--etc/profile-m-z/onboard.profile55
-rw-r--r--etc/profile-m-z/openarena.profile2
-rw-r--r--etc/profile-m-z/peek.profile24
-rw-r--r--etc/profile-m-z/pidgin.profile2
-rw-r--r--etc/profile-m-z/psi.profile78
-rw-r--r--etc/profile-m-z/qrencode.profile58
-rw-r--r--etc/profile-m-z/quaternion.profile54
-rw-r--r--etc/profile-m-z/redeclipse.profile9
-rw-r--r--etc/profile-m-z/rhythmbox.profile6
-rw-r--r--etc/profile-m-z/smplayer.profile6
-rw-r--r--etc/profile-m-z/smuxi-frontend-gnome.profile55
-rw-r--r--etc/profile-m-z/spectral.profile53
-rw-r--r--etc/profile-m-z/supertuxkart.profile1
-rw-r--r--etc/profile-m-z/telegram.profile2
-rw-r--r--etc/profile-m-z/totem.profile11
-rw-r--r--etc/profile-m-z/trojita.profile63
-rw-r--r--etc/profile-m-z/twitch.profile36
-rw-r--r--etc/profile-m-z/virtualbox.profile1
-rw-r--r--etc/profile-m-z/vlc.profile8
-rw-r--r--etc/profile-m-z/vmware.profile2
-rw-r--r--etc/profile-m-z/warsow.profile3
-rw-r--r--etc/profile-m-z/wire-desktop.profile2
-rw-r--r--etc/profile-m-z/xournalpp.profile26
-rw-r--r--etc/profile-m-z/xplayer.profile6
-rw-r--r--etc/profile-m-z/youtube.profile37
-rw-r--r--etc/profile-m-z/youtubemusic-nativefier.profile38
-rw-r--r--etc/profile-m-z/ytmdesktop.profile39
-rw-r--r--etc/templates/profile.template1
-rw-r--r--etc/templates/syscalls.txt7
65 files changed, 1509 insertions, 82 deletions
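--- a/etc/apparmor/firejail-default
+++ b/etc/apparmor/firejail-default
@@ -2,6 +2,10 @@
 # Generic Firejail AppArmor profile
 #########################################
 
+# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
+# and <abstractions/dbus-session-strict>.
+#include <tunables/global>
+
 ##########
 # A simple PID declaration based on Ubuntu's @{pid}
 # Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.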
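Review bot: The new unconditional `#include <tunables/global>` pulls in (on Ubuntu) `tunables/kernelvars`, which is exactly where the comment right below says `@{pid}` is declared, so the local PID declaration that follows this hunk would now be a duplicate-variable parse error if it uses the same `@{pid}` name; the declaration itself is outside the hunk, so confirm its spelling differs. The added comment only explains the `@{run}` motivation; a line such as `# tunables/global also brings in @{HOME}, @{PROC} and, on Ubuntu, @{pid} - the declaration below must not collide with those names.` would tell the next maintainer why both coexist. If this profile still carries older text saying tunables/global is deliberately not included, that text now contradicts this hunk and should be updated in the same change.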
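--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -472,14 +472,9 @@ blacklist /.snapshots
 # flatpak
 blacklist ${HOME}/.cache/flatpak
 blacklist ${HOME}/.config/flatpak
-blacklist ${HOME}/.local/share/flatpak/app
-blacklist ${HOME}/.local/share/flatpak/appstream
-blacklist ${HOME}/.local/share/flatpak/db
+noblacklist ${HOME}/.local/share/flatpak/exports
 read-only ${HOME}/.local/share/flatpak/exports
-blacklist ${HOME}/.local/share/flatpak/oci
-blacklist ${HOME}/.local/share/flatpak/overrides
-blacklist ${HOME}/.local/share/flatpak/repo
-blacklist ${HOME}/.local/share/flatpak/runtime
+blacklist ${HOME}/.local/share/flatpak/*
 blacklist ${HOME}/.var
 blacklist ${RUNUSER}/app
 blacklist ${RUNUSER}/doc
@@ -487,7 +482,8 @@ blacklist ${RUNUSER}/.dbus-proxy
 blacklist ${RUNUSER}/.flatpak
 blacklist ${RUNUSER}/.flatpak-helper
 blacklist /usr/share/flatpak
-blacklist /var/lib/flatpak
+noblacklist /var/lib/flatpak/exports
+blacklist /var/lib/flatpak/*
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
 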
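Review bot: The two `exports` carve-outs are not symmetric: the user-level `${HOME}/.local/share/flatpak/exports` is un-blacklisted and additionally kept `read-only`, while `/var/lib/flatpak/exports` is only un-blacklisted, so in a sandbox that keeps write access to that tree (root-owned on most systems, but this include does not itself imply `noroot`) the system-wide launcher symlinks stay writable; `read-only /var/lib/flatpak/exports` next to the new `noblacklist` would restore parity. The reason for exempting `exports` at all is also undocumented, and a glob-plus-exception pair is harder to reason about than the old explicit list; a comment such as `# exports/ only holds symlinks to .desktop files and icons needed by launchers; all other subdirs (repo, app, runtime, overrides) are app data and stay hidden` above the `noblacklist` would make the intent explicit.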
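--- a/etc/inc/disable-devel.inc
+++ b/etc/inc/disable-devel.inc
@@ -49,6 +49,7 @@ blacklist ${PATH}/openssl-1.0
 blacklist ${PATH}/rust-gdb
 blacklist ${PATH}/rust-lldb
 blacklist ${PATH}/rustc
+blacklist ${HOME}/.rustup
 
 # tcc - Tiny C Compiler
 blacklist ${PATH}/tcc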
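Review bot: `blacklist ${HOME}/.rustup` hides the installed toolchains but not `${HOME}/.cargo`, which is where rustup puts the `cargo`/`rustc` proxy binaries that actually sit on `PATH` (`~/.cargo/bin`) and where the crates.io publish token is stored (`~/.cargo/credentials`); unless `.cargo` is already covered by another include that is not visible here, add `blacklist ${HOME}/.cargo` beside the new line, or at least `blacklist ${HOME}/.cargo/bin`. The Rust section of this file starts above the hunk, so the matching `${PATH}/cargo` entry, if any, is outside the visible lines.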
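--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -37,6 +37,7 @@ blacklist ${HOME}/.VirtualBox
 blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
+blacklist ${HOME}/.abook
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -49,6 +50,7 @@ blacklist ${HOME}/.asunder_album_title
 blacklist ${HOME}/.atom
 blacklist ${HOME}/.attic
 blacklist ${HOME}/.audacity-data
+blacklist ${HOME}/.balsa
 blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
@@ -83,6 +85,7 @@ blacklist ${HOME}/.config/Debauchee/Barrier.conf
 blacklist ${HOME}/.config/Dharkael
 blacklist ${HOME}/.config/Element
 blacklist ${HOME}/.config/Element (Riot)
+blacklist ${HOME}/.config/ENCOM
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Flavio Tordini
@@ -122,6 +125,7 @@ blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
+blacklist ${HOME}/.config/Quotient
 blacklist ${HOME}/.config/Rambox
 blacklist ${HOME}/.config/Riot
 blacklist ${HOME}/.config/Rocket.Chat
@@ -131,11 +135,14 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Standard Notes
 blacklist ${HOME}/.config/SubDownloader
 blacklist ${HOME}/.config/Thunar
+blacklist ${HOME}/.config/Twitch
 blacklist ${HOME}/.config/Unknown Organization
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/Youtube
 blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
@@ -203,10 +210,13 @@ blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/equalx
 blacklist ${HOME}/.config/evince
 blacklist ${HOME}/.config/evolution
 blacklist ${HOME}/.config/falkon
 blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.config/flameshot
+blacklist ${HOME}/.config/flaska.net
 blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/font-manager
 blacklist ${HOME}/.config/freecol
@@ -214,6 +224,7 @@ blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
 blacklist ${HOME}/.config/gconf
 blacklist ${HOME}/.config/geany
+blacklist ${HOME}/.config/geary
 blacklist ${HOME}/.config/gedit
 blacklist ${HOME}/.config/geeqie
 blacklist ${HOME}/.config/ghb
@@ -258,6 +269,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kazam
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kfindrc
@@ -274,6 +286,7 @@ blacklist ${HOME}/.config/konversation.notifyrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/ktorrentrc
 blacklist ${HOME}/.config/ktouch2rc
+blacklist ${HOME}/.config/kube
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
@@ -281,6 +294,7 @@ blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
+blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
@@ -291,6 +305,7 @@ blacklist ${HOME}/.config/menulibre.cfg
 blacklist ${HOME}/.config/mfusion
 blacklist ${HOME}/.config/Microsoft
 blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/mirage
 blacklist ${HOME}/.config/mono
 blacklist ${HOME}/.config/mpDris2
 blacklist ${HOME}/.config/mpd
@@ -312,6 +327,7 @@ blacklist ${HOME}/.config/nuclear
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
+blacklist ${HOME}/.config/onboard
 blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/opera
@@ -331,6 +347,7 @@ blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/pragha
 blacklist ${HOME}/.config/profanity
+blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -346,10 +363,12 @@ blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
+blacklist ${HOME}/.config/sink
 blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
+blacklist ${HOME}/.config/smuxi
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
@@ -396,6 +415,8 @@ blacklist ${HOME}/.config/yandex-browser
 blacklist ${HOME}/.config/yandex-browser-beta
 blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
+blacklist ${HOME}/.config/youtubemusic-nativefier-040164
+blacklist ${HOME}/.config/youtube-music-desktop-app
 blacklist ${HOME}/.config/youtube-viewer
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
@@ -418,6 +439,7 @@ blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
 blacklist ${HOME}/.emacs
 blacklist ${HOME}/.emacs.d
+blacklist ${HOME}/.equalx
 blacklist ${HOME}/.ethereum
 blacklist ${HOME}/.etr
 blacklist ${HOME}/.filezilla
@@ -541,6 +563,7 @@ blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
@@ -626,6 +649,7 @@ blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktouch
+blacklist ${HOME}/.local/share/kube
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
@@ -637,6 +661,7 @@ blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
+blacklist ${HOME}/.local/share/mirage
 blacklist ${HOME}/.local/share/multimc
 blacklist ${HOME}/.local/share/multimc5
 blacklist ${HOME}/.local/share/mupen64plus
@@ -657,6 +682,7 @@ blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
+blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
@@ -666,6 +692,8 @@ blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/sink
+blacklist ${HOME}/.local/share/smuxi
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/strawberry
@@ -798,6 +826,7 @@ blacklist ${HOME}/.xmind
 blacklist ${HOME}/.xmms
 blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
+blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
@@ -815,6 +844,7 @@ blacklist ${HOME}/.cache/8pecxstudios
 blacklist ${HOME}/.cache/Authenticator
 blacklist ${HOME}/.cache/BraveSoftware
 blacklist ${HOME}/.cache/Clementine
+blacklist ${HOME}/.cache/ENCOM/Spectral
 blacklist ${HOME}/.cache/Enox
 blacklist ${HOME}/.cache/Enpass
 blacklist ${HOME}/.cache/Ferdi
@@ -824,7 +854,9 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/Quotient/quaternion
 blacklist ${HOME}/.cache/Shortwave
 blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
@@ -852,10 +884,13 @@ blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
 blacklist ${HOME}/.cache/falkon
 blacklist ${HOME}/.cache/feedreader
+blacklist ${HOME}/.cache/flaska.net/trojita
 blacklist ${HOME}/.cache/font-manager
 blacklist ${HOME}/.cache/fossamail
+blacklist ${HOME}/.cache/fractal
 blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.cache/geary
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
 blacklist ${HOME}/.cache/gfeeds
@@ -889,12 +924,14 @@ blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/kscreenlocker_greet
 blacklist ${HOME}/.cache/ksmserver-logout-greeter
 blacklist ${HOME}/.cache/ksplashqml
+blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
+blacklist ${HOME}/.cache/mirage
 blacklist ${HOME}/.cache/moonchild productions/basilisk
 blacklist ${HOME}/.cache/moonchild productions/pale moon
 blacklist ${HOME}/.cache/mozilla
@@ -920,12 +957,14 @@ blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry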
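Review bot: `blacklist ${HOME}/.local/share/man` is inserted into the alphabetical `.config/` run (between `mailtransports` and `mana`) although this file keeps `.local/share/` entries in their own sorted run further down (`.local/share/mana` is the anchor of the `@@ -637` hunk); move it there so the sort-order checks and future merges stay clean. Separately, `blacklist ${HOME}/.config/youtubemusic-nativefier-040164` hard-codes what looks like a build-specific numeric suffix, so the entry will silently stop matching when the app is rebuilt with a different id; `blacklist ${HOME}/.config/youtubemusic-nativefier-*` would be durable, and the file already uses globs for the same reason (`.WebStorm*`, `akonadi*`).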
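--- /dev/null
+++ b/etc/inc/disable-write-mnt.inc
@@ -0,0 +1,8 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-write-mnt.local
+
+read-only /mnt
+read-only /media
+read-only /run/mount
+read-only /run/media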
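Review bot: The new include never says what it is for or how it relates to `disable-mnt`, and its four `read-only` targets are directories that contain separately mounted volumes; whether firejail's read-only remount recurses into the per-device mounts under `/media` and `/run/media` is an implementation detail I cannot confirm from here, and if it does not, only the top-level directory is protected while files on an already-mounted USB stick remain writable. Add a header after the `.local` include, e.g. `# Keep removable media and external mount points visible but read-only. Use disable-mnt to hide them entirely.`, and verify the recursion behaviour (mount a tmpfs under /media and attempt a write from inside the sandbox) before mail and IM profiles rely on this include as their only protection for external media.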
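--- /dev/null
+++ b/etc/inc/whitelist-players.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-players.local
+
+# common whitelist for all media players
+
+whitelist ${DESKTOP}
+whitelist ${DOWNLOADS}
+whitelist ${MUSIC}
+whitelist ${PICTURES}
+whitelist ${VIDEOS}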
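Review bot: `whitelist ${DESKTOP}` gives every media player that pulls in this include read-write access to the user's desktop folder, where most desktop environments render `.desktop` files as clickable launchers that run arbitrary commands; a compromised player could drop or rewrite one there and wait for a click. If no player genuinely needs to save into that folder, `read-only ${DESKTOP}` placed after the whitelist would close that path while keeping the folder browsable, with individual profiles able to relax it; at minimum the header comment should state the trade-off. The header also differs from the sibling include added in this commit (`disable-write-mnt.inc` uses `# This file is overwritten during software install.` / `# Persistent customizations should go in a .local file.`), so aligning the wording would keep the includes consistent.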
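--- /dev/null
+++ b/etc/profile-a-l/balsa.profile
@@ -0,0 +1,78 @@
+# Firejail profile for balsa
+# Description: GNOME mail client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include balsa.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.balsa
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/mail
+noblacklist /var/mail
+noblacklist /var/spool/mail
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.balsa
+mkdir ${HOME}/.gnupg
+mkdir ${HOME}/mail
+whitelist ${HOME}/.balsa
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.mozilla/firefox/profiles.ini
+whitelist ${HOME}/mail
+whitelist ${RUNUSER}/gnupg
+whitelist /usr/share/balsa
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+whitelist /var/mail
+whitelist /var/spool/mail
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
+private-bin balsa,balsa-ab
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user filter
+dbus-user.own org.desktop.Balsa
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.secrets
+dbus-user.talk org.freedesktop.Notifications
+dbus-system none
+
+read-only ${HOME}/.mozilla/firefox/profiles.ini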
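Review bot: `# disable-mnt` is left commented, presumably so attachments can be opened from or saved to external media, but that leaves `/mnt`, `/media` and `/run/media` fully writable to a client that parses untrusted mail; this same commit introduces `disable-write-mnt.inc` for exactly that case, so `include disable-write-mnt.inc` belongs in the include list next to `include disable-xdg.inc`. Two things to confirm rather than fix blindly: `nogroups` drops the supplementary `mail` group that mbox spools under `/var/mail` usually require for lock files, so the `writable-var` + `whitelist /var/mail` combination may still fail on such systems; and `dbus-user.talk org.freedesktop.secrets` exposes the whole Secret Service, not only Balsa's own items, which is inherent to that API but deserves a comment on the line.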
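--- a/etc/profile-a-l/celluloid.profile
+++ b/etc/profile-a-l/celluloid.profile
@@ -28,12 +28,8 @@ mkdir ${HOME}/.config/youtube-dl
 whitelist ${HOME}/.config/celluloid
 whitelist ${HOME}/.config/gnome-mpv
 whitelist ${HOME}/.config/youtube-dl
-whitelist ${DESKTOP}
-whitelist ${DOWNLOADS}
-whitelist ${MUSIC}
-whitelist ${PICTURES}
-whitelist ${VIDEOS}
 include whitelist-common.inc
+include whitelist-players.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc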
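--- /dev/null
+++ b/etc/profile-a-l/chromium-freeworld.profile
@@ -0,0 +1,5 @@
+# Firejail profile for chromium-freeworld
+# This file is overwritten after every install/update
+
+# Redirect
+include chromium.profile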
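Review bot: This redirect profile omits the `.local` hooks that the other redirect added in this commit carries (`cola.profile` has `include cola.local` and `include globals.local` under the `# Persistent local customizations` / `# Persistent global definitions` comments), so a user cannot persistently customise this alias without editing a file that is overwritten on every update. Add `include chromium-freeworld.local` and `include globals.local` with the same two comment lines before `# Redirect`, matching `cola.profile`.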
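--- /dev/null
+++ b/etc/profile-a-l/cola.profile
@@ -0,0 +1,10 @@
+# Firejail profile for cola
+# Description: Linux native frontend for Git,alternative call for git-cola
+# This file is overwritten after every install/update
+# Persistent local customizations
+include cola.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include git-cola.profile
\ No newline at end of file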
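Review bot: The file ends without a trailing newline (`\ No newline at end of file`) and the description line is missing a space after the comma in `Git,alternative`; both are cosmetic, but every other profile in this diff ends with a newline and the description lines are read as prose. Change the second line to `# Description: Linux native frontend for Git, alternative call for git-cola` and terminate the last line with a newline.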
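--- /dev/null
+++ b/etc/profile-a-l/dbus-send.profile
@@ -0,0 +1,59 @@
+# Firejail profile for dbus-send
+# Description: Send a message to a message bus
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include dbus-send.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+# Breaks abstract sockets
+#net none
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin dbus-send
+private-cache
+private-dev
+private-etc alternatives,dbus-1
+private-lib libpcre2-8.so.0
+private-tmp
+
+memory-deny-write-execute
+read-only ${HOME}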
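Review bot: `netfilter` has nothing to act on in this profile: the comment two lines above it says `net none` is deliberately left out because it breaks abstract sockets, and as far as I recall firejail's packet filter is only installed inside a new network namespace, so without any `net` option the line is a no-op and gives a false sense of filtering; `protocol unix` already denies inet/inet6 sockets at the seccomp level. Either drop it or replace it with `# netfilter - no effect without a network namespace; protocol unix already denies inet/inet6` so the next reader does not assume network traffic is filtered. The profile also sets both `disable-mnt` and `include disable-write-mnt.inc`; the second is redundant once the mount points are hidden, and keeping only `disable-mnt` would make the intent clearer.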
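--- a/etc/profile-a-l/default.profile
+++ b/etc/profile-a-l/default.profile
@@ -14,6 +14,7 @@ include disable-common.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# include disable-write-mnt.inc
 # include disable-xdg.inc
 
 # include whitelist-common.inc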
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile
index 39366470f..5957d4316 100644
--- a/etc/profile-a-l/electron-mail.profile
+++ b/etc/profile-a-l/electron-mail.profile
@@ -8,8 +8,6 @@ include globals.local
8 8
9noblacklist ${HOME}/.config/electron-mail 9noblacklist ${HOME}/.config/electron-mail
10 10
11whitelist ${DOWNLOADS}
12
13include disable-common.inc 11include disable-common.inc
14include disable-devel.inc 12include disable-devel.inc
15include disable-exec.inc 13include disable-exec.inc
@@ -21,8 +19,10 @@ include disable-xdg.inc
21 19
22mkdir ${HOME}/.config/electron-mail 20mkdir ${HOME}/.config/electron-mail
23whitelist ${HOME}/.config/electron-mail 21whitelist ${HOME}/.config/electron-mail
22whitelist ${DOWNLOADS}
24 23
25include whitelist-common.inc 24include whitelist-common.inc
25include whitelist-runuser-common.inc
26include whitelist-usr-share-common.inc 26include whitelist-usr-share-common.inc
27include whitelist-var-common.inc 27include whitelist-var-common.inc
28 28
@@ -45,12 +45,12 @@ shell none
45private-bin electron-mail 45private-bin electron-mail
46private-cache 46private-cache
47private-dev 47private-dev
48private-etc alternatives,fonts 48private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg
49private-opt ElectronMail 49private-opt ElectronMail
50private-tmp 50private-tmp
51 51
52# breaks tray functionality 52# breaks tray functionality
53# dbus-user none 53# dbus-user none
54# dbus-system none 54dbus-system none
55 55
56# memory-deny-write-execute - breaks on Arch 56# memory-deny-write-execute - breaks on Arch
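Review bot: With `dbus-system none` now enabled (new line 54) but `dbus-user none` still commented out on line 53 because it "breaks tray functionality", the session bus stays completely unrestricted for a mail client that renders untrusted content. A filter is the usual middle ground here: `dbus-user filter` followed by `dbus-user.talk org.kde.StatusNotifierWatcher` (plus `org.freedesktop.Notifications` if notifications are used) would presumably keep the tray icon working while closing the rest of the bus; which names the tray really needs should be confirmed with a bus monitor before landing. The comment on line 52 should then say what the filter covers rather than just "breaks tray functionality". The new private-etc entries (ca-certificates, crypto-policies, pki, ssl, resolv.conf, nsswitch.conf) are the expected set for TLS and name resolution.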
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile
index 80c704c6b..e8b49a395 100644
--- a/etc/profile-a-l/eo-common.profile
+++ b/etc/profile-a-l/eo-common.profile
@@ -17,6 +17,7 @@ include disable-exec.inc
17include disable-interpreters.inc 17include disable-interpreters.inc
18include disable-passwdmgr.inc 18include disable-passwdmgr.inc
19include disable-programs.inc 19include disable-programs.inc
20include disable-write-mnt.inc
20 21
21include whitelist-runuser-common.inc 22include whitelist-runuser-common.inc
22include whitelist-usr-share-common.inc 23include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile
index 0d0153fc2..aabef65fc 100644
--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -15,9 +15,12 @@ whitelist /usr/share/eog
15# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local 15# or put 'ignore private-bin', 'ignore private-etc' and 'ignore private-lib' in your eog.local
16private-bin eog 16private-bin eog
17 17
18dbus-user filter 18
19dbus-user.own org.gnome.eog 19# broken on Debian 10 (buster) running LXDE got the folowing error:
20dbus-user.talk ca.desrt.dconf 20# Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
21#dbus-user filter
22#dbus-user.own org.gnome.eog
23#dbus-user.talk ca.desrt.dconf
21dbus-system none 24dbus-system none
22 25
23# Redirect 26# Redirect
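Review bot: Commenting out the whole `dbus-user filter` block (new lines 21–23) removes the session-bus restriction for every distribution to work around a GDBus ServiceUnknown error seen on one Debian 10/LXDE setup, so eog — an image viewer that opens untrusted files — now has unrestricted access to the session bus. The override mechanism already exists for exactly this case: keep the filter in the profile and let affected users put `ignore dbus-user filter` into eog.local; at minimum the comment should point them there. The comment itself also reads awkwardly ("got the folowing error", missing subject); something like `# Broken on Debian 10 (buster) with LXDE: eog fails to register with GDBus.Error:...ServiceUnknown` would be clearer, and it would be useful to state whether `dbus-user none` fails there as well.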
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile
new file mode 100644
index 000000000..58b053041
--- /dev/null
+++ b/etc/profile-a-l/equalx.profile
@@ -0,0 +1,63 @@
1# Firejail profile for equalx
2# Description: A graphical editor for writing LaTeX equations
3# This file is overwritten after every install/update
4# Persistent local customizations
5include equalx.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/equalx
10noblacklist ${HOME}/.equalx
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-passwdmgr.inc
17include disable-programs.inc
18include disable-shell.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.config/equalx
22mkdir ${HOME}/.equalx
23whitelist ${HOME}/.config/equalx
24whitelist ${HOME}/.equalx
25whitelist /usr/share/poppler
26whitelist /usr/share/ghostscript
27whitelist /usr/share/texlive
28whitelist /usr/share/equalx
29whitelist /var/lib/texmf
30include whitelist-common.inc
31include whitelist-runuser-common.inc
32include whitelist-usr-share-common.inc
33include whitelist-var-common.inc
34
35apparmor
36caps.drop all
37machine-id
38net none
39no3d
40nodvd
41nogroups
42nonewprivs
43noroot
44nosound
45notv
46nou2f
47novideo
48protocol unix
49seccomp
50shell none
51tracelog
52
53disable-mnt
54private-bin equalx,gs,pdflatex,pdftocairo
55private-cache
56private-dev
57private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf
58private-tmp
59
60dbus-user none
61dbus-system none
62
63memory-deny-write-execute
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile
index 179540806..31cb1776c 100644
--- a/etc/profile-a-l/fdns.profile
+++ b/etc/profile-a-l/fdns.profile
@@ -29,20 +29,20 @@ no3d
29nodvd 29nodvd
30nogroups 30nogroups
31nonewprivs 31nonewprivs
32# noroot 32noroot
33nosound 33nosound
34notv 34notv
35nou2f 35nou2f
36novideo 36novideo
37protocol unix,inet,inet6 37protocol unix,inet,inet6,netlink
38#seccomp 38#seccomp
39#shell none 39#shell none
40 40
41disable-mnt 41disable-mnt
42private 42private
43private-bin bash,fdns,sh 43private-bin bash,fdns,sh
44# private-cache 44private-cache
45private-dev 45#private-dev
46private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl 46private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl
47# private-lib 47# private-lib
48private-tmp 48private-tmp
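Review bot: `private-dev` is switched off (new line 45, `#private-dev`) with no comment saying why, while `seccomp` and `shell none` remain disabled on lines 38–39; for a DNS proxy that parses untrusted network responses that leaves a wide device and syscall surface. If fdns needs a particular device node, please record it so the exception stays reviewable, e.g. `# private-dev - fdns needs /dev/<node> for ...`, and it is worth checking whether `seccomp` can now be enabled alongside the newly enabled `noroot`. Enabling `noroot` and `private-cache` and adding `netlink` to `protocol` look right.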
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 337311ed8..ce2013c57 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -24,7 +24,7 @@ include whitelist-usr-share-common.inc
24# firefox requires a shell to launch on Arch. 24# firefox requires a shell to launch on Arch.
25#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which 25#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
26# Fedora use shell scripts to launch firefox, at least this is required 26# Fedora use shell scripts to launch firefox, at least this is required
27#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname 27#private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
28# private-etc must first be enabled in firefox-common.profile 28# private-etc must first be enabled in firefox-common.profile
29#private-etc firefox 29#private-etc firefox
30 30
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 7c41417ec..357354e70 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -9,6 +9,7 @@ include globals.local
9 9
10noblacklist ${PICTURES} 10noblacklist ${PICTURES}
11noblacklist ${HOME}/.config/Dharkael 11noblacklist ${HOME}/.config/Dharkael
12noblacklist ${HOME}/.config/flameshot
12 13
13include disable-common.inc 14include disable-common.inc
14include disable-devel.inc 15include disable-devel.inc
@@ -19,8 +20,11 @@ include disable-programs.inc
19include disable-shell.inc 20include disable-shell.inc
20include disable-xdg.inc 21include disable-xdg.inc
21 22
23#mkdir ${HOME}/.config/Dharkael
24#mkdir ${HOME}/.config/flameshot
22#whitelist ${PICTURES} 25#whitelist ${PICTURES}
23#whitelist ${HOME}/.config/Dharkael 26#whitelist ${HOME}/.config/Dharkael
27#whitelist ${HOME}/.config/flameshot
24whitelist /usr/share/flameshot 28whitelist /usr/share/flameshot
25#include whitelist-common.inc 29#include whitelist-common.inc
26include whitelist-runuser-common.inc 30include whitelist-runuser-common.inc
@@ -53,4 +57,5 @@ private-tmp
53 57
54dbus-user filter 58dbus-user filter
55dbus-user.own org.dharkael.Flameshot 59dbus-user.own org.dharkael.Flameshot
60dbus-user.own org.flameshot.Flameshot
56dbus-system none 61dbus-system none
diff --git a/etc/profile-a-l/fractal.profile b/etc/profile-a-l/fractal.profile
new file mode 100644
index 000000000..ab907eb0d
--- /dev/null
+++ b/etc/profile-a-l/fractal.profile
@@ -0,0 +1,54 @@
1# Firejail profile for fractal
2# Description: Desktop client for Matrix
3# This file is overwritten after every install/update
4# Persistent local customizations
5include fractal.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/fractal
10
11include disable-common.inc
12include disable-devel.inc
13include disable-exec.inc
14include disable-interpreters.inc
15include disable-passwdmgr.inc
16include disable-programs.inc
17include disable-shell.inc
18include disable-xdg.inc
19
20mkdir ${HOME}/.cache/fractal
21whitelist ${HOME}/.cache/fractal
22whitelist ${DOWNLOADS}
23include whitelist-common.inc
24include whitelist-runuser-common.inc
25include whitelist-usr-share-common.inc
26include whitelist-var-common.inc
27
28apparmor
29caps.drop all
30netfilter
31nodvd
32nogroups
33nonewprivs
34noroot
35notv
36nou2f
37protocol unix,inet,inet6
38seccomp
39shell none
40tracelog
41
42disable-mnt
43private-bin fractal
44private-cache
45private-dev
46private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
47private-tmp
48
49dbus-user filter
50dbus-user.own org.gnome.Fractal
51dbus-user.talk ca.desrt.dconf
52dbus-user.talk org.freedesktop.secrets
53dbus-user.talk org.freedesktop.Notifications
54dbus-system none
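Review bot: `dbus-user.talk org.freedesktop.secrets` (line 52) exposes the entire Secret Service to the sandbox — every keyring item, not only Fractal's own entries — because the secrets API has no per-caller scoping; that is inherent to how GNOME apps store access tokens, but it is by far the most valuable grant in this profile and deserves a comment: `# org.freedesktop.secrets: needed for the Matrix access token; grants access to the whole keyring`. `whitelist ${DOWNLOADS}` (line 22) is writable, which is the expected trade-off for saving attachments; the rest of the profile (netfilter, seccomp, private-bin, disable-mnt) is appropriately tight.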
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile
index fa01d04b7..118ed62ca 100644
--- a/etc/profile-a-l/geary.profile
+++ b/etc/profile-a-l/geary.profile
@@ -10,24 +10,24 @@ include geary.local
10# Users have Geary set to open a browser by clicking a link in an email 10# Users have Geary set to open a browser by clicking a link in an email
11# We are not allowed to blacklist browser-specific directories 11# We are not allowed to blacklist browser-specific directories
12 12
13ignore dbus-user none 13ignore dbus-user filter
14ignore dbus-system none 14ignore dbus-system none
15ignore private-tmp 15ignore private-tmp
16 16
17noblacklist ${HOME}/.gnupg 17noblacklist ${HOME}/.cache/geary
18noblacklist ${HOME}/.config/geary
18noblacklist ${HOME}/.local/share/geary 19noblacklist ${HOME}/.local/share/geary
19 20
20mkdir ${HOME}/.gnupg 21mkdir ${HOME}/.cache/geary
21mkdir ${HOME}/.config/geary 22mkdir ${HOME}/.config/geary
22mkdir ${HOME}/.local/share/geary 23mkdir ${HOME}/.local/share/geary
23whitelist ${HOME}/.gnupg 24whitelist ${HOME}/.cache/geary
24whitelist ${HOME}/.config/geary 25whitelist ${HOME}/.config/geary
25whitelist ${HOME}/.local/share/geary 26whitelist ${HOME}/.local/share/geary
27whitelist /usr/share/geary
26 28
27read-only ${HOME}/.config/mimeapps.list 29read-only ${HOME}/.config/mimeapps.list
28 30
29whitelist /usr/share/geary
30
31# allow Mozilla browsers 31# allow Mozilla browsers
32# Redirect 32# Redirect
33include firefox.profile 33include firefox.profile
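Review bot: Changing `ignore dbus-user none` to `ignore dbus-user filter` (line 13) drops whatever filter the included firefox.profile now sets, which leaves the session bus fully open for the mail client instead of extending the filter with Geary's names. If the issue is only that the Firefox filter lacks Geary's bus names, the narrower fix is to keep the filter and add them — presumably `dbus-user.own org.gnome.Geary` and `dbus-user.talk org.freedesktop.secrets`, though the exact names should be confirmed before landing. The removal of the `.gnupg` noblacklist/whitelist is not explained either; if Geary no longer touches GnuPG in-process, a one-line comment would save the next reader from re-adding it.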
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 30e80f519..4708078dd 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.gitconfig
12noblacklist ${HOME}/.git-credentials 12noblacklist ${HOME}/.git-credentials
13noblacklist ${HOME}/.gnupg 13noblacklist ${HOME}/.gnupg
14noblacklist ${HOME}/.ssh 14noblacklist ${HOME}/.ssh
15noblacklist ${HOME}/.subversion
15noblacklist ${HOME}/.config/git 16noblacklist ${HOME}/.config/git
16noblacklist ${HOME}/.config/git-cola 17noblacklist ${HOME}/.config/git-cola
17# Put your editor,diff viewer config path below and uncomment to load settings 18# Put your editor,diff viewer config path below and uncomment to load settings
@@ -28,7 +29,19 @@ include disable-passwdmgr.inc
28include disable-programs.inc 29include disable-programs.inc
29include disable-xdg.inc 30include disable-xdg.inc
30 31
32whitelist ${RUNUSER}/gnupg
33whitelist ${RUNUSER}/keyring
34# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
35whitelist /usr/share/git
36whitelist /usr/share/git-cola
37whitelist /usr/share/git-core
38whitelist /usr/share/git-gui
39whitelist /usr/share/gitk
40whitelist /usr/share/gitweb
41whitelist /usr/share/gnupg
42whitelist /usr/share/gnupg2
31include whitelist-runuser-common.inc 43include whitelist-runuser-common.inc
44include whitelist-usr-share-common.inc
32include whitelist-var-common.inc 45include whitelist-var-common.inc
33 46
34apparmor 47apparmor
@@ -49,18 +62,22 @@ seccomp
49shell none 62shell none
50tracelog 63tracelog
51 64
52# private-bin atom,bash,colordiff,emacs,fldiff,geany,gedit,git,git gui,git-cola,git-dag,gitk,gpg,gvim,leafpad,meld,mousepad,nano,notepadqq,python*,sh,ssh,vim,vimdiff,which,xed 65# Add your own diff viewer,editor,pinentry program
66# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
67private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
53private-cache 68private-cache
54private-dev 69private-dev
55# Comment if you sign commits with GPG 70private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg
56private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,X11,xdg
57private-tmp 71private-tmp
72writable-run-user
58 73
59dbus-user filter 74# Breaks meld as diff viewer
75# dbus-user filter
60# Uncomment if you need keyring access 76# Uncomment if you need keyring access
61# dbus-user.talk org.freedesktop.secrets 77# dbus-user.talk org.freedesktop.secrets
62dbus-system none 78dbus-system none
63 79
64read-only ${HOME}/.ssh
65read-only ${HOME}/.gnupg
66read-only ${HOME}/.git-credentials 80read-only ${HOME}/.git-credentials
81
82# Comment if you need to allow hosts
83read-only ${HOME}/.ssh
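Review bot: `read-only ${HOME}/.gnupg` (old line 65) is dropped without a replacement, so the sandbox now has write access to the user's GnuPG keyring, and `dbus-user filter` (new lines 74–75) is commented out "because it breaks meld", leaving the session bus open for everyone; both weaken a profile whose job is reading a repository. If writability is only needed for gpg-agent sockets and lock files, that is already covered by `writable-run-user` and `whitelist ${RUNUSER}/gnupg`, so the read-only line could presumably return (if signing genuinely needs the keyring writable, the comment should say so); for meld users the .local override is the usual route, i.e. `ignore dbus-user filter` in git-cola.local rather than removing the filter in the shipped profile. The new comment on line 82, `# Comment if you need to allow hosts`, should say what it means, e.g. `# Comment if ssh needs to write ~/.ssh/known_hosts`.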
diff --git a/etc/profile-a-l/gnome-builder.profile b/etc/profile-a-l/gnome-builder.profile
index 7a684dd59..8f637902c 100644
--- a/etc/profile-a-l/gnome-builder.profile
+++ b/etc/profile-a-l/gnome-builder.profile
@@ -6,6 +6,8 @@ include gnome-builder.local
6# Persistent global definitions 6# Persistent global definitions
7include globals.local 7include globals.local
8 8
9noblacklist ${HOME}/.bash_history
10
9noblacklist ${HOME}/.cache/gnome-builder 11noblacklist ${HOME}/.cache/gnome-builder
10noblacklist ${HOME}/.config/gnome-builder 12noblacklist ${HOME}/.config/gnome-builder
11noblacklist ${HOME}/.local/share/gnome-builder 13noblacklist ${HOME}/.local/share/gnome-builder
@@ -34,3 +36,5 @@ seccomp
34shell none 36shell none
35 37
36private-dev 38private-dev
39
40read-write ${HOME}/.bash_history
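Review bot: `noblacklist ${HOME}/.bash_history` and `read-write ${HOME}/.bash_history` (lines 9 and 40) expose the user's shell history — which routinely contains pasted tokens, passwords and internal hostnames — to the whole IDE sandbox, and make it writable, with no comment explaining the need. If this is for the integrated terminal (my guess), say so, and consider pointing the sandboxed shell at a history file under the already-whitelisted `${HOME}/.cache/gnome-builder` via `HISTFILE` instead of the real one. A minimal comment would be `# Integrated terminal: exposes the real shell history (and any secrets in it) to the sandbox`.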
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile
index 615be7873..ed430b654 100644
--- a/etc/profile-a-l/gnome-passwordsafe.profile
+++ b/etc/profile-a-l/gnome-passwordsafe.profile
@@ -52,3 +52,8 @@ private-cache
52private-dev 52private-dev
53private-etc dconf,fonts,gtk-3.0,passwd 53private-etc dconf,fonts,gtk-3.0,passwd
54private-tmp 54private-tmp
55
56dbus-user filter
57dbus-user.own org.gnome.PasswordSafe
58dbus-user.talk ca.desrt.dconf
59dbus-system none
diff --git a/etc/profile-a-l/hedgewars.profile b/etc/profile-a-l/hedgewars.profile
index 898a07a5f..8ac07d3da 100644
--- a/etc/profile-a-l/hedgewars.profile
+++ b/etc/profile-a-l/hedgewars.profile
@@ -8,6 +8,8 @@ include globals.local
8 8
9noblacklist ${HOME}/.hedgewars 9noblacklist ${HOME}/.hedgewars
10 10
11include allow-lua.inc
12
11include disable-common.inc 13include disable-common.inc
12include disable-devel.inc 14include disable-devel.inc
13include disable-interpreters.inc 15include disable-interpreters.inc
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
new file mode 100644
index 000000000..9899ff195
--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
1# Firejail profile for kazam
2# Description: Screen capture tool
3# This file is overwritten after every install/update
4# Persistent local customizations
5include kazam.local
6# Persistent global definitions
7include globals.local
8
9ignore noexec ${HOME}
10
11noblacklist ${PICTURES}
12noblacklist ${VIDEOS}
13noblacklist ${HOME}/.config/kazam
14
15include allow-python2.inc
16include allow-python3.inc
17
18include disable-common.inc
19include disable-devel.inc
20include disable-exec.inc
21include disable-interpreters.inc
22include disable-programs.inc
23include disable-passwdmgr.inc
24include disable-shell.inc
25include disable-xdg.inc
26
27whitelist /usr/share/kazam
28include whitelist-runuser-common.inc
29include whitelist-usr-share-common.inc
30include whitelist-var-common.inc
31
32apparmor
33caps.drop all
34net none
35nodvd
36nogroups
37nonewprivs
38noroot
39notv
40nou2f
41novideo
42protocol unix
43seccomp
44shell none
45tracelog
46
47disable-mnt
48# private-bin kazam,python*
49private-cache
50private-dev
51private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
52private-tmp
53
54dbus-system none
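Review bot: `ignore noexec ${HOME}` (line 9) cancels the noexec mount of the home directory for the whole sandbox without saying what under ${HOME} needs to be executable; for a Python program (allow-python*.inc) this presumably lets some script in the home directory run, which is exactly what noexec is meant to prevent. Please record the trigger, e.g. `# kazam runs ... from ${HOME}; noexec breaks it`, and prefer a narrower exception if only one path is involved. The session bus is also left unrestricted (only `dbus-system none` on line 54), which is probably required for screen capture but deserves a one-line comment as well.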
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile
new file mode 100644
index 000000000..cf3a69fd7
--- /dev/null
+++ b/etc/profile-a-l/kube.profile
@@ -0,0 +1,81 @@
1# Firejail profile for kube
2# Description: Qt mail client
3# This file is overwritten after every install/update
4# Persistent local customizations
5include kube.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.gnupg
10noblacklist ${HOME}/.mozilla
11noblacklist ${HOME}/.cache/kube
12noblacklist ${HOME}/.config/kube
13noblacklist ${HOME}/.config/sink
14noblacklist ${HOME}/.local/share/kube
15noblacklist ${HOME}/.local/share/sink
16
17include disable-common.inc
18include disable-devel.inc
19include disable-exec.inc
20include disable-interpreters.inc
21include disable-passwdmgr.inc
22include disable-programs.inc
23include disable-shell.inc
24include disable-xdg.inc
25
26mkdir ${HOME}/.gnupg
27mkdir ${HOME}/.cache/kube
28mkdir ${HOME}/.config/kube
29mkdir ${HOME}/.config/sink
30mkdir ${HOME}/.local/share/kube
31mkdir ${HOME}/.local/share/sink
32whitelist ${HOME}/.gnupg
33whitelist ${HOME}/.mozilla/firefox/profiles.ini
34whitelist ${HOME}/.cache/kube
35whitelist ${HOME}/.config/kube
36whitelist ${HOME}/.config/sink
37whitelist ${HOME}/.local/share/kube
38whitelist ${HOME}/.local/share/sink
39whitelist ${RUNUSER}/gnupg
40whitelist /usr/share/kube
41whitelist /usr/share/gnupg
42whitelist /usr/share/gnupg2
43include whitelist-common.inc
44include whitelist-runuser-common.inc
45include whitelist-usr-share-common.inc
46include whitelist-var-common.inc
47
48apparmor
49caps.drop all
50netfilter
51no3d
52nodvd
53nogroups
54nonewprivs
55noroot
56nosound
57notv
58nou2f
59novideo
60protocol unix,inet,inet6
61seccomp
62shell none
63tracelog
64
65# disable-mnt
66# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
67# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
68private-bin kube,sink_synchronizer
69private-cache
70private-dev
71private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
72private-tmp
73writable-run-user
74
75dbus-user filter
76dbus-user.talk ca.desrt.dconf
77dbus-user.talk org.freedesktop.secrets
78dbus-user.talk org.freedesktop.Notifications
79dbus-system none
80
81read-only ${HOME}/.mozilla/firefox/profiles.ini
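Review bot: `# disable-mnt` (line 65) is commented out with no reason given, so /mnt, /media and mounted removable media stay visible to the mail client while everything else in the profile is tight (netfilter, seccomp, private-bin/dev/etc/tmp); this looks like either an oversight or a specific need that should be named, e.g. `# disable-mnt - breaks saving attachments to /media on ...`. The `.gnupg` whitelist (line 32) is writable by default even though `gpg` is not in `private-bin` and line 66 tells users to add it themselves; a `read-only ${HOME}/.gnupg` default that users lift in kube.local together with the gpg binaries would be the safer baseline, if signing does not require write access.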
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
new file mode 100644
index 000000000..6f74e6da3
--- /dev/null
+++ b/etc/profile-m-z/man.profile
@@ -0,0 +1,65 @@
1# Firejail profile for man
2# Description: manpage viewer
3quiet
4# This file is overwritten after every install/update
5# Persistent local customizations
6include man.local
7# Persistent global definitions
8include globals.local
9
10blacklist ${RUNUSER}
11
12noblacklist ${HOME}/.local/share/man
13
14include disable-common.inc
15include disable-devel.inc
16include disable-exec.inc
17include disable-interpreters.inc
18include disable-passwdmgr.inc
19include disable-programs.inc
20include disable-xdg.inc
21
22mkdir ${HOME}/.local/share/man
23whitelist ${HOME}/.local/share/man
24whitelist ${HOME}/.manpath
25whitelist /usr/share/groff
26whitelist /usr/share/info
27whitelist /usr/share/lintian
28whitelist /usr/share/locale
29whitelist /usr/share/man
30whitelist /var/cache/man
31include whitelist-common.inc
32include whitelist-usr-share-common.inc
33include whitelist-var-common.inc
34
35apparmor
36caps.drop all
37ipc-namespace
38machine-id
39net none
40no3d
41nodvd
42nogroups
43nonewprivs
44noroot
45nosound
46notv
47novideo
48nou2f
49protocol unix
50seccomp
51shell none
52tracelog
53x11 none
54
55disable-mnt
56private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
57private-cache
58private-dev
59private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
60private-tmp
61
62dbus-user none
63dbus-system none
64
65memory-deny-write-execute
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
new file mode 100644
index 000000000..3468bc22d
--- /dev/null
+++ b/etc/profile-m-z/menulibre.profile
@@ -0,0 +1,62 @@
1# Firejail profile for menulibre
2# Description: Create desktop and menu launchers easily
3# This file is overwritten after every install/update
4# Persistent local customizations
5include menulibre.local
6# Persistent global definitions
7include globals.local
8
9include allow-python2.inc
10include allow-python3.inc
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-programs.inc
17include disable-passwdmgr.inc
18include disable-xdg.inc
19
20# Whitelist your system icon directory,varies by distro
21whitelist /usr/share/app-info
22whitelist /usr/share/desktop-directories
23whitelist /usr/share/icons
24whitelist /usr/share/menulibre
25whitelist /var/lib/app-info/icons
26whitelist /var/lib/flatpak/exports/share/applications
27whitelist /var/lib/flatpak/exports/share/icons
28include whitelist-runuser-common.inc
29include whitelist-usr-share-common.inc
30include whitelist-var-common.inc
31
32apparmor
33caps.drop all
34machine-id
35net none
36nodvd
37no3d
38nogroups
39nonewprivs
40noroot
41nosound
42notv
43nou2f
44novideo
45protocol unix
46seccomp
47shell none
48tracelog
49
50disable-mnt
51private-cache
52private-dev
53private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
54private-tmp
55
56dbus-user none
57dbus-system none
58
59read-write ${HOME}/.config/menus
60read-write ${HOME}/.gnome/apps
61read-write ${HOME}/.local/share/applications
62read-write ${HOME}/.local/share/flatpak/exports
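Review bot: The trailing `read-write` lines (59–62) grant write access to `~/.local/share/applications`, `~/.config/menus`, `~/.gnome/apps` and the flatpak exports — the `.desktop` launchers the desktop environment executes unsandboxed — so a compromise of this sandbox becomes persistent code execution outside it on the next click. That is menulibre's purpose, but it should be stated in the profile: `# Launcher dirs: Exec= lines written here run outside the sandbox`. Since `whitelist-common.inc` is not included, the rest of ${HOME} also stays reachable; if that is intentional (browsing for icons or executables), a comment would help too. Nit: `nodvd` precedes `no3d` (lines 36–37), unlike the alphabetical order the other profiles keep.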
diff --git a/etc/profile-m-z/minitube.profile b/etc/profile-m-z/minitube.profile
index 2c70978a9..39ecc7127 100644
--- a/etc/profile-m-z/minitube.profile
+++ b/etc/profile-m-z/minitube.profile
@@ -46,7 +46,7 @@ notv
46nou2f 46nou2f
47novideo 47novideo
48protocol unix,inet,inet6,netlink 48protocol unix,inet,inet6,netlink
49seccomp 49seccomp !kcmp
50shell none 50shell none
51tracelog 51tracelog
52 52
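Review bot: `seccomp !kcmp` (new line 49) opens a hole in the default syscall filter with no comment saying which component needs kcmp; if it is the graphics stack (my guess, since libdrm/Mesa use it to compare device file descriptors), a note such as `# kcmp: needed by the DRM/Mesa stack` keeps the exception reviewable and removable later.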
diff --git a/etc/profile-m-z/mirage.profile b/etc/profile-m-z/mirage.profile
new file mode 100644
index 000000000..4a5f12aec
--- /dev/null
+++ b/etc/profile-m-z/mirage.profile
@@ -0,0 +1,59 @@
1# Firejail profile for mirage
2# Description: Desktop client for Matrix
3# This file is overwritten after every install/update
4# Persistent local customizations
5include mirage.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/mirage
10noblacklist ${HOME}/.config/mirage
11noblacklist ${HOME}/.local/share/mirage
12
13include allow-python2.inc
14include allow-python3.inc
15
16include disable-common.inc
17include disable-devel.inc
18include disable-exec.inc
19include disable-interpreters.inc
20include disable-passwdmgr.inc
21include disable-programs.inc
22include disable-shell.inc
23include disable-xdg.inc
24
25mkdir ${HOME}/.cache/mirage
26mkdir ${HOME}/.config/mirage
27mkdir ${HOME}/.local/share/mirage
28whitelist ${HOME}/.cache/mirage
29whitelist ${HOME}/.config/mirage
30whitelist ${HOME}/.local/share/mirage
31whitelist ${DOWNLOADS}
32include whitelist-common.inc
33include whitelist-runuser-common.inc
34include whitelist-usr-share-common.inc
35include whitelist-var-common.inc
36
37apparmor
38caps.drop all
39netfilter
40nodvd
41nogroups
42nonewprivs
43noroot
44notv
45nou2f
46protocol unix,inet,inet6
47seccomp
48shell none
49tracelog
50
51disable-mnt
52private-bin mirage
53private-cache
54private-dev
55private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
56private-tmp
57
58dbus-user none
59dbus-system none
diff --git a/etc/profile-m-z/mplayer.profile b/etc/profile-m-z/mplayer.profile
index f4f862cb9..31a6caa9a 100644
--- a/etc/profile-m-z/mplayer.profile
+++ b/etc/profile-m-z/mplayer.profile
@@ -18,12 +18,8 @@ include disable-programs.inc
18read-only ${DESKTOP} 18read-only ${DESKTOP}
19mkdir ${HOME}/.mplayer 19mkdir ${HOME}/.mplayer
20whitelist ${HOME}/.mplayer 20whitelist ${HOME}/.mplayer
21whitelist ${DESKTOP}
22whitelist ${DOWNLOADS}
23whitelist ${MUSIC}
24whitelist ${PICTURES}
25whitelist ${VIDEOS}
26include whitelist-common.inc 21include whitelist-common.inc
22include whitelist-players.inc
27include whitelist-usr-share-common.inc 23include whitelist-usr-share-common.inc
28include whitelist-var-common.inc 24include whitelist-var-common.inc
29 25
diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile
index e0c6ff1c8..addeeac44 100644
--- a/etc/profile-m-z/mpsyt.profile
+++ b/etc/profile-m-z/mpsyt.profile
@@ -40,10 +40,8 @@ whitelist ${HOME}/.config/youtube-dl
40whitelist ${HOME}/.mplayer 40whitelist ${HOME}/.mplayer
41whitelist ${HOME}/.netrc 41whitelist ${HOME}/.netrc
42whitelist ${HOME}/mps 42whitelist ${HOME}/mps
43whitelist ${DOWNLOADS}
44whitelist ${MUSIC}
45whitelist ${VIDEOS}
46include whitelist-common.inc 43include whitelist-common.inc
44include whitelist-players.inc
47include whitelist-var-common.inc 45include whitelist-var-common.inc
48 46
49apparmor 47apparmor
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile
index 5ca684eb5..389b64535 100644
--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,6 +11,19 @@ include globals.local
11# edit ~/.config/mpv/foobar.conf: 11# edit ~/.config/mpv/foobar.conf:
12# screenshot-directory=~/Pictures 12# screenshot-directory=~/Pictures
13 13
14# Mpv has a powerfull lua-API, some off these lua-scripts interact
15# with external resources which are blocked by firejail. In such cases
16# you need to allow these resources by
17# - adding additional binaries to private-bin
18# - whitelisting additional paths
19# - noblacklisting paths
20# - weaking the dbus-policy
21# - ...
22#
23# Often these scripts require a shell:
24#noblacklist ${PATH}/sh
25#private-bin sh
26
14noblacklist ${HOME}/.config/mpv 27noblacklist ${HOME}/.config/mpv
15noblacklist ${HOME}/.config/youtube-dl 28noblacklist ${HOME}/.config/youtube-dl
16noblacklist ${HOME}/.netrc 29noblacklist ${HOME}/.netrc
@@ -36,12 +49,8 @@ mkfile ${HOME}/.netrc
36whitelist ${HOME}/.config/mpv 49whitelist ${HOME}/.config/mpv
37whitelist ${HOME}/.config/youtube-dl 50whitelist ${HOME}/.config/youtube-dl
38whitelist ${HOME}/.netrc 51whitelist ${HOME}/.netrc
39whitelist ${DESKTOP}
40whitelist ${DOWNLOADS}
41whitelist ${MUSIC}
42whitelist ${PICTURES}
43whitelist ${VIDEOS}
44include whitelist-common.inc 52include whitelist-common.inc
53include whitelist-players.inc
45whitelist /usr/share/lua 54whitelist /usr/share/lua
46whitelist /usr/share/lua* 55whitelist /usr/share/lua*
47whitelist /usr/share/vulkan 56whitelist /usr/share/vulkan
@@ -61,7 +70,7 @@ seccomp
61shell none 70shell none
62tracelog 71tracelog
63 72
64private-bin env,mpv,python*,youtube-dl 73private-bin env,mpv,python*,waf,youtube-dl
65# private-cache causes slow OSD, see #2838 74# private-cache causes slow OSD, see #2838
66#private-cache 75#private-cache
67private-dev 76private-dev
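Review bot: `waf` is added to `private-bin` (new line 73) without explanation; waf is mpv's build tool, so it is not obvious which runtime path inside the sandbox needs it, and an unexplained extra binary in private-bin tends to survive forever. If a Lua script or helper invokes it, a comment naming that would help: `# waf: needed by ...`. The new comment block (lines 14–25) has several typos — "powerfull" → "powerful", "some off these" → "some of these", "weaking" → "weakening" — and it would be worth adding that the suggested `noblacklist ${PATH}/sh` / `private-bin sh` re-enables a shell inside the sandbox, so it should only be added for scripts the user trusts.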
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
new file mode 100644
index 000000000..955df698d
--- /dev/null
+++ b/etc/profile-m-z/musictube.profile
@@ -0,0 +1,57 @@
1# Firejail profile for musictube
2# Description: Stream music
3# This file is overwritten after every install/update
4# Persistent local customizations
5include musictube.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/Flavio Tordini
10noblacklist ${HOME}/.config/Flavio Tordini
11noblacklist ${HOME}/.local/share/Flavio Tordini
12
13include disable-common.inc
14include disable-devel.inc
15include disable-exec.inc
16include disable-interpreters.inc
17include disable-passwdmgr.inc
18include disable-programs.inc
19include disable-shell.inc
20include disable-xdg.inc
21
22mkdir ${HOME}/.cache/Flavio Tordini
23mkdir ${HOME}/.config/Flavio Tordini
24mkdir ${HOME}/.local/share/Flavio Tordini
25whitelist ${HOME}/.cache/Flavio Tordini
26whitelist ${HOME}/.config/Flavio Tordini
27whitelist ${HOME}/.local/share/Flavio Tordini
28whitelist /usr/share/musictube
29include whitelist-common.inc
30include whitelist-runuser-common.inc
31include whitelist-usr-share-common.inc
32include whitelist-var-common.inc
33
34apparmor
35caps.drop all
36netfilter
37nodvd
38nogroups
39nonewprivs
40noroot
41notv
42nou2f
43novideo
44protocol unix,inet,inet6,netlink
45seccomp
46shell none
47tracelog
48
49disable-mnt
50private-bin musictube
51private-cache
52private-dev
53private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
54private-tmp
55
56dbus-user none
57dbus-system none
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile
new file mode 100644
index 000000000..ff292f409
--- /dev/null
+++ b/etc/profile-m-z/notify-send.profile
@@ -0,0 +1,60 @@
1# Firejail profile for notify-send
2# Description: a program to send desktop notifications
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include notify-send.local
7# Persistent global definitions
8include globals.local
9
10blacklist ${RUNUSER}/wayland-*
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-passwdmgr.inc
17include disable-programs.inc
18include disable-shell.inc
19include disable-write-mnt.inc
20include disable-xdg.inc
21
22include whitelist-common.inc
23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
26
27apparmor
28caps.drop all
29ipc-namespace
30machine-id
31net none
32no3d
33nodvd
34nogroups
35nonewprivs
36noroot
37nosound
38notv
39nou2f
40novideo
41protocol unix
42seccomp
43shell none
44tracelog
45x11 none
46
47disable-mnt
48private
49private-bin notify-send
50private-cache
51private-dev
52private-etc none
53private-tmp
54
55dbus-user filter
56dbus-user.talk org.freedesktop.Notifications
57dbus-system none
58
59memory-deny-write-execute
60read-only ${HOME}
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
new file mode 100644
index 000000000..3a235a677
--- /dev/null
+++ b/etc/profile-m-z/onboard.profile
@@ -0,0 +1,55 @@
1# Firejail profile for onboard
2# Description: On-screen keyboard
3# This file is overwritten after every install/update
4# Persistent local customizations
5include onboard.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/onboard
10
11include allow-python2.inc
12include allow-python3.inc
13
14include disable-common.inc
15include disable-devel.inc
16include disable-exec.inc
17include disable-interpreters.inc
18include disable-programs.inc
19include disable-passwdmgr.inc
20include disable-shell.inc
21include disable-xdg.inc
22
23mkdir ${HOME}/.config/onboard
24whitelist ${HOME}/.config/onboard
25whitelist /usr/share/onboard
26include whitelist-common.inc
27include whitelist-usr-share-common.inc
28include whitelist-runuser-common.inc
29include whitelist-var-common.inc
30
31apparmor
32caps.drop all
33machine-id
34net none
35nodvd
36no3d
37nogroups
38nonewprivs
39noroot
40notv
41nou2f
42novideo
43protocol unix
44seccomp
45shell none
46tracelog
47
48disable-mnt
49private-cache
50private-bin onboard,python*,tput
51private-dev
52private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
53private-tmp
54
55dbus-system none
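Review bot: The new profile never sets `dbus-user`, so the session bus stays fully reachable while only `dbus-system none` (line 55) is restricted; the other new profiles in this commit either close it or filter it. If onboard needs dconf (dconf is in private-etc on line 52), the least-privilege form is `dbus-user filter` plus `dbus-user.talk ca.desrt.dconf`; if it does not need the bus at all, add `dbus-user none`. Either way a one-line comment naming the bus names observed to be required would keep the next maintainer from reopening it. Minor: lines 18–19 list disable-programs.inc before disable-passwdmgr.inc, unlike the alphabetical order used elsewhere.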
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 45682fc31..88d5d0e1e 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -21,7 +21,7 @@ whitelist ${HOME}/.openarena
21whitelist /usr/share/openarena 21whitelist /usr/share/openarena
22include whitelist-common.inc 22include whitelist-common.inc
23include whitelist-runuser-common.inc 23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.in 24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc 25include whitelist-var-common.inc
26 26
27apparmor 27apparmor
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 66fdd6496..28a7da404 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -17,7 +17,18 @@ include disable-passwdmgr.inc
17include disable-programs.inc 17include disable-programs.inc
18include disable-xdg.inc 18include disable-xdg.inc
19 19
20#mkdir ${HOME}/.cache/peek
21#whitelist ${HOME}/.cache/peek
22#whitelist ${PICTURES}
23#whitelist ${VIDEOS}
24#include whitelist-common.inc
25include whitelist-runuser-common.inc
26include whitelist-usr-share-common.inc
27include whitelist-var-common.inc
28
29apparmor
20caps.drop all 30caps.drop all
31machine-id
21net none 32net none
22no3d 33no3d
23nodvd 34nodvd
@@ -31,13 +42,20 @@ novideo
31protocol unix 42protocol unix
32seccomp 43seccomp
33shell none 44shell none
45tracelog
34 46
35# private-bin breaks gif mode, mp4 and webm mode work fine however 47disable-mnt
36# private-bin convert,ffmpeg,peek 48private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
37private-dev 49private-dev
50private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
38private-tmp 51private-tmp
39 52
40dbus-user none 53dbus-user filter
54dbus-user.own com.uploadedlobster.peek
55dbus-user.talk ca.desrt.dconf
56dbus-user.talk org.freedesktop.FileManager1
57dbus-user.talk org.freedesktop.Notifications
58dbus-user.talk org.gnome.Shell.Screencast
41dbus-system none 59dbus-system none
42 60
43memory-deny-write-execute 61memory-deny-write-execute
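Review bot: The whitelist stanza (lines 20–24) is committed commented out with no reason, so the recorder sees the whole home directory while private-bin (line 48) also hands it bash, fish, sh and zsh; add the reason inline, e.g. `# whitelist disabled: breaks saving recordings to arbitrary folders — TODO confirm`, or re-enable it with only `${VIDEOS}`/`${PICTURES}`. `firejail` in the same private-bin line deserves a comment too: if peek shells out to ffmpeg through firejail that should be stated, otherwise it is an unnecessary extra binary inside the sandbox. Lines 53–58 replace a blanket `dbus-user none` with an explicit allow-list, which is the right shape for this change.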
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2e4215744..e81e78ca7 100644
--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -21,6 +21,8 @@ include disable-xdg.inc
21 21
22mkdir ${HOME}/.purple 22mkdir ${HOME}/.purple
23whitelist ${HOME}/.purple 23whitelist ${HOME}/.purple
24whitelist ${DOWNLOADS}
25whitelist ${PICTURES}
24include whitelist-common.inc 26include whitelist-common.inc
25include whitelist-usr-share-common.inc 27include whitelist-usr-share-common.inc
26include whitelist-var-common.inc 28include whitelist-var-common.inc
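Review bot: `whitelist ${PICTURES}` (line 25) grants read-write access to the whole Pictures folder to a client that receives files from remote contacts; if pidgin only needs to read images in order to send them, pair it with `read-only ${PICTURES}` and leave writes to `${DOWNLOADS}`. A short comment on why both folders are needed would help — if only file transfers are involved, `${DOWNLOADS}` alone may be enough. The rest of the whitelist block is outside the hunk.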
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
new file mode 100644
index 000000000..d3112ae95
--- /dev/null
+++ b/etc/profile-m-z/psi.profile
@@ -0,0 +1,78 @@
1# Firejail profile for psi
2# Description: Native XMPP client with GPG support
3# This file is overwritten after every install/update
4# Persistent local customizations
5include psi.local
6# Persistent global definitions
7include globals.local
8
9# Uncomment for GPG
10# noblacklist ${HOME}/.gnupg
11noblacklist ${HOME}/.cache/psi
12noblacklist ${HOME}/.cache/Psi
13noblacklist ${HOME}/.config/psi
14noblacklist ${HOME}/.local/share/psi
15noblacklist ${HOME}/.local/share/Psi
16
17include disable-common.inc
18include disable-devel.inc
19include disable-exec.inc
20include disable-interpreters.inc
21include disable-passwdmgr.inc
22include disable-programs.inc
23include disable-shell.inc
24include disable-xdg.inc
25
26# Uncomment for GPG
27# mkdir ${HOME}/.gnupg
28mkdir ${HOME}/.cache/psi
29mkdir ${HOME}/.cache/Psi
30mkdir ${HOME}/.config/psi
31mkdir ${HOME}/.local/share/psi
32mkdir ${HOME}/.local/share/Psi
33# Uncomment for GPG
34# whitelist ${HOME}/.gnupg
35whitelist ${HOME}/.cache/psi
36whitelist ${HOME}/.cache/Psi
37whitelist ${HOME}/.config/psi
38whitelist ${HOME}/.local/share/psi
39whitelist ${HOME}/.local/share/Psi
40whitelist ${DOWNLOADS}
41# Uncomment for GPG
42# whitelist /usr/share/gnupg
43# whitelist /usr/share/gnupg2
44whitelist /usr/share/psi
45# Uncomment for GPG
46# whitelist ${RUNUSER}/gnupg
47# whitelist ${RUNUSER}/keyring
48include whitelist-common.inc
49include whitelist-runuser-common.inc
50include whitelist-usr-share-common.inc
51include whitelist-var-common.inc
52
53apparmor
54caps.drop all
55netfilter
56nodvd
57nogroups
58nonewprivs
59noroot
60notv
61novideo
62nou2f
63protocol unix,inet,inet6,netlink
64seccomp !chroot
65shell none
66# breaks on Arch
67# tracelog
68
69disable-mnt
70# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
71private-bin getopt,psi
72private-cache
73private-dev
74private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
75private-tmp
76
77dbus-user none
78dbus-system none
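Review bot: `seccomp !chroot` (line 64) re-allows chroot without a comment saying which part of psi needs it; add e.g. `# chroot needed by … — TODO confirm` or drop the exception if it was copied from another profile. The `# Uncomment for GPG` hints (lines 9–10, 26–27, 33–34, 41–47, 70) are spread over five places; a single comment near the top pointing at psi.local with the full list would be easier to maintain. The `${RUNUSER}/gnupg` hint on line 46 should also warn that it presumably exposes the gpg-agent socket, i.e. lets the XMPP client sign or decrypt with any key the agent has cached, not merely read the keyring.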
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile
new file mode 100644
index 000000000..5e49a342a
--- /dev/null
+++ b/etc/profile-m-z/qrencode.profile
@@ -0,0 +1,58 @@
1# Firejail profile for qrencode
2# Description: Encode input data in a QR Code and save as a PNG or EPS image.
3# This file is overwritten after every install/update
4quiet
5# Persistent local customizations
6include qrencode.local
7# Persistent global definitions
8include globals.local
9
10blacklist ${RUNUSER}/wayland-*
11blacklist ${RUNUSER}
12
13include disable-common.inc
14include disable-devel.inc
15include disable-exec.inc
16include disable-interpreters.inc
17include disable-passwdmgr.inc
18include disable-programs.inc
19include disable-shell.inc
20include disable-write-mnt.inc
21include disable-xdg.inc
22
23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc
25include whitelist-var-common.inc
26
27apparmor
28caps.drop all
29ipc-namespace
30machine-id
31net none
32no3d
33nodvd
34nogroups
35nonewprivs
36noroot
37nosound
38notv
39nou2f
40novideo
41protocol unix
42seccomp
43shell none
44tracelog
45x11 none
46
47disable-mnt
48private-bin qrencode
49private-cache
50private-dev
51private-etc none
52private-lib libpcre2-8.so.0
53private-tmp
54
55dbus-user none
56dbus-system none
57
58memory-deny-write-execute
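Review bot: Line 11 `blacklist ${RUNUSER}` makes line 10 `blacklist ${RUNUSER}/wayland-*` redundant and turns line 23 `include whitelist-runuser-common.inc` into either a no-op or a conflict, since the whole runtime directory is blacklisted anyway; drop lines 10 and 23 so the intent — no session bus, no display, `x11 none` — is stated once. If firejail applies blacklists after whitelists (verify), line 23 is dead weight that will only confuse the next reader. `memory-deny-write-execute` and `private-etc none` on a pure CLI encoder are good calls.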
diff --git a/etc/profile-m-z/quaternion.profile b/etc/profile-m-z/quaternion.profile
new file mode 100644
index 000000000..2133c74d3
--- /dev/null
+++ b/etc/profile-m-z/quaternion.profile
@@ -0,0 +1,54 @@
1# Firejail profile for quaternion
2# Description: Desktop client for Matrix
3# This file is overwritten after every install/update
4# Persistent local customizations
5include quaternion.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/Quotient/quaternion
10noblacklist ${HOME}/.config/Quotient
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-passwdmgr.inc
17include disable-programs.inc
18include disable-shell.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.cache/Quotient/quaternion
22mkdir ${HOME}/.config/Quotient
23whitelist ${HOME}/.cache/Quotient/quaternion
24whitelist ${HOME}/.config/Quotient
25whitelist ${DOWNLOADS}
26whitelist /usr/share/Quotient/quaternion
27include whitelist-common.inc
28include whitelist-runuser-common.inc
29include whitelist-usr-share-common.inc
30include whitelist-var-common.inc
31
32apparmor
33caps.drop all
34netfilter
35nodvd
36nogroups
37nonewprivs
38noroot
39notv
40nou2f
41protocol unix,inet,inet6,netlink
42seccomp
43shell none
44tracelog
45
46disable-mnt
47private-bin quaternion
48private-cache
49private-dev
50private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
51private-tmp
52
53dbus-user none
54dbus-system none
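Review bot: The profile has no `novideo` although line 2 describes a text-chat Matrix client, and psi.profile in the same commit drops video for a comparable client; unless Quaternion has call support, add `novideo` after `notv` (line 39). `dbus-user none` (line 53) also means no desktop notifications; if that is intentional say so in a one-liner, otherwise `dbus-user filter` plus `dbus-user.talk org.freedesktop.Notifications` is the least-privilege alternative — TODO confirm what the client actually uses. The private-etc list on line 50 is identical to spectral.profile; a comment noting the two are kept in sync would help.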
diff --git a/etc/profile-m-z/redeclipse.profile b/etc/profile-m-z/redeclipse.profile
index bb1ad56d3..a29205e14 100644
--- a/etc/profile-m-z/redeclipse.profile
+++ b/etc/profile-m-z/redeclipse.profile
@@ -14,10 +14,14 @@ include disable-exec.inc
14include disable-interpreters.inc 14include disable-interpreters.inc
15include disable-passwdmgr.inc 15include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-xdg.inc
17 18
18mkdir ${HOME}/.redeclipse 19mkdir ${HOME}/.redeclipse
19whitelist ${HOME}/.redeclipse 20whitelist ${HOME}/.redeclipse
21whitelist /usr/share/redeclipse
20include whitelist-common.inc 22include whitelist-common.inc
23include whitelist-runuser-common.inc
24include whitelist-usr-share-common.inc
21include whitelist-var-common.inc 25include whitelist-var-common.inc
22 26
23caps.drop all 27caps.drop all
@@ -32,8 +36,13 @@ novideo
32protocol unix,inet,inet6 36protocol unix,inet,inet6
33seccomp 37seccomp
34shell none 38shell none
39tracelog
35 40
36disable-mnt 41disable-mnt
42#private-bin redeclipse,sh,man
43private-cache
37private-dev 44private-dev
38private-tmp 45private-tmp
39 46
47dbus-user none
48dbus-system none
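Review bot: `#private-bin redeclipse,sh,man` (line 42) is added already commented out with no reason; either state why (e.g. the launcher script needs additional binaries — TODO confirm) or leave it out, since a dead line reads as a hardening that was tried and silently abandoned. The added `tracelog` and `dbus-* none` lines are straightforward.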
diff --git a/etc/profile-m-z/rhythmbox.profile b/etc/profile-m-z/rhythmbox.profile
index b76f2b947..f906ec31d 100644
--- a/etc/profile-m-z/rhythmbox.profile
+++ b/etc/profile-m-z/rhythmbox.profile
@@ -14,6 +14,9 @@ noblacklist ${HOME}/.local/share/rhythmbox
14include allow-python2.inc 14include allow-python2.inc
15include allow-python3.inc 15include allow-python3.inc
16 16
17# Allow lua (blacklisted by disable-interpreters.inc)
18include allow-lua.inc
19
17include disable-common.inc 20include disable-common.inc
18include disable-devel.inc 21include disable-devel.inc
19include disable-exec.inc 22include disable-exec.inc
@@ -26,6 +29,7 @@ include disable-xdg.inc
26whitelist /usr/share/rhythmbox 29whitelist /usr/share/rhythmbox
27whitelist /usr/share/lua 30whitelist /usr/share/lua
28whitelist /usr/share/libquvi-scripts 31whitelist /usr/share/libquvi-scripts
32whitelist /usr/share/tracker
29include whitelist-runuser-common.inc 33include whitelist-runuser-common.inc
30include whitelist-usr-share-common.inc 34include whitelist-usr-share-common.inc
31include whitelist-var-common.inc 35include whitelist-var-common.inc
@@ -54,6 +58,6 @@ dbus-user.own org.mpris.MediaPlayer2.rhythmbox
54dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox 58dbus-user.own org.gnome.UPnP.MediaServer2.Rhythmbox
55dbus-user.talk ca.desrt.dconf 59dbus-user.talk ca.desrt.dconf
56dbus-user.talk org.freedesktop.Notifications 60dbus-user.talk org.freedesktop.Notifications
57dbus-system none 61dbus-user.talk org.gnome.SettingsDaemon.MediaKeys
58dbus-system filter 62dbus-system filter
59dbus-system.talk org.freedesktop.Avahi 63dbus-system.talk org.freedesktop.Avahi
diff --git a/etc/profile-m-z/smplayer.profile b/etc/profile-m-z/smplayer.profile
index 3fb6fc349..8ffc47ff6 100644
--- a/etc/profile-m-z/smplayer.profile
+++ b/etc/profile-m-z/smplayer.profile
@@ -10,7 +10,7 @@ noblacklist ${HOME}/.config/smplayer
10noblacklist ${HOME}/.config/youtube-dl 10noblacklist ${HOME}/.config/youtube-dl
11noblacklist ${HOME}/.mplayer 11noblacklist ${HOME}/.mplayer
12 12
13# Allow python (blacklisted by disable-interpreters.inc) 13include allow-lua.inc
14include allow-python2.inc 14include allow-python2.inc
15include allow-python3.inc 15include allow-python3.inc
16 16
@@ -26,7 +26,9 @@ include disable-programs.inc
26include disable-shell.inc 26include disable-shell.inc
27include disable-xdg.inc 27include disable-xdg.inc
28 28
29whitelist /usr/share/lua*
29whitelist /usr/share/smplayer 30whitelist /usr/share/smplayer
31whitelist /usr/share/vulkan
30include whitelist-usr-share-common.inc 32include whitelist-usr-share-common.inc
31include whitelist-var-common.inc 33include whitelist-var-common.inc
32 34
@@ -41,7 +43,7 @@ protocol unix,inet,inet6,netlink
41seccomp 43seccomp
42shell none 44shell none
43 45
44private-bin env,mplayer,mpv,python*,smplayer,smtube,youtube-dl 46private-bin env,mplayer,mpv,python*,smplayer,smtube,waf,youtube-dl
45private-dev 47private-dev
46private-tmp 48private-tmp
47 49
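Review bot: `waf` in private-bin (line 46) is the name of a build tool, not something a media player should invoke at runtime; if an smplayer or mpv wrapper really execs it, say so in a comment, otherwise drop it. Replacing the comment `# Allow python (blacklisted by disable-interpreters.inc)` with `include allow-lua.inc` (line 13) removes the explanation; keep one comment covering both, e.g. `# Allow lua and python (blacklisted by disable-interpreters.inc)`, as rhythmbox.profile does in this same commit. `whitelist /usr/share/lua*` (line 29) uses a glob where rhythmbox whitelists `/usr/share/lua` exactly; pick one form.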
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
new file mode 100644
index 000000000..541e5a1c4
--- /dev/null
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -0,0 +1,55 @@
1# Firejail profile for smuxi-frontend-gnome
2# Description: Multi protocol chat client with Twitter support
3# This file is overwritten after every install/update
4# Persistent local customizations
5include smuxi-frontend-gnome.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/smuxi
10noblacklist ${HOME}/.config/smuxi
11noblacklist ${HOME}/.local/share/smuxi
12
13include disable-common.inc
14include disable-devel.inc
15include disable-exec.inc
16include disable-interpreters.inc
17include disable-passwdmgr.inc
18include disable-programs.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.cache/smuxi
22mkdir ${HOME}/.config/smuxi
23mkdir ${HOME}/.local/share/smuxi
24whitelist ${HOME}/.cache/smuxi
25whitelist ${HOME}/.config/smuxi
26whitelist ${HOME}/.local/share/smuxi
27whitelist ${DOWNLOADS}
28include whitelist-common.inc
29include whitelist-runuser-common.inc
30include whitelist-usr-share-common.inc
31include whitelist-var-common.inc
32
33apparmor
34caps.drop all
35netfilter
36nodvd
37nogroups
38nonewprivs
39noroot
40notv
41nou2f
42protocol unix,inet,inet6,netlink
43seccomp
44shell none
45tracelog
46
47disable-mnt
48private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
49private-cache
50private-dev
51private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
52private-tmp
53
54dbus-user none
55dbus-system none
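Review bot: private-bin (line 48) ships `bash`, `sh` and the `mono`/`mono-sgen` runtimes, and `disable-shell.inc` is deliberately absent from lines 13–19, but nothing in the file says why; a comment like `# smuxi-frontend-gnome is a shell wrapper that execs mono — TODO confirm` would stop a later cleanup from re-adding `include disable-shell.inc` and breaking the launch. With a JIT runtime inside the sandbox, `memory-deny-write-execute` is rightly absent, and that is worth a note as well.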
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
new file mode 100644
index 000000000..d7f94e144
--- /dev/null
+++ b/etc/profile-m-z/spectral.profile
@@ -0,0 +1,53 @@
1# Firejail profile for spectral
2# Description: Desktop client for Matrix
3# This file is overwritten after every install/update
4# Persistent local customizations
5include spectral.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.cache/ENCOM/Spectral
10noblacklist ${HOME}/.config/ENCOM
11
12include disable-common.inc
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-passwdmgr.inc
17include disable-programs.inc
18include disable-shell.inc
19include disable-xdg.inc
20
21mkdir ${HOME}/.cache/ENCOM/Spectral
22mkdir ${HOME}/.config/ENCOM
23whitelist ${HOME}/.cache/ENCOM/Spectral
24whitelist ${HOME}/.config/ENCOM
25whitelist ${DOWNLOADS}
26include whitelist-common.inc
27include whitelist-runuser-common.inc
28include whitelist-usr-share-common.inc
29include whitelist-var-common.inc
30
31apparmor
32caps.drop all
33netfilter
34nodvd
35nogroups
36nonewprivs
37noroot
38notv
39nou2f
40protocol unix,inet,inet6,netlink
41seccomp
42shell none
43tracelog
44
45disable-mnt
46private-cache
47private-bin spectral
48private-dev
49private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
50private-tmp
51
52dbus-user none
53dbus-system none
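Review bot: Same shape as quaternion.profile in this commit, but `private-cache`/`private-bin` are in the opposite order (lines 46–47) and, like quaternion, there is no `novideo`; add `novideo` unless Spectral supports calls, and keep the two profiles' ordering identical so a future diff between them shows only real differences. `noblacklist ${HOME}/.config/ENCOM` (line 10) and the matching whitelist expose the whole vendor directory, which is fine only if Spectral is the sole ENCOM application on the system.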
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index ce69c8b4b..40b996794 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -27,6 +27,7 @@ whitelist ${HOME}/.cache/supertuxkart
27whitelist ${HOME}/.local/share/supertuxkart 27whitelist ${HOME}/.local/share/supertuxkart
28whitelist /usr/share/supertuxkart 28whitelist /usr/share/supertuxkart
29include whitelist-common.inc 29include whitelist-common.inc
30include whitelist-runuser-common.inc
30include whitelist-usr-share-common.inc 31include whitelist-usr-share-common.inc
31include whitelist-var-common.inc 32include whitelist-var-common.inc
32 33
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile
index 8e0741458..4100a9572 100644
--- a/etc/profile-m-z/telegram.profile
+++ b/etc/profile-m-z/telegram.profile
@@ -20,7 +20,7 @@ nodvd
20nonewprivs 20nonewprivs
21noroot 21noroot
22notv 22notv
23protocol unix,inet,inet6 23protocol unix,inet,inet6,netlink
24seccomp 24seccomp
25 25
26disable-mnt 26disable-mnt
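Review bot: Adding `netlink` to `protocol` (line 23) widens the allowed socket families without a comment; if it is for interface enumeration (getifaddrs) or Qt's network-status probing, say so — `# netlink: needed for getifaddrs() — TODO confirm` — so it is not silently removed again during a later tightening.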
diff --git a/etc/profile-m-z/totem.profile b/etc/profile-m-z/totem.profile
index abbbba6c3..7bb2f3e2d 100644
--- a/etc/profile-m-z/totem.profile
+++ b/etc/profile-m-z/totem.profile
@@ -28,12 +28,11 @@ mkdir ${HOME}/.config/totem
28mkdir ${HOME}/.local/share/totem 28mkdir ${HOME}/.local/share/totem
29whitelist ${HOME}/.config/totem 29whitelist ${HOME}/.config/totem
30whitelist ${HOME}/.local/share/totem 30whitelist ${HOME}/.local/share/totem
31whitelist ${DESKTOP} 31whitelist /usr/share/totem
32whitelist ${DOWNLOADS}
33whitelist ${MUSIC}
34whitelist ${PICTURES}
35whitelist ${VIDEOS}
36include whitelist-common.inc 32include whitelist-common.inc
33include whitelist-players.inc
34include whitelist-runuser-common.inc
35include whitelist-usr-share-common.inc
37include whitelist-var-common.inc 36include whitelist-var-common.inc
38 37
39# apparmor - makes settings immutable 38# apparmor - makes settings immutable
@@ -57,4 +56,4 @@ private-tmp
57 56
58# makes settings immutable 57# makes settings immutable
59# dbus-user none 58# dbus-user none
60# dbus-system none 59dbus-system none
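Review bot: Lines 31–35 replace five explicit whitelists (`${DESKTOP}`, `${DOWNLOADS}`, `${MUSIC}`, `${PICTURES}`, `${VIDEOS}`) with `include whitelist-players.inc`, whose content is not in this hunk; confirm the include covers the same set, otherwise this is a silent change in what the sandbox exposes (notably `${DESKTOP}`). Uncommenting `dbus-system none` on line 59 while `dbus-user none` on line 58 stays off is reasonable, but the `# makes settings immutable` comment above now applies only to the user bus; reword it, e.g. `# dbus-user none makes settings immutable`.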
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile
new file mode 100644
index 000000000..a8641af85
--- /dev/null
+++ b/etc/profile-m-z/trojita.profile
@@ -0,0 +1,63 @@
1# Firejail profile for trojita
2# Description: Qt mail client
3# This file is overwritten after every install/update
4# Persistent local customizations
5include trojita.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.abook
10noblacklist ${HOME}/.mozilla
11noblacklist ${HOME}/.cache/flaska.net/trojita
12noblacklist ${HOME}/.config/flaska.net
13
14include disable-common.inc
15include disable-devel.inc
16include disable-exec.inc
17include disable-interpreters.inc
18include disable-passwdmgr.inc
19include disable-programs.inc
20include disable-shell.inc
21include disable-xdg.inc
22
23mkdir ${HOME}/.abook
24mkdir ${HOME}/.cache/flaska.net/trojita
25mkdir ${HOME}/.config/flaska.net
26whitelist ${HOME}/.abook
27whitelist ${HOME}/.mozilla/firefox/profiles.ini
28whitelist ${HOME}/.cache/flaska.net/trojita
29whitelist ${HOME}/.config/flaska.net
30include whitelist-common.inc
31include whitelist-runuser-common.inc
32include whitelist-usr-share-common.inc
33include whitelist-var-common.inc
34
35apparmor
36caps.drop all
37netfilter
38no3d
39nodvd
40nogroups
41nonewprivs
42noroot
43nosound
44notv
45nou2f
46novideo
47protocol unix,inet,inet6,netlink
48seccomp
49shell none
50tracelog
51
52# disable-mnt
53# Add "ignore private-bin" for hyperlinks or have a look at the private-bins in firefox.profile and firefox-common.profile.
54private-bin trojita
55private-cache
56private-dev
57private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg
58private-tmp
59
60dbus-user none
61dbus-system none
62
63read-only ${HOME}/.mozilla/firefox/profiles.ini
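Review bot: `# disable-mnt` (line 52) is shipped commented out with no reason, leaving /mnt, /media and /run/mount visible to a mail client; either enable it or add the reason (e.g. attachments from removable media — TODO confirm). The `profiles.ini` whitelist (lines 27, 63) is a neat minimal exposure for link handling and `read-only` is the right complement; the comment on line 53 could name the exact `ignore private-bin` placement in trojita.local so users do not copy the whole firefox private-bin list.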
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile
new file mode 100644
index 000000000..3c50344f1
--- /dev/null
+++ b/etc/profile-m-z/twitch.profile
@@ -0,0 +1,36 @@
1# Firejail profile for twitch
2# Description: Unofficial electron based desktop warpper for Twitch
3# This file is overwritten after every install/update
4# Persistent local customizations
5include twitch.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/Twitch
10
11include disable-devel.inc
12include disable-exec.inc
13include disable-interpreters.inc
14include disable-shell.inc
15include disable-xdg.inc
16
17mkdir ${HOME}/.config/Twitch
18whitelist ${HOME}/.config/Twitch
19include whitelist-common.inc
20include whitelist-runuser-common.inc
21include whitelist-usr-share-common.inc
22include whitelist-var-common.inc
23
24seccomp !chroot
25shell none
26
27disable-mnt
28private-bin twitch
29private-cache
30private-dev
31private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
32private-opt Twitch
33private-tmp
34
35# Redirect
36include electron.profile
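Review bot: Unlike youtube.profile and youtubemusic-nativefier.profile in this commit, this wrapper sets neither `novideo` nor `nou2f` (lines 24–25), although a Twitch viewer has no obvious need for the camera or a security token; add both unless streaming from the webcam is a supported feature. Typo in the Description on line 2: `warpper` → `wrapper` (the same typo is in the youtube profiles).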
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile
index 12bef5d1f..7a49ad88a 100644
--- a/etc/profile-m-z/virtualbox.profile
+++ b/etc/profile-m-z/virtualbox.profile
@@ -26,6 +26,7 @@ mkdir ${HOME}/VirtualBox VMs
26whitelist ${HOME}/.config/VirtualBox 26whitelist ${HOME}/.config/VirtualBox
27whitelist ${HOME}/VirtualBox VMs 27whitelist ${HOME}/VirtualBox VMs
28whitelist ${DOWNLOADS} 28whitelist ${DOWNLOADS}
29whitelist /usr/share/virtualbox
29include whitelist-common.inc 30include whitelist-common.inc
30include whitelist-runuser-common.inc 31include whitelist-runuser-common.inc
31include whitelist-usr-share-common.inc 32include whitelist-usr-share-common.inc
diff --git a/etc/profile-m-z/vlc.profile b/etc/profile-m-z/vlc.profile
index 07a1b5fc0..fc8efe089 100644
--- a/etc/profile-m-z/vlc.profile
+++ b/etc/profile-m-z/vlc.profile
@@ -8,6 +8,7 @@ include globals.local
8 8
9noblacklist ${HOME}/.cache/vlc 9noblacklist ${HOME}/.cache/vlc
10noblacklist ${HOME}/.config/vlc 10noblacklist ${HOME}/.config/vlc
11noblacklist ${HOME}/.config/aacs
11noblacklist ${HOME}/.local/share/vlc 12noblacklist ${HOME}/.local/share/vlc
12 13
13include disable-common.inc 14include disable-common.inc
@@ -23,13 +24,10 @@ mkdir ${HOME}/.config/vlc
23mkdir ${HOME}/.local/share/vlc 24mkdir ${HOME}/.local/share/vlc
24whitelist ${HOME}/.cache/vlc 25whitelist ${HOME}/.cache/vlc
25whitelist ${HOME}/.config/vlc 26whitelist ${HOME}/.config/vlc
27whitelist ${HOME}/.config/aacs
26whitelist ${HOME}/.local/share/vlc 28whitelist ${HOME}/.local/share/vlc
27whitelist ${DESKTOP}
28whitelist ${DOWNLOADS}
29whitelist ${MUSIC}
30whitelist ${PICTURES}
31whitelist ${VIDEOS}
32include whitelist-common.inc 29include whitelist-common.inc
30include whitelist-players.inc
33include whitelist-var-common.inc 31include whitelist-var-common.inc
34 32
35#apparmor - on Ubuntu 18.04 it refuses to start without dbus access 33#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
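Review bot: The new `${HOME}/.config/aacs` whitelist (lines 11, 27) exposes the Blu-ray key database read-write; if libaacs only reads KEYDB.cfg, add `read-only ${HOME}/.config/aacs` so a compromised player cannot tamper with it — TODO confirm whether libaacs writes there. Lines 29–30 replace the explicit `${DESKTOP}`/`${DOWNLOADS}`/`${MUSIC}`/`${PICTURES}`/`${VIDEOS}` whitelists with `include whitelist-players.inc`, whose body is not in this hunk; check it matches the removed set.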
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index 720b69773..493c53936 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -34,6 +34,6 @@ shell none
34tracelog 34tracelog
35 35
36#disable-mnt 36#disable-mnt
37private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix 37#private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
38dbus-user none 38dbus-user none
39dbus-system none 39dbus-system none
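Review bot: Commenting out `private-etc` (line 37) hands the entire host /etc to the VMware sandbox, a noticeable loosening, and the hunk gives no reason; add a comment naming what broke or which entry was missing, e.g. `# private-etc disabled: breaks … — TODO`, so the list can be fixed rather than abandoned. If only one or two files were missing, extending the list is the better fix than removing it.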
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile
index d8cd5557e..178e0c7b1 100644
--- a/etc/profile-m-z/warsow.profile
+++ b/etc/profile-m-z/warsow.profile
@@ -24,7 +24,10 @@ mkdir ${HOME}/.cache/warsow-2.1
24mkdir ${HOME}/.local/share/warsow-2.1 24mkdir ${HOME}/.local/share/warsow-2.1
25whitelist ${HOME}/.cache/warsow-2.1 25whitelist ${HOME}/.cache/warsow-2.1
26whitelist ${HOME}/.local/share/warsow-2.1 26whitelist ${HOME}/.local/share/warsow-2.1
27whitelist /usr/share/warsow
27include whitelist-common.inc 28include whitelist-common.inc
29include whitelist-runuser-common.inc
30include whitelist-usr-share-common.inc
28include whitelist-var-common.inc 31include whitelist-var-common.inc
29 32
30caps.drop all 33caps.drop all
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile
index 8f6014dc3..d265c6bae 100644
--- a/etc/profile-m-z/wire-desktop.profile
+++ b/etc/profile-m-z/wire-desktop.profile
@@ -27,7 +27,7 @@ seccomp !chroot
27shell none 27shell none
28 28
29disable-mnt 29disable-mnt
30private-bin bash,electron,electron4,electron6,env,sh,wire-desktop 30private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
31private-dev 31private-dev
32private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl 32private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
33private-tmp 33private-tmp
diff --git a/etc/profile-m-z/xournalpp.profile b/etc/profile-m-z/xournalpp.profile
new file mode 100644
index 000000000..03deb514a
--- /dev/null
+++ b/etc/profile-m-z/xournalpp.profile
@@ -0,0 +1,26 @@
1# Firejail profile for xournalpp
2# Description: Handwriting note-taking software with PDF annotation support
3# This file is overwritten after every install/update
4# Persistent local customizations
5include xournalpp.local
6# Persistent global definitions
7# added by included profile
8#include globals.local
9
10noblacklist ${HOME}/.xournalpp
11
12whitelist /usr/share/texlive
13whitelist /usr/share/xournalpp
14whitelist /var/lib/texmf
15include whitelist-runuser-common.inc
16
17#mkdir ${HOME}/.xournalpp
18#whitelist ${HOME}/.xournalpp
19#whitelist ${DOCUMENTS}
20#include whitelist-common.inc
21
22private-bin kpsewhich,pdflatex,xournalpp
23private-etc latexmk.conf,texlive
24
25# Redirect
26include xournal.profile
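Review bot: The home whitelist block (lines 17–20) is committed commented out without a reason, so `pdflatex` (private-bin, line 22) runs with the whole home directory visible; add the reason (e.g. documents are opened from arbitrary paths — TODO confirm) or enable it with `${DOCUMENTS}`. Also, the `private-etc` on line 23 comes on top of whatever xournal.profile (line 26) declares; confirm firejail merges repeated `private-etc` lines rather than letting the last one win, otherwise one of the two lists is silently discarded.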
diff --git a/etc/profile-m-z/xplayer.profile b/etc/profile-m-z/xplayer.profile
index 555d8e9a4..d22d04818 100644
--- a/etc/profile-m-z/xplayer.profile
+++ b/etc/profile-m-z/xplayer.profile
@@ -24,12 +24,8 @@ mkdir ${HOME}/.config/xplayer
24mkdir ${HOME}/.local/share/xplayer 24mkdir ${HOME}/.local/share/xplayer
25whitelist ${HOME}/.config/xplayer 25whitelist ${HOME}/.config/xplayer
26whitelist ${HOME}/.local/share/xplayer 26whitelist ${HOME}/.local/share/xplayer
27whitelist ${DESKTOP}
28whitelist ${DOWNLOADS}
29whitelist ${MUSIC}
30whitelist ${PICTURES}
31whitelist ${VIDEOS}
32include whitelist-common.inc 27include whitelist-common.inc
28include whitelist-players.inc
33include whitelist-var-common.inc 29include whitelist-var-common.inc
34 30
35# apparmor - makes settings immutable 31# apparmor - makes settings immutable
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile
new file mode 100644
index 000000000..a6c7750a9
--- /dev/null
+++ b/etc/profile-m-z/youtube.profile
@@ -0,0 +1,37 @@
1# Firejail profile for youtube
2# Description: Unofficial electron based desktop warpper for YouTube
3# This file is overwritten after every install/update
4# Persistent local customizations
5include youtube.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/Youtube
10
11include disable-devel.inc
12include disable-exec.inc
13include disable-interpreters.inc
14include disable-shell.inc
15include disable-xdg.inc
16
17mkdir ${HOME}/.config/Youtube
18whitelist ${HOME}/.config/Youtube
19include whitelist-common.inc
20include whitelist-runuser-common.inc
21include whitelist-usr-share-common.inc
22include whitelist-var-common.inc
23
24novideo
25seccomp !chroot
26shell none
27
28disable-mnt
29private-bin youtube
30private-cache
31private-dev
32private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
33private-opt Youtube
34private-tmp
35
36# Redirect
37include electron.profile
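Review bot: The profile sets `novideo` (line 24) but not `nou2f`, while youtubemusic-nativefier.profile in this commit sets both; add `nou2f` next to line 24 for consistency. Typo on line 2: `warpper` → `wrapper`.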
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile
new file mode 100644
index 000000000..3a94a5707
--- /dev/null
+++ b/etc/profile-m-z/youtubemusic-nativefier.profile
@@ -0,0 +1,38 @@
1# Firejail profile for youtubemusic-nativefier
2# Description: Unofficial electron based desktop warpper for YouTube Music
3# This file is overwritten after every install/update
4# Persistent local customizations
5include youtube.local
6# Persistent global definitions
7include globals.local
8
9noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
10
11include disable-devel.inc
12include disable-exec.inc
13include disable-interpreters.inc
14include disable-shell.inc
15include disable-xdg.inc
16
17mkdir ${HOME}/.config/youtubemusic-nativefier-040164
18whitelist ${HOME}/.config/youtubemusic-nativefier-040164
19include whitelist-common.inc
20include whitelist-runuser-common.inc
21include whitelist-usr-share-common.inc
22include whitelist-var-common.inc
23
24nou2f
25novideo
26seccomp !chroot
27shell none
28
29disable-mnt
30private-bin youtubemusic-nativefier
31private-cache
32private-dev
33private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
34private-opt youtubemusic-nativefier
35private-tmp
36
37# Redirect
38include electron.profile
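Review bot: Line 5 `include youtube.local` points at another profile's customization file; the comment on line 4 says this is the per-profile local file, so it should be `include youtubemusic-nativefier.local` — as written, a user's youtube.local silently applies here and a youtubemusic-nativefier.local is never read. The suffix in `${HOME}/.config/youtubemusic-nativefier-040164` (lines 9, 17–18) looks installation-specific; a comment saying where it comes from would help. Typo on line 2: `warpper`.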
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile
new file mode 100644
index 000000000..5c37b838b
--- /dev/null
+++ b/etc/profile-m-z/ytmdesktop.profile
@@ -0,0 +1,39 @@
1# Firejail profile for ytmdesktop
2# Description: Unofficial electron based desktop warpper for YouTube Music
3# This file is overwritten after every install/update
4# Persistent local customizations
5include youtube.local
6# Persistent global definitions
7include globals.local
8
9ignore dbus-user none
10
11noblacklist ${HOME}/.config/youtube-music-desktop-app
12
13include disable-devel.inc
14include disable-exec.inc
15include disable-interpreters.inc
16include disable-xdg.inc
17
18mkdir ${HOME}/.config/youtube-music-desktop-app
19whitelist ${HOME}/.config/youtube-music-desktop-app
20include whitelist-common.inc
21include whitelist-runuser-common.inc
22include whitelist-usr-share-common.inc
23include whitelist-var-common.inc
24
25nou2f
26novideo
27seccomp !chroot
28shell none
29
30disable-mnt
31# private-bin env,ytmdesktop
32private-cache
33private-dev
34private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
35# private-opt
36private-tmp
37
38# Redirect
39include electron.profile
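Review bot: Line 5 `include youtube.local` should be `include ytmdesktop.local`, otherwise this profile cannot be customized on its own and inherits youtube's overrides. Line 9 `ignore dbus-user none` reopens the full session bus that the included electron.profile presumably closes, with no comment; prefer `dbus-user filter` with the specific names needed (e.g. `dbus-user.talk org.freedesktop.Notifications`, plus an `own` for an MPRIS name if that is the reason) or at least document why the bus must be open. Unlike the sibling profiles, `disable-shell.inc` is not included and `private-bin` is commented out (line 31), again without a stated reason.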
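--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -110,6 +110,7 @@ include globals.local
 #include disable-passwdmgr.inc
 #include disable-programs.inc
 #include disable-shell.inc
+#include disable-write-mnt.inc
 #include disable-xdg.inc
 
 # This section often mirrors noblacklist section above. The idea is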
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index ea3b5a6b0..c454887dd 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
33@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime 33@clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
34@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old 34@cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
35@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext 35@debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
36@default=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup 36@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
37@default-nodebuggers=@default,ptrace,personality,process_vm_readv 37@default-nodebuggers=@default,ptrace,personality,process_vm_readv
38@default-keep=execve,prctl 38@default-keep=execve,prctl
39@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes 39@file-system=access,chdir,chmod,close,creat,faccessat,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes
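Review bot: The new `@default` line 36 still carries `set_mempolicyvmsplice`, a missing comma between `set_mempolicy` and `vmsplice` inherited from the old side, so anyone reading this list as the authoritative definition sees neither syscall blocked; it should read `set_mempolicy,vmsplice`. The same line now drops the explicit `chroot,mount,pivot_root,umount,umount2` in favour of `@mount`, but the `@mount` definition is not in this hunk, so it is worth confirming it covers exactly those five calls — the new profiles in this commit rely on `seccomp !chroot`, which only has an effect if `chroot` is still reached through `@default`.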
@@ -62,15 +62,14 @@ Inheritance of groups
62 62
63+---------------+ 63+---------------+
64| @default-keep | 64| @default-keep |
65| @mount |
66+---------------+ 65+---------------+
67 66
68+----------------+ +---------+ +--------+ +--------------+ 67+----------------+ +---------+ +--------+ +--------------+
69| @cpu-emulation | | @clock | | @chown | | @aio | 68| @cpu-emulation | | @clock | | @chown | | @aio |
70| @debug | | @module | +--------+ | @basic-io | 69| @debug | | @module | +--------+ | @basic-io |
71| @obsolete | | @raw-io | : : | @file-system | 70| @obsolete | | @raw-io | : : | @file-system |
72+----------------+ | @reboot | : : | @io-event | 71| @mount | | @reboot | : : | @io-event |
73 : | @swap | : : | @ipc | 72+----------------+ | @swap | : : | @ipc |
74 : +---------+ : : | @keyring | 73 : +---------+ : : | @keyring |
75 : : : : : | @memlock | 74 : : : : : | @memlock |
76 : ..............: : : : | @network-io | 75 : ..............: : : : | @network-io |