Diffstat (limited to 'etc')
89 files changed, 817 insertions, 161 deletions
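--- /dev/null
+++ b/etc/code-oss.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for Visual Studio Code
+# This file is overwritten after every install/update
+# Persistent local customizations
+include code-oss.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include code.profile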
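--- a/etc/code.profile
+++ b/etc/code.profile
@@ -8,6 +8,7 @@ include globals.local
 noblacklist ${HOME}/.vscode
 noblacklist ${HOME}/.vscode-oss
 noblacklist ${HOME}/.config/Code
+noblacklist ${HOME}/.config/Code - OSS
 
 include disable-common.inc
 include disable-passwdmgr.inc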
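--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -41,6 +41,6 @@ private-etc alternatives,fonts
 private-lib
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp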
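Review bot: `memory-deny-write-execute` is commented out here with no reason given, and the same bare `# memory-deny-write-execute` appears in the eog, file-roller and gnome-calculator sections of this commit. Other profiles in the same change record why the option is off (evince links issue 1803, ffmpeg says it breaks old versions), which lets a later maintainer judge when the restriction on writable-and-executable memory can be restored. I would write the line as `# memory-deny-write-execute - breaks <application or library>, see <issue link>` in each of the four profiles. The profile starts above this hunk, so anything that already explains the change there is not visible here.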
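--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -62,6 +62,7 @@ blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/BraveSoftware
 blacklist ${HOME}/.config/Clementine
 blacklist ${HOME}/.config/Code
+blacklist ${HOME}/.config/Code - OSS
 blacklist ${HOME}/.config/Code Industry
 blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Enox
@@ -238,6 +239,7 @@ blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
+blacklist ${HOME}/.config/pragha
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -562,6 +564,7 @@ blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
+blacklist ${HOME}/.tor-browser_*
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknown-horizons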
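--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -32,5 +32,4 @@ private-dev
 private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
-noexec ${HOME}
 noexec /tmp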
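--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -45,6 +45,6 @@ private-etc alternatives,fonts
 private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp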
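--- a/etc/evince-previewer.profile
+++ b/etc/evince-previewer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-previewer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect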
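--- a/etc/evince-thumbnailer.profile
+++ b/etc/evince-thumbnailer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-thumbnailer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect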
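--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -20,7 +20,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none breaks AppArmor on Ubuntu systems
+# net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodbus
@@ -38,13 +38,12 @@ shell none
 tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,group,machine-id,passwd
-
 private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
-
 private-tmp
 
-#memory-deny-write-execute - breaks application on Archlinux, issue 1803
+# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
 noexec ${HOME}
 noexec /tmp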
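--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -7,28 +7,35 @@ include ffmpeg.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+ipc-namespace
 machine-id
-net none
+netfilter
+# no3d might break HW accelerated de/encoding - comment when appropriate
 no3d
 nodbus
 nodvd
+nogroups
+nonewprivs
+noroot
 nosound
 notv
 nou2f
 novideo
-nonewprivs
+protocol inet,inet6
-noroot
-# protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
 shell none
@@ -37,6 +44,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
+private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg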
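Review bot: Replacing `net none` with `netfilter` plus `protocol inet,inet6` in the first hunk gives every ffmpeg run network access, and no comment says why or how to turn it back off. ffmpegthumbnailer.profile and ffprobe.profile, added in this commit, redirect here and so inherit the network as well, although they presumably work on local files that may be untrusted. I would add a comment above `netfilter`, for example `# Network is allowed for streaming; put 'net none' in ffmpeg.local for local-only use`, and consider whether the thumbnailer and prober profiles need the network at all. The new `private-etc` line in the second hunk lists resolver and certificate files and should be kept in step with whichever choice is made.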
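--- /dev/null
+++ b/etc/ffmpegthumbnailer.profile
@@ -0,0 +1,15 @@
+# Firejail profile for ffmpegthumbnailer
+# Description: FFmpeg-based video thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ffmpegthumbnailer.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffmpegthumbnailer
+private-lib libffmpegthumbnailer.so.*
+
+
+# Redirect
+include ffmpeg.profile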
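--- /dev/null
+++ b/etc/ffplay.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ffplay
+# Description: FFmpeg-based media player
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ffplay.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffplay
+
+
+# Redirect
+include ffmpeg.profile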
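Review bot: ffplay.profile sets only `private-bin ffplay` before redirecting, so it inherits `nosound`, `no3d` and `protocol inet,inet6` from ffmpeg.profile as changed in this commit. A player that is denied sound, and whose protocol filter leaves out `unix`, will probably fail to reach the sound server and the display, though that cannot be confirmed from this page. If so, the redirect should relax those options before the include, e.g. `ignore nosound`, and the protocol list would need `unix`. Otherwise a comment stating that playback was tested under this profile would help.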
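--- /dev/null
+++ b/etc/ffprobe.profile
@@ -0,0 +1,14 @@
+# Firejail profile for ffprobe
+# Description: FFmpeg-based media prober
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ffprobe.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin ffprobe
+
+
+# Redirect
+include ffmpeg.profile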
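--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -40,6 +40,6 @@ private-dev
 # private-etc alternatives,fonts
 # private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp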
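--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -6,7 +6,7 @@ include firefox-common.local
 # already included by caller profile
 #include globals.local
 
-# uncomment the following line to allow access to common programs/addons/plugins
+# Uncomment the following line to allow access to common programs/addons/plugins.
 #include firefox-common-addons.inc
 
 noblacklist ${HOME}/.pki
@@ -27,25 +27,27 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
 #machine-id
 netfilter
-# Breaks Gnome connector and KDE Connect
+# Breaks Gnome connector and KDE Connect.
-# Also seems to break Ubuntu titlebar menu
+# Also seems to break Ubuntu titlebar menu.
 # Also breaks enigmail apparently?
-# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on
+# During a stream on Plasma it prevents the mechanism to temporarily bypass the power management, i.e. to keep the screen on.
-# Therefore disable if you use that
+# Therefore disable if you use that.
 nodbus
 nodvd
 nogroups
 nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
 noroot
 notv
 ?BROWSER_DISABLE_U2F: nou2f
 protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
-#disable tracelog, it breaks or causes major issues with many firefox based browsers, see github issue #1930
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
 #tracelog
 
 disable-mnt
@@ -54,6 +56,6 @@ private-dev
 #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
 private-tmp
 
-# breaks DRM binaries
+# Breaks DRM binaries.
 #noexec ${HOME}
 noexec /tmp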
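--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -1,6 +1,7 @@
 # Firejail profile for flameshot
 # Description: Powerful yet simple-to-use screenshot software
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include flameshot.local
 # Persistent global definitions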
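--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -4,46 +4,9 @@
 # Persistent local customizations
 include gconf-editor.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.config/gconf
 
-include disable-common.inc
+# Redirect
-include disable-devel.inc
+include gconf.profile
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${HOME}/.config/gconf
-include whitelist-common.inc
-
-apparmor
-caps.drop all
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin gconf-editor
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp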
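--- /dev/null
+++ b/etc/gconf-merge-schema.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile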
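--- /dev/null
+++ b/etc/gconf-merge-tree.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile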
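--- /dev/null
+++ b/etc/gconf.profile
@@ -0,0 +1,57 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gconf
+
+# Allow python2 (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib libpython*,python2*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp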
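Review bot: The shared profile un-blacklists python2 and lists `python2*` in `private-bin` and `private-lib` for every tool that redirects here, including gconf-editor, whose standalone profile (removed in this commit) had `private-bin gconf-editor` and no interpreter access. The comment at line 11 does not say which tool needs the interpreter, so the wider sandbox cannot be checked against a requirement. I would name the consumer in the comment, `# Allow python2 for <tool that needs it> (blacklisted by disable-interpreters.inc)`. If only one or two tools need it, the python2 allowances could move into those redirect profiles so the others keep the tighter set.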
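--- /dev/null
+++ b/etc/gconfpkg.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile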
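--- /dev/null
+++ b/etc/gconftool-2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile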
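--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -13,7 +13,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-inclue whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -40,7 +40,7 @@ disable-mnt
 private-bin bash,geekbenc*,sh
 private-cache
 private-dev
-private-etc alternatives,groups,passwd,lsb-release
+private-etc alternatives,group,passwd,lsb-release
 private-lib libstdc++.so.*
 private-opt none
 private-tmp
@@ -49,5 +49,4 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
 
-# never write anything
 read-only ${HOME}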
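--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -44,6 +44,6 @@ private-dev
 #private-lib gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.*,libgnutls.so.*,libproxy.so.*,librsvg-2.so.*,libxml2.so.*
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp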
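--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -6,7 +6,6 @@ include gnome-clocks.local
 # Persistent global definitions
 include globals.local
 
-
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
@@ -14,8 +13,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -32,9 +33,10 @@ shell none
 tracelog
 
 disable-mnt
-# private-bin gnome-clocks
+private-bin gnome-clocks,gsound-play
+private-cache
 private-dev
-# private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
+private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf
 private-tmp
 
 noexec ${HOME}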
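--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -38,7 +38,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,groups,passwd
+private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
 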
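--- /dev/null
+++ b/etc/gsettings-data-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile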
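--- /dev/null
+++ b/etc/gsettings-schema-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile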
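--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -48,7 +48,7 @@ private-tmp
 # 2.2.4 crashes on database open
 # memory-deny-write-execute
 noexec ${HOME}
-# noexec /tmp
+noexec /tmp
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc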
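--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -36,7 +36,7 @@ shell none
 
 private-bin patch,red
 private-dev
-private-lib
+private-lib libfakeroot
 
 memory-deny-write-execute
 noexec ${HOME}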
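--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -15,9 +15,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
-include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor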
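--- a/etc/hardinfo.profile
+++ b/etc/pragha.profile
@@ -1,38 +1,39 @@
-# Firejail profile for hardinfo
-# Description: A system information and benchmark tool
+# Firejail profile for pragha
+# Description: A lightweight GTK music player
 # This file is overwritten after every install/update
 # Persistent local customizations
-include hardinfo.local
+include pragha.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/pragha
+noblacklist ${MUSIC}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-apparmor
+include whitelist-var-common.inc
+
 caps.drop all
-machine-id
-ipc-namespace
 netfilter
-nodbus
-nodvd
+no3d
 nogroups
 nonewprivs
 noroot
-nosound
+notv
 nou2f
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
-disable-mnt
-private-cache
 private-dev
+private-etc alternatives,asound.conf,ca-certificates,fonts,host.conf,hostname,hosts,pulse,resolv.conf,ssl,pki,crypto-policies,gtk-3.0,xdg,machine-id
 private-tmp
 
-# memory-deny-write-execute - Breaks on Arch
 noexec ${HOME}
 noexec /tmp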
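Review bot: The new pragha profile has no `apparmor`, `private-cache`, `disable-mnt` or `private-bin` line, and nothing in the file says whether each was tested and breaks the player or was simply not tried. They appear as removals only because the file is diffed against hardinfo.profile, so the omission is easy to miss. Where an option is known to break playback, keep it as a commented line with the reason, in the form used elsewhere in this commit (`# nodbus - breaks <feature>`); otherwise add `apparmor` and `private-cache` and test. As a style point, the `private-etc` list stops being alphabetical after `ssl` (`pki,crypto-policies,gtk-3.0,xdg,machine-id`), which makes later audits of that allowlist harder.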
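--- /dev/null
+++ b/etc/qt-faststart.profile
@@ -0,0 +1,14 @@
+# Firejail profile for qt-faststart
+# Description: FFmpeg-based media utility
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qt-faststart.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin qt-faststart
+
+
+# Redirect
+include ffmpeg.profile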
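--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -39,6 +39,6 @@ private-cache
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp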
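Review bot: `memory-deny-write-execute` is commented out at new line 42 with no reason given, so the W^X restriction is dropped on every distribution and nobody can tell later when it is safe to restore. The sysprof.profile change in this same commit records the cause on the line itself (`# memory-deny-write-execute - Breaks GUI on Arch`); do the same here, e.g. `# memory-deny-write-execute - breaks <what> on <distro>`. If the breakage is limited to one distribution, consider leaving the option enabled and documenting `ignore memory-deny-write-execute` for sol.local instead. The profile starts outside the hunk.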
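--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -44,7 +44,7 @@ shell none
 
 disable-mnt
 private
-private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
 private-cache
 private-tmp
 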
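--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -18,10 +18,11 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
-no3d
-nodbus
+ipc-namespace
+netfilter
+# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -30,15 +31,16 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-bin sqlitebrowser
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
-# memory-deny-write-execute - breaks on Arch
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp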
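Review bot: Replacing `net none` and `protocol unix` with `netfilter` and `protocol unix,inet,inet6,netlink` gives a local database viewer outbound network access, and the profile does not say which feature needs it. The only hint is `# nodbus - breaks proxy creation`; a comment above `netfilter` naming the feature (placeholder form: `# network access needed for <feature>`) would let users judge the trade-off. Users who only open local files lose the stronger default, so the same comment should say that `net none` can be restored in sqlitebrowser.local. Separately, `memory-deny-write-execute` is switched on at new line 44 although the removed comment said it breaks on Arch; confirm that was re-tested.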
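--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -1,66 +1,75 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
-
-
-noblacklist ${HOME}/.tor-browser-ar:
-mkdir ${HOME}/.tor-browser-ar:
-whitelist ${HOME}/.tor-browser-ar:
-
-noblacklist ${HOME}/.tor-browser-en:
-mkdir ${HOME}/.tor-browser-en:
-whitelist ${HOME}/.tor-browser-en:
-
-noblacklist ${HOME}/.tor-browser-en-us:
-mkdir ${HOME}/.tor-browser-en-us:
-whitelist ${HOME}/.tor-browser-en-us:
-
-noblacklist ${HOME}/.tor-browser-es:
-mkdir ${HOME}/.tor-browser-es:
-whitelist ${HOME}/.tor-browser-es:
-
-noblacklist ${HOME}/.tor-browser-es-es:
-mkdir ${HOME}/.tor-browser-es-es:
-whitelist ${HOME}/.tor-browser-es-es:
-
-noblacklist ${HOME}/.tor-browser-fa:
-mkdir ${HOME}/.tor-browser-fa:
-whitelist ${HOME}/.tor-browser-fa:
-
-noblacklist ${HOME}/.tor-browser-fr:
-mkdir ${HOME}/.tor-browser-fr:
-whitelist ${HOME}/.tor-browser-fr:
-
-noblacklist ${HOME}/.tor-browser-it:
-mkdir ${HOME}/.tor-browser-it:
-whitelist ${HOME}/.tor-browser-it:
-
-noblacklist ${HOME}/.tor-browser-ja:
-mkdir ${HOME}/.tor-browser-ja:
-whitelist ${HOME}/.tor-browser-ja:
-
-noblacklist ${HOME}/.tor-browser-ko:
-mkdir ${HOME}/.tor-browser-ko:
-whitelist ${HOME}/.tor-browser-ko:
-
-noblacklist ${HOME}/.tor-browser-pl:
-mkdir ${HOME}/.tor-browser-pl:
-whitelist ${HOME}/.tor-browser-pl:
-
-noblacklist ${HOME}/.tor-browser-pt-br:
-mkdir ${HOME}/.tor-browser-pt-br:
-whitelist ${HOME}/.tor-browser-pt-br:
-
-noblacklist ${HOME}/.tor-browser-ru:
-mkdir ${HOME}/.tor-browser-ru:
-whitelist ${HOME}/.tor-browser-ru:
-
-noblacklist ${HOME}/.tor-browser-vi:
-mkdir ${HOME}/.tor-browser-vi:
-whitelist ${HOME}/.tor-browser-vi:
-
-noblacklist ${HOME}/.tor-browser-zh-cn:
-mkdir ${HOME}/.tor-browser-zh-cn:
-whitelist ${HOME}/.tor-browser-zh-cn:
+# Persistent local customizations
+include start-tor-browser.desktop.local
+
+
+noblacklist ${HOME}/.tor-browser-*
+noblacklist ${HOME}/.tor-browser_*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile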
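Review bot: New line 49 whitelists `${HOME}/.tor-browser_en_US`, while every other regional entry in the underscore list uses a hyphen (`_es-ES`, `_ga-IE`, `_pt-BR`). The alias added in this same commit, etc/tor-browser_en-US.profile, also uses `${HOME}/.tor-browser_en-US`. As written the en-US directory is left out of this profile's whitelist, so it would presumably be hidden inside the sandbox when the browser is started through this alias. The line should read `whitelist ${HOME}/.tor-browser_en-US`.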
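--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -25,7 +25,7 @@ private-bin strings
 private-cache
 private-dev
 private-etc alternatives
-private-lib
+private-lib libfakeroot
 
 memory-deny-write-execute
 noexec ${HOME}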
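--- a/etc/sysprof-cli.profile
+++ b/etc/sysprof-cli.profile
@@ -13,6 +13,8 @@ nodbus
 private-bin sysprof-cli
 private-lib
 
+memory-deny-write-execute
+
 
 # Redirect
 include sysprof.profile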
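--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -42,6 +42,6 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute - Breaks GUI on Arch
 noexec ${HOME}
 noexec /tmp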
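--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -27,7 +27,7 @@ tracelog
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
 private-dev
 private-etc alternatives,passwd,group,localtime
-private-lib
+private-lib libfakeroot
 
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var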
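--- /dev/null
+++ b/etc/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile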
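Review bot: This alias has no `include tor-browser-ca.local` line, although its header says the file is overwritten on every install/update and start-tor-browser.desktop.profile gains exactly that hook in this commit. Without it a user has no persistent place for per-alias overrides and would have to rely on whatever the included torbrowser-launcher.profile offers, which is not visible here. After line 2 add `# Persistent local customizations` and `include tor-browser-ca.local`. The same applies to every other tor-browser-*.profile and tor-browser_*.profile added in this commit.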
diff --git a/etc/tor-browser-cs.profile b/etc/tor-browser-cs.profile new file mode 100644 index 000000000..77b271b68 --- /dev/null +++ b/etc/tor-browser-cs.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-cs | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-cs | ||
7 | whitelist ${HOME}/.tor-browser-cs | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-da.profile b/etc/tor-browser-da.profile new file mode 100644 index 000000000..3b9fff9a4 --- /dev/null +++ b/etc/tor-browser-da.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-da | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-da | ||
7 | whitelist ${HOME}/.tor-browser-da | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-de.profile b/etc/tor-browser-de.profile new file mode 100644 index 000000000..3b4f7f94f --- /dev/null +++ b/etc/tor-browser-de.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-de | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-de | ||
7 | whitelist ${HOME}/.tor-browser-de | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-el.profile b/etc/tor-browser-el.profile new file mode 100644 index 000000000..b978b6042 --- /dev/null +++ b/etc/tor-browser-el.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-el | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-el | ||
7 | whitelist ${HOME}/.tor-browser-el | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-ga-ie.profile b/etc/tor-browser-ga-ie.profile new file mode 100644 index 000000000..994897a87 --- /dev/null +++ b/etc/tor-browser-ga-ie.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-ga-ie | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-ga-ie | ||
7 | whitelist ${HOME}/.tor-browser-ga-ie | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-he.profile b/etc/tor-browser-he.profile new file mode 100644 index 000000000..6367b4c0a --- /dev/null +++ b/etc/tor-browser-he.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-he | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-he | ||
7 | whitelist ${HOME}/.tor-browser-he | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-hu.profile b/etc/tor-browser-hu.profile new file mode 100644 index 000000000..68e79833e --- /dev/null +++ b/etc/tor-browser-hu.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-hu | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-hu | ||
7 | whitelist ${HOME}/.tor-browser-hu | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-id.profile b/etc/tor-browser-id.profile new file mode 100644 index 000000000..85b455ba2 --- /dev/null +++ b/etc/tor-browser-id.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-id | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-id | ||
7 | whitelist ${HOME}/.tor-browser-id | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-is.profile b/etc/tor-browser-is.profile new file mode 100644 index 000000000..48e88db71 --- /dev/null +++ b/etc/tor-browser-is.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-is | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-is | ||
7 | whitelist ${HOME}/.tor-browser-is | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-ka.profile b/etc/tor-browser-ka.profile new file mode 100644 index 000000000..173b85e5c --- /dev/null +++ b/etc/tor-browser-ka.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-ka | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-ka | ||
7 | whitelist ${HOME}/.tor-browser-ka | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-nb.profile b/etc/tor-browser-nb.profile new file mode 100644 index 000000000..d1352dd80 --- /dev/null +++ b/etc/tor-browser-nb.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-nb | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-nb | ||
7 | whitelist ${HOME}/.tor-browser-nb | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-nl.profile b/etc/tor-browser-nl.profile new file mode 100644 index 000000000..d4443cca2 --- /dev/null +++ b/etc/tor-browser-nl.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-nl | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-nl | ||
7 | whitelist ${HOME}/.tor-browser-nl | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-sv-se.profile b/etc/tor-browser-sv-se.profile new file mode 100644 index 000000000..c8544262f --- /dev/null +++ b/etc/tor-browser-sv-se.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-sv-se | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-sv-se | ||
7 | whitelist ${HOME}/.tor-browser-sv-se | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-tr.profile b/etc/tor-browser-tr.profile new file mode 100644 index 000000000..2343fa8de --- /dev/null +++ b/etc/tor-browser-tr.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-tr | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-tr | ||
7 | whitelist ${HOME}/.tor-browser-tr | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser-zh-tw.profile b/etc/tor-browser-zh-tw.profile new file mode 100644 index 000000000..6fe09c6c1 --- /dev/null +++ b/etc/tor-browser-zh-tw.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser-zh-tw | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser-zh-tw | ||
7 | whitelist ${HOME}/.tor-browser-zh-tw | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_ar.profile b/etc/tor-browser_ar.profile new file mode 100644 index 000000000..1e1f5ce35 --- /dev/null +++ b/etc/tor-browser_ar.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_ar | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_ar | ||
7 | whitelist ${HOME}/.tor-browser_ar | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_ca.profile b/etc/tor-browser_ca.profile new file mode 100644 index 000000000..e114b6051 --- /dev/null +++ b/etc/tor-browser_ca.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_ca | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_ca | ||
7 | whitelist ${HOME}/.tor-browser_ca | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_cs.profile b/etc/tor-browser_cs.profile new file mode 100644 index 000000000..498068bc6 --- /dev/null +++ b/etc/tor-browser_cs.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_cs | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_cs | ||
7 | whitelist ${HOME}/.tor-browser_cs | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_da.profile b/etc/tor-browser_da.profile new file mode 100644 index 000000000..5c25c03c8 --- /dev/null +++ b/etc/tor-browser_da.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_da | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_da | ||
7 | whitelist ${HOME}/.tor-browser_da | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_de.profile b/etc/tor-browser_de.profile new file mode 100644 index 000000000..d530e7dbe --- /dev/null +++ b/etc/tor-browser_de.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_de | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_de | ||
7 | whitelist ${HOME}/.tor-browser_de | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_el.profile b/etc/tor-browser_el.profile new file mode 100644 index 000000000..67d5ab440 --- /dev/null +++ b/etc/tor-browser_el.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_el | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_el | ||
7 | whitelist ${HOME}/.tor-browser_el | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_en-US.profile b/etc/tor-browser_en-US.profile new file mode 100644 index 000000000..b298ab2b8 --- /dev/null +++ b/etc/tor-browser_en-US.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_en-US | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_en-US | ||
7 | whitelist ${HOME}/.tor-browser_en-US | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_en.profile b/etc/tor-browser_en.profile new file mode 100644 index 000000000..6bb0616b1 --- /dev/null +++ b/etc/tor-browser_en.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_en | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_en | ||
7 | whitelist ${HOME}/.tor-browser_en | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_es-ES.profile b/etc/tor-browser_es-ES.profile new file mode 100644 index 000000000..78f57ffe5 --- /dev/null +++ b/etc/tor-browser_es-ES.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_es-ES | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_es-ES | ||
7 | whitelist ${HOME}/.tor-browser_es-ES | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_es.profile b/etc/tor-browser_es.profile new file mode 100644 index 000000000..ea34a07c9 --- /dev/null +++ b/etc/tor-browser_es.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_es | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_es | ||
7 | whitelist ${HOME}/.tor-browser_es | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_fa.profile b/etc/tor-browser_fa.profile new file mode 100644 index 000000000..fbc416ce5 --- /dev/null +++ b/etc/tor-browser_fa.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_fa | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_fa | ||
7 | whitelist ${HOME}/.tor-browser_fa | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_fr.profile b/etc/tor-browser_fr.profile new file mode 100644 index 000000000..caea6db5b --- /dev/null +++ b/etc/tor-browser_fr.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_fr | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_fr | ||
7 | whitelist ${HOME}/.tor-browser_fr | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_ga-IE.profile b/etc/tor-browser_ga-IE.profile new file mode 100644 index 000000000..6342daebf --- /dev/null +++ b/etc/tor-browser_ga-IE.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_ga-IE | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_ga-IE | ||
7 | whitelist ${HOME}/.tor-browser_ga-IE | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_he.profile b/etc/tor-browser_he.profile new file mode 100644 index 000000000..cc4150620 --- /dev/null +++ b/etc/tor-browser_he.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_he | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_he | ||
7 | whitelist ${HOME}/.tor-browser_he | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_hu.profile b/etc/tor-browser_hu.profile new file mode 100644 index 000000000..952a0b68a --- /dev/null +++ b/etc/tor-browser_hu.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_hu | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_hu | ||
7 | whitelist ${HOME}/.tor-browser_hu | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_id.profile b/etc/tor-browser_id.profile new file mode 100644 index 000000000..a006b27c0 --- /dev/null +++ b/etc/tor-browser_id.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_id | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_id | ||
7 | whitelist ${HOME}/.tor-browser_id | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_is.profile b/etc/tor-browser_is.profile new file mode 100644 index 000000000..038e0fabb --- /dev/null +++ b/etc/tor-browser_is.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_is | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_is | ||
7 | whitelist ${HOME}/.tor-browser_is | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_it.profile b/etc/tor-browser_it.profile new file mode 100644 index 000000000..3d2566994 --- /dev/null +++ b/etc/tor-browser_it.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_it | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_it | ||
7 | whitelist ${HOME}/.tor-browser_it | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
diff --git a/etc/tor-browser_ja.profile b/etc/tor-browser_ja.profile new file mode 100644 index 000000000..08c942bcd --- /dev/null +++ b/etc/tor-browser_ja.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for torbrowser-launcher | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | noblacklist ${HOME}/.tor-browser_ja | ||
5 | |||
6 | mkdir ${HOME}/.tor-browser_ja | ||
7 | whitelist ${HOME}/.tor-browser_ja | ||
8 | |||
9 | # Redirect | ||
10 | include torbrowser-launcher.profile | ||
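--- /dev/null
+++ b/etc/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile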
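--- /dev/null
+++ b/etc/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile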
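--- /dev/null
+++ b/etc/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile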
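--- /dev/null
+++ b/etc/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile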
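--- /dev/null
+++ b/etc/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile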
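--- /dev/null
+++ b/etc/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile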
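--- /dev/null
+++ b/etc/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile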
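--- /dev/null
+++ b/etc/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile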
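--- /dev/null
+++ b/etc/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile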
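--- /dev/null
+++ b/etc/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile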
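--- /dev/null
+++ b/etc/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile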
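--- /dev/null
+++ b/etc/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile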
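--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -35,7 +35,7 @@ shell none
 # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
 
 disable-mnt
-private-bin wire-desktop
+private-bin wire-desktop,bash,sh,env,electron
 private-dev
 private-etc alternatives,fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp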
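Review bot: The widened `private-bin wire-desktop,bash,sh,env,electron` line puts two shell interpreters and `env` into the sandbox's bin directory with no comment saying why, which loosens the containment the original single-entry list gave (the hunk header shows the profile also sets `shell none`). If they are needed only because the launcher is a script that starts Electron (an assumption, since the launcher is not shown), a comment above the line should say so, for example `# wire-desktop is a wrapper script: needs sh/bash and env to start electron`. Whichever of `bash`/`sh` the wrapper does not actually use should be dropped to keep the list minimal. The profile continues outside this hunk.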