Diffstat (limited to 'etc')
-rw-r--r-- | etc/bitlbee.profile | 1 | ||||
-rw-r--r-- | etc/disable-common.inc | 12 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/neverball.profile | 37 | ||||
-rw-r--r-- | etc/server.profile | 2 | ||||
-rw-r--r-- | etc/steam.profile | 18 | ||||
-rw-r--r-- | etc/xonotic.profile | 1 |
7 files changed, 67 insertions, 5 deletions
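--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc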
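Review bot: `noblacklist /var/log` re-exposes the whole of /var/log to the sandbox rather than only what bitlbee has to write, which undoes the new disable-common denylist for every other log file the sandbox user can read. If bitlbee only logs to its own subdirectory, a narrower `noblacklist /var/log/bitlbee` keeps the rest hidden; if the daemon really needs the directory itself, a short comment saying why the broad exception is required would help the next maintainer.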
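--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
 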
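Review bot: `blacklist /var/run/systemd` is likely to break name resolution in every sandbox on hosts that use systemd-resolved, where /etc/resolv.conf is commonly a symlink to /run/systemd/resolve/stub-resolv.conf; /var/run is normally an alias of /run, so, assuming firejail applies the entry through that alias, the sandbox sees an empty directory where the stub file should be. Consider `noblacklist /run/systemd/resolve` ahead of the new entry, or narrowing it to the subdirectories you actually mean to hide, and a one-line comment on the entry stating what it is meant to protect (the private systemd socket and unit state). The same check applies to the `private-etc` lists added elsewhere in this commit, which copy resolv.conf into the sandbox.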
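--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders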
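--- /dev/null
+++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
+# Firejail profile for neverball
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/neverball.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.neverball
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp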
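Review bot: `protocol unix,netlink` keeps inet/inet6 out of the sandbox only at the seccomp layer, while `netfilter` is still listed; for a game that needs no network, `net none` states the intent directly and gives the sandbox its own empty network namespace, after which `netfilter` (which, as far as I recall, only acts when the sandbox has its own network namespace) can be dropped, i.e. replace the `netfilter` line with `net none`. If neverball does have a network feature I am not aware of, keep the current lines but add a comment saying why inet is omitted from the protocol list. The profile also has no `private-etc`, unlike the xonotic profile updated in this commit; a list along the lines of xonotic's, without the network entries, would be the matching tightening.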
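--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc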
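Review bot: The two commented-out `noblacklist` lines do not say when a user should enable them or what enabling them costs. Since /var/log and /var/opt are now denied by disable-common.inc, a hint such as `# uncomment if the service logs to /var/log or is installed under /var/opt; prefer a per-service path like /var/log/<service> in server.local` next to them would make the trade-off explicit, because uncommenting as written exposes the whole directory to the sandboxed service.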
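--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.Steampath
-noblacklist ${HOME}/.Steampid
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
 nonewprivs
 noroot
 notv
-# novideo
+# novideo should be commented for VR
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
 # tracelog
 
+# private-dev should be commented for controllers
 private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp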
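Review bot: The new `private-etc` list omits `nsswitch.conf`, which the xonotic list added in the same commit includes; without it glibc falls back to its compiled-in NSS defaults, so host-specific lookup configuration (for example `resolve`, `mdns` or `myhostname` modules) is not honoured inside the sandbox and hostname lookups that work outside can fail for the Steam client. Adding `nsswitch.conf` to the list keeps the two profiles consistent. The list also carries `ld.so.preload` into the sandbox, so any host-wide preload library is loaded into Steam and every game it launches; if that is intended, a short comment on the line saying so would save the next reader from removing it.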
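--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
 private-tmp
 
 noexec ${HOME}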
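Review bot: `ld.so.preload` in the new `private-etc` list is the one entry that pulls host-level code rather than data into the sandbox: any library named in the host's /etc/ld.so.preload is preloaded into the game as well. If that is deliberate (some distributions ship a system-wide preload entry and omitting the file changes loader behaviour), a comment such as `# ld.so.preload kept so the loader behaves as on the host` would document it; if not, dropping the entry stops a host-wide preload from following the game into the sandbox. The list is otherwise a sensible minimum for an SDL/OpenGL game with network play.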