Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail.config | 2 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/profile-a-l/balsa.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/cola.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/eog.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/evince.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/goldendict.profile | 57 | ||||
-rw-r--r-- | etc/profile-a-l/librewolf.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/microsoft-edge-beta.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/mpv.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/softmaker-common.profile | 6 | ||||
-rw-r--r-- | etc/profile-m-z/straw-viewer.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/youtube-viewer.profile | 2 | ||||
-rw-r--r-- | etc/templates/profile.template | 2 |
14 files changed, 74 insertions, 13 deletions
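--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -63,7 +63,7 @@
 # a file argument, the default filter is hardcoded (see man 1 firejail). This
 # configuration entry allows the user to change the default by specifying
 # a file containing the filter configuration. The filter file format is the
-# format of iptables-save and iptable-restore commands. Example:
+# format of iptables-save and iptables-restore commands. Example:
 # netfilter-default /etc/iptables.iptables.rules
 
 # Enable or disable networking features, default enabled.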
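--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -77,6 +77,7 @@ blacklist ${HOME}/.config/Element
 blacklist ${HOME}/.config/Element (Riot)
 blacklist ${HOME}/.config/Enox
 blacklist ${HOME}/.config/Epic
+blacklist ${HOME}/.config/Exodus
 blacklist ${HOME}/.config/Ferdi
 blacklist ${HOME}/.config/Flavio Tordini
 blacklist ${HOME}/.config/Franz
@@ -501,6 +502,7 @@ blacklist ${HOME}/.gitconfig
 blacklist ${HOME}/.gl-117
 blacklist ${HOME}/.glaxiumrc
 blacklist ${HOME}/.gnome/gnome-schedule
+blacklist ${HOME}/.goldendict
 blacklist ${HOME}/.googleearth
 blacklist ${HOME}/.gradle
 blacklist ${HOME}/.gramps
@@ -966,6 +968,7 @@ blacklist ${HOME}/.cache/Enpass
 blacklist ${HOME}/.cache/Ferdi
 blacklist ${HOME}/.cache/Flavio Tordini
 blacklist ${HOME}/.cache/Franz
+blacklist ${HOME}/.cache/GoldenDict
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/KDE/neochat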
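Review bot: The `blacklist ${HOME}/.config/Exodus` entry in the first hunk has no counterpart anywhere in this diff, unlike the two GoldenDict entries, which the new goldendict.profile lifts with `noblacklist`. The diffstat lists no profile for Exodus, so the application would presumably lose access to its own configuration when started under any profile that includes disable-programs.inc. If the intent is only to hide that directory from every other sandbox, the commit message should say so; otherwise a matching profile with `noblacklist ${HOME}/.config/Exodus` is missing.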
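--- a/etc/profile-a-l/balsa.profile
+++ b/etc/profile-a-l/balsa.profile
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
 dbus-system none
 
-read-only ${HOME}/.mozilla/firefox/profiles.ini
\ No newline at end of file
+read-only ${HOME}/.mozilla/firefox/profiles.ini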
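--- a/etc/profile-a-l/cola.profile
+++ b/etc/profile-a-l/cola.profile
@@ -7,4 +7,4 @@ include cola.local
 include globals.local
 
 # Redirect
-include git-cola.profile
\ No newline at end of file
+include git-cola.profile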
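--- a/etc/profile-a-l/eog.profile
+++ b/etc/profile-a-l/eog.profile
@@ -18,7 +18,7 @@ whitelist /usr/share/eog
 
 private-bin eog
 
-# broken on Debian 10 (buster) running LXDE got the folowing error:
+# broken on Debian 10 (buster) running LXDE got the following error:
 # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
 #dbus-user filter
 #dbus-user.own org.gnome.eog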
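--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -56,7 +56,7 @@ private-cache
 private-dev
 private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd
 # private-lib might break two-page-view on some systems
-private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
+private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
 
 # dbus-user filtering might break two-page-view on some systems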
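--- /dev/null
+++ b/etc/profile-a-l/goldendict.profile
@@ -0,0 +1,57 @@
+# Firejail profile for goldendict
+# This file is overwritten after every install/update
+# Persistent local customizations
+include goldendict.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.goldendict
+noblacklist ${HOME}/.cache/GoldenDict
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.goldendict
+mkdir ${HOME}/.cache/GoldenDict
+whitelist ${HOME}/.goldendict
+whitelist ${HOME}/.cache/GoldenDict
+# The default path of dictionaries
+whitelist /usr/share/stardict/dic
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+# no3d leads to the libGL MESA-LOADER errors
+#no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin goldendict
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,fonts,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
+private-tmp
+
+dbus-user none
+dbus-system none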
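Review bot: The new profile keeps the network open (`netfilter`, `protocol unix,inet,inet6,netlink`, and `resolv.conf` plus the CA directories in `private-etc`) without a comment saying why, and gives users who only use local dictionaries no hint for closing it. A two-line addition above `netfilter`, in the style the librewolf profile uses for optional rules, would cover this: `# Add the next line to your goldendict.local if you only use local dictionaries.` followed by `#net none`. It would also help to note next to the `whitelist` lines that only `${HOME}/.goldendict`, the cache and `/usr/share/stardict/dic` are visible, so dictionaries stored elsewhere in the home directory need an extra `whitelist` in goldendict.local. With `private-bin goldendict` and `shell none`, any external helper program the application is configured to launch will presumably be unavailable as well; this deserves a comment too.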
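--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -36,6 +36,7 @@ include whitelist-usr-share-common.inc
 #private-etc librewolf
 
 dbus-user filter
+dbus-user.own org.mozilla.librewolf.*
 # Add the next line to your librewolf.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
 # Add the next line to your librewolf.local to allow inhibiting screensavers.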
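Review bot: The added `dbus-user.own org.mozilla.librewolf.*` is the only D-Bus rule visible in this hunk without an explanatory comment, and it is a wildcard grant under `dbus-user filter`. D-Bus names are case-sensitive, so the rule only takes effect if LibreWolf really requests a name under lower-case `org.mozilla.librewolf.`; please confirm that against a running instance. I would record the reason above the line, for example `# Allow LibreWolf to own its session-bus name (presumably used to reach an already running instance).`. The D-Bus section continues outside the hunk, so other own/talk rules may exist that are not shown here.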
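--- a/etc/profile-m-z/microsoft-edge-beta.profile
+++ b/etc/profile-m-z/microsoft-edge-beta.profile
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta
 private-opt microsoft
 
 # Redirect
-include chromium-common.profile
\ No newline at end of file
+include chromium-common.profile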
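--- a/etc/profile-m-z/mpv.profile
+++ b/etc/profile-m-z/mpv.profile
@@ -11,7 +11,7 @@ include globals.local
 # edit ~/.config/mpv/foobar.conf:
 # screenshot-directory=~/Pictures
 
-# Mpv has a powerfull lua-API, some off these lua-scripts interact
+# Mpv has a powerful lua-API, some off these lua-scripts interact
 # with external resources which are blocked by firejail. In such cases
 # you need to allow these resources by
 # - adding additional binaries to private-bin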
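--- a/etc/profile-m-z/softmaker-common.profile
+++ b/etc/profile-m-z/softmaker-common.profile
@@ -6,9 +6,9 @@ include softmaker-common.local
 # added by caller profile
 #include globals.local
 
-# The offical packages install the desktop file under /usr/local/share/applications
-# with an absolute Exec line. These files are NOT handelt by firecfg,
-# therefore you must manualy copy them in you home and remove '/usr/bin/'.
+# The official packages install the desktop file under /usr/local/share/applications
+# with an absolute Exec line. These files are NOT handled by firecfg,
+# therefore you must manually copy them in you home and remove '/usr/bin/'.
 
 noblacklist ${HOME}/SoftMaker
 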
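--- a/etc/profile-m-z/straw-viewer.profile
+++ b/etc/profile-m-z/straw-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer
 private-bin gtk-straw-viewer,straw-viewer
 
 # Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile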
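--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer
 private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer
 
 # Redirect
-include youtube-viewers-common.profile
\ No newline at end of file
+include youtube-viewers-common.profile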
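--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -204,7 +204,7 @@ include globals.local
 
 # Since 0.9.63 also a more granular control of dbus is supported.
 # To get the dbus-addresses an application needs access to you can
-# check with flatpak (when the application is distriputed that way):
+# check with flatpak (when the application is distributed that way):
 # flatpak remote-info --show-metadata flathub <APP-ID>
 # Notes:
 # - flatpak implicitly allows an app to own <APP-ID> on the session bus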