Diffstat (limited to 'etc')
-rw-r--r-- | etc/baloo_file.profile | 2 | ||||
-rw-r--r-- | etc/baloo_filemetadata_temp_extractor.profile | 11 | ||||
-rw-r--r-- | etc/bitlbee.profile | 1 | ||||
-rw-r--r-- | etc/clion.profile | 34 | ||||
-rw-r--r-- | etc/disable-common.inc | 6 | ||||
-rw-r--r-- | etc/disable-programs.inc | 3 | ||||
-rw-r--r-- | etc/discord.profile | 4 | ||||
-rw-r--r-- | etc/firefox-common-addons.inc | 13 | ||||
-rw-r--r-- | etc/firejail-default | 10 | ||||
-rw-r--r-- | etc/flowblade.profile | 6 | ||||
-rw-r--r-- | etc/less.profile | 2 | ||||
-rw-r--r-- | etc/musixmatch.profile | 1 | ||||
-rw-r--r-- | etc/openshot.profile | 6 | ||||
-rw-r--r-- | etc/ppsspp.profile | 42 | ||||
-rw-r--r-- | etc/ranger.profile | 10 | ||||
-rw-r--r-- | etc/scallion.profile | 42 | ||||
-rw-r--r-- | etc/skypeforlinux.profile | 2 | ||||
-rw-r--r-- | etc/uzbl-browser.profile | 7 | ||||
-rw-r--r-- | etc/zathura.profile | 3 |
19 files changed, 188 insertions, 17 deletions
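--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -35,7 +35,7 @@ seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fano
 shell none
 # x11 xorg
 
-private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
+private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kbuildsycoca4
 private-dev
 private-tmp
 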
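--- /dev/null
+++ b/etc/baloo_filemetadata_temp_extractor.profile
@@ -0,0 +1,11 @@
+# Firejail profile for baloo_filemetadata_temp_extractor
+# This file is overwritten after every install/update
+# Persistent local customizations
+quiet
+include /etc/firejail/baloo_filemetadata_temp_extractor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/baloo_file.profile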
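Review bot: `quiet` on line 4 sits between the `# Persistent local customizations` comment and the `include /etc/firejail/baloo_filemetadata_temp_extractor.local` line that the comment describes, so the header reads as if `quiet` were the local customization. scallion.profile in this same commit places `quiet` directly after the `# This file is overwritten after every install/update` line; doing the same here keeps the two new profiles consistent. The double blank line at 8–9 can also be collapsed to one.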
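--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
 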
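--- /dev/null
+++ b/etc/clion.profile
@@ -0,0 +1,34 @@
+# Firejail profile for CLion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.CLion*
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.local/share/JetBrains
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+# private-tmp
+
+noexec /tmp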
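Review bot: `noblacklist ${HOME}/.ssh` on line 12 makes the user's SSH keys readable inside a sandbox that also keeps `protocol unix,inet,inet6` networking, and nothing in the profile says why. If it is there for VCS access over SSH from the IDE, say so next to the line, e.g. `# ${HOME}/.ssh is needed for git over SSH; comment out if unused`, so users who do not need it know they can restore the blacklist. The same applies to `# private-tmp` on line 32, which is disabled without a reason while `noexec /tmp` is applied to the shared /tmp. The profile also leaves out disable-devel.inc and disable-interpreters.inc, which ppsspp.profile in this commit includes; presumably that is deliberate for an IDE, but a one-line comment would make it explicit.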
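--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 # - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd
@@ -160,7 +164,7 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for
 # every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt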
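Review bot: The reworded comment at new lines 167–168 is still inaccurate: "is build up" should read "is built", and the switch is spelled `--writeble-var-log` while less.profile on this page uses the option as `writable-var-log`. Since the comment is being touched anyway, I would fix both: `# blacklist /var/log - a virtual /var/log directory (mostly empty) is built by default for` and `# every sandbox, unless --writable-var-log switch is activated`. On the first hunk, the new `blacklist ${HOME}/.local/share/gnome-shell` applies to every profile that includes this file, so any profile that legitimately needs that directory must add its own `noblacklist`; only firefox-common-addons.inc is updated in this commit.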
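--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,7 @@ blacklist ${HOME}/.*coin
 blacklist ${HOME}/.8pecxstudios
 blacklist ${HOME}/.AndroidStudio*
 blacklist ${HOME}/.Atom
+blacklist ${HOME}/.CLion*
 blacklist ${HOME}/.FBReader
 blacklist ${HOME}/.FontForge
 blacklist ${HOME}/.IdeaIC*
@@ -188,6 +189,7 @@ blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
+blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -429,6 +431,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan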
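--- a/etc/discord.profile
+++ b/etc/discord.profile
@@ -24,9 +24,9 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 
-private-bin discord,sh,xdg-mime
+private-bin discord,sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 noexec ${HOME}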
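Review bot: `private-etc fonts,machine-id` on line 29 exposes the host's real /etc/machine-id, a stable per-installation identifier, to the application, unless a `machine-id` directive exists outside this hunk. zathura.profile in this same commit adds the `machine-id` option alongside the same private-etc change, which gives the sandbox a randomly generated id instead; if Discord only needs the file to exist, adding `machine-id` here would keep it from reading the real one. Separately, line 27 grows `private-bin` by eight tools with no explanation; a short comment naming what calls them (for example the launcher or xdg scripts, to be confirmed by whoever tested this) would let later maintainers trim the list safely.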
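--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell
+whitelist ${HOME}/.local/share/gnome-shell
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe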
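Review bot: The GNOME Shell integration block at new lines 55–60 is active for every profile that includes this file, so all of them get `ignore nodbus` and an unblacklisted python3 whether or not chrome-gnome-shell is installed. It also widens the previous `whitelist ${HOME}/.local/share/gnome-shell/extensions` to the whole `gnome-shell` directory, which the comment added to disable-common.inc in this commit describes as holding extensions, last used times and notifications; a whitelisted path stays writable from the browser unless a profile also marks it read-only. I would ship the block commented out, the way `#private-etc adobe` is handled just below it, and let users who want the integration enable it in their .local file. If it has to stay enabled, keep the whitelist scoped to the `extensions` subdirectory as before.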
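--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -21,10 +21,10 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) {
 #dbus,
 
 ##########
-# Allows to attach to a running program and modify the process memory.
-# May be needed by chromium crash handler. Uncomment if you need it.
+# With ptrace it is possible to inspect and hijack running programs. Usually this
+# is needed only for debugging. To allow ptrace, uncomment the following line
 ##########
-#ptrace (trace tracedby),
+#ptrace,
 
 ##########
 # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes
@@ -133,8 +133,8 @@ network raw,
 signal,
 
 ##########
-# We let Firejail deal with capabilities,
-# but mac_admin should be dropped in any case.
+# We let Firejail deal with capabilities, but ensure that
+# some AppArmor related capabilities will not be available.
 ##########
 capability chown,
 capability dac_override,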
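Review bot: The commented-out rule on line 27 changes from `#ptrace (trace tracedby),` to `#ptrace,`, so anyone who follows the new comment and uncomments it grants every ptrace permission (read and readby as well as trace and tracedby) instead of the narrower pair the old rule named. Keeping the scoped form as the line to uncomment, or offering both with a sentence on the difference, would make the opt-in less broad. In the second hunk the rewritten comment at lines 136–137 no longer names `mac_admin`; the capability list continues past the hunk, so naming the capabilities that are deliberately left out would keep the comment checkable against the rules below it.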
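--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc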
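Review bot: The five-line `# Allow python (blacklisted by disable-interpreters.inc)` block added at lines 11–15 is repeated verbatim in openshot.profile, ranger.profile and uzbl-browser.profile in this commit, and firefox-common-addons.inc carries a python3-only variant. Each copy has to track the path patterns in disable-interpreters.inc by hand, so a path added there later would leave these profiles out of step without any visible error. Consider moving the four `noblacklist` lines into one shared include that these profiles pull in before disable-interpreters.inc, and unblacklisting only the Python major version each program actually uses.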
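--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
 
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib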
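--- a/etc/musixmatch.profile
+++ b/etc/musixmatch.profile
@@ -24,7 +24,6 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
-shell none
 
 disable-mnt
 private-dev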
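--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc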
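--- /dev/null
+++ b/etc/ppsspp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for ppsspp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ppsspp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/ppsspp
+# with >=llvm-4 mesa drivers need llvm stuff
+noblacklist /usr/lib/llvm*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+# private-dev is disabled to allow controller support
+#private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies
+private-opt ppsspp
+private-tmp
+
+noexec ${HOME}
+noexec /tmp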
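Review bot: Lines 22–23 combine `netfilter` with `net none`, and line 37 keeps network-related files in `private-etc` (`ca-certificates`, `hosts`, `resolv.conf`, `ssl`, `pki`, `crypto-policies`), which reads like leftovers from a networked template. With `net none` the sandbox has no usable network, so as far as I can tell `netfilter` has nothing to filter and those /etc entries are not needed; dropping them makes the offline intent obvious and shrinks what is visible under /etc. If networking is meant to stay available as a user option, a comment next to line 23 such as `# comment out net none to enable networking` would explain why the rest is kept. `protocol unix,netlink` on line 31 would need the same review in that case.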
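--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/ranger
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc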
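--- /dev/null
+++ b/etc/scallion.profile
@@ -0,0 +1,42 @@
+# Firejail profile for scallion
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/scallion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist /usr/lib/llvm*
+noblacklist ${PATH}/openssl
+noblacklist ${PATH}/openssl-1.0
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp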
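Review bot: `private` on line 37 together with `disable-mnt` and `private-tmp` leaves no persistent writable location in the sandbox, so anything the program writes to a file is discarded when the sandbox exits. That is a sensible default if results are only read from the terminal, but the profile should say so, e.g. `# private: home is a tmpfs, files written there are lost on exit`. The `noblacklist` lines for llvm on lines 9–10 also deserve a comment: ppsspp.profile in this commit pairs the same llvm line with disable-devel.inc and an explanation, whereas this profile does not include disable-devel.inc, so from this page I cannot tell which include the entries are meant to override or whether that include was left out by mistake.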
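--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -25,7 +25,7 @@ seccomp
 shell none
 
 disable-mnt
-#private-dev
+# private-dev - needs /dev/disk
 private-tmp
 
 noexec ${HOME}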
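--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc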
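--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 read-only ${HOME}/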