Diffstat (limited to 'etc')
-rw-r--r--etc/akonadi_control.profile45
-rw-r--r--etc/blender-2.8.profile6
-rw-r--r--etc/disable-common.inc1
-rw-r--r--etc/disable-programs.inc11
-rw-r--r--etc/evince-previewer.profile10
-rw-r--r--etc/evince-thumbnailer.profile10
-rw-r--r--etc/gnome-recipes.profile45
-rw-r--r--etc/kate.profile3
-rw-r--r--etc/kmail.profile23
-rw-r--r--etc/knotes.profile10
-rw-r--r--etc/kwrite.profile3
-rw-r--r--etc/openbox.profile3
-rw-r--r--etc/spotify.profile2
-rw-r--r--etc/thunderbird-beta.profile8
14 files changed, 174 insertions, 6 deletions
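diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile
new file mode 100644
index 000000000..0443774dd
--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,45 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# depending on your setup it might be possible to
+# enable some of the commented options below
+
+# apparmor
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp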
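Review bot: With `# nonewprivs`, `# noroot`, `# protocol` and `# seccomp.drop` all commented out (new-file lines 32-38), this profile ships with no syscall filter and no guard against privilege gain inside the sandbox, and at the same time `noblacklist /usr/sbin` (line 13) re-exposes a directory the includes normally hide; the header comment says "depending on your setup" but does not record which setup was tested or what each relaxation is for. I would put the reason next to each relaxed line, e.g. `noblacklist /usr/sbin # presumably for the mysqld backend of akonadi - confirm`, and a note under the `# seccomp.drop` line naming the syscall(s) that broke when it was enabled, so the next person can tighten it instead of guessing. The file also lacks the `# This file is overwritten after every install/update` header line that the other new profiles in this commit carry (e.g. gnome-recipes.profile line 2); without it a user may edit this file instead of akonadi_control.local and lose the change on upgrade.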
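diff --git a/etc/blender-2.8.profile b/etc/blender-2.8.profile
new file mode 100644
index 000000000..4b907018e
--- /dev/null
+++ b/etc/blender-2.8.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for blender
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/blender.profile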
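diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19be56f86..e5de0b61f 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc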
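diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0d542c6d8..de88cbc24 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,18 +349,21 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi/*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -369,6 +375,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
@@ -376,11 +383,13 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -397,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
@@ -495,6 +505,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre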
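Review bot: `blacklist ${HOME}/.local/share/akonadi/*` (new line 352) blacklists the entries that exist inside the directory rather than the directory itself, unlike its neighbours `akregator` and `baloo` in the same hunk; as far as I know firejail expands such wildcards when the sandbox starts, so the directory stays visible and anything created under it afterwards is not covered, which for the akonadi store means mail and contact data. If the wildcard is deliberate (for instance to keep a socket path under that directory reachable), that deserves a comment on the line; otherwise `blacklist ${HOME}/.local/share/akonadi` is the safer form. The matching `noblacklist ${HOME}/.local/share/akonadi/*` lines in akonadi_control.profile, kmail.profile and knotes.profile in this commit would need to change in step, since a noblacklist only lifts what the blacklist covers.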
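diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile
new file mode 100644
index 000000000..d5bc6db33
--- /dev/null
+++ b/etc/evince-previewer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-previewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-previewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile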
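diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile
new file mode 100644
index 000000000..abc21632d
--- /dev/null
+++ b/etc/evince-thumbnailer.profile
@@ -0,0 +1,10 @@
+# Firejail profile for evince-thumbnailer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/evince-thumbnailer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+# Redirect
+include /etc/firejail/evince.profile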
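Review bot: A thumbnailer is run unattended by the file manager on every document it encounters, including ones the user never chose to open, so it is a higher-risk entry point than the interactive viewer, yet the new profile simply inherits whatever evince.profile grants (line 10; evince.profile is not part of this diff). A thumbnailer has no use for networking, so unless evince.profile already sets it, I would add `net none` above the redirect with the comment `# runs unattended on untrusted files; no network needed`. Note also that this only protects the thumbnailer when the file manager actually invokes it through firejail (e.g. via a firecfg symlink); if the desktop calls the binary by absolute path the profile never applies, which is worth a sentence in the header comment.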
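diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
new file mode 100644
index 000000000..2392440a6
--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+
+noexec ${HOME}
+noexec /tmp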
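Review bot: `private-etc ca-certificates,fonts,ssl` (new line 38) leaves out `resolv.conf`, `hosts` and `nsswitch.conf` even though the profile opens the network with `protocol unix,inet,inet6` and `netfilter`, so name resolution inside the sandbox will presumably fail; the spotify.profile hunk in this same commit keeps `resolv.conf` in its private-etc for that reason. Either the application really works offline, in which case `net none` would be the stronger and more honest setting, or the list should become `private-etc ca-certificates,fonts,hosts,nsswitch.conf,resolv.conf,ssl` — a half-working network is the kind of thing that makes users drop private-etc entirely. The `tar` in `private-bin gnome-recipes,tar` (line 36) is the only non-obvious binary in the sandbox and deserves a comment saying what the program shells out to it for, e.g. `# tar is needed for importing/exporting recipe bundles - confirm`.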
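diff --git a/etc/kate.profile b/etc/kate.profile
index a3d2be6b2..5042077e5 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate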
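Review bot: `# noexec ${HOME}` is added already commented out (new line 45) with no reason given, while kwrite.profile in the same commit enables it; a reader cannot tell whether it was found to break something or was simply left for later. If it was disabled because kate runs project scripts from its build or terminal plugins, say so on the line, e.g. `# noexec ${HOME} - breaks running scripts from the build/terminal plugins`; if nobody hit a breakage, enabling it would bring kate in line with kwrite.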
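diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca774f4ec..952af55c8 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,19 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
+# one solution is to have akonadi already running when kmail is launched
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 
 include /etc/firejail/disable-common.inc
@@ -12,6 +25,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# apparmor
 caps.drop all
 netfilter
 nodvd
@@ -22,11 +36,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot and ioprio_set system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp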
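Review bot: The new comment at the top of the noblacklist block (new lines 8-9) records that a mysql-backed akonadi cannot start inside this sandbox, but not why, so the next person cannot tell whether loosening this profile or starting akonadi separately is the intended fix. The akonadi_control.profile added in this same commit carries `noblacklist /usr/sbin`, which suggests the blocked piece is the mysqld binary that the default includes hide; if that is confirmed, the comment should say so and point at the sibling profile, e.g. `# a mysql-backed akonadi cannot start here (mysqld lives in /usr/sbin, hidden by the includes); start akonadi first, see akonadi_control.profile`. The rewritten seccomp comment (new line 39) names the two syscalls that must stay allowed, which is good; stating what in kmail needs chroot would make it harder for a future cleanup to re-add `@privileged` by mistake.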
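diff --git a/etc/knotes.profile b/etc/knotes.profile
index 94ada7855..091c3a8e5 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/akonadi/*
 
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,10 +24,14 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
 private-dev
-#private-tmp - problems on kubuntu 17.04
+# private-tmp - interrupts connection to akonadi
+
+noexec ${HOME}
+noexec /tmp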
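Review bot: `noblacklist ${HOME}/.local/share/akonadi/*` (new line 10) hands a sticky-notes application the entire akonadi data directory, which on a KDE PIM setup holds the mail and contact store, when all knotes should need is to reach the akonadi server. I cannot tell from this hunk whether knotes reads files there or only connects through a socket that happens to live under that path; if it is the latter, the noblacklist could be narrowed to that subdirectory, and either way the line needs a comment such as `# needed to reach the akonadi server - TODO narrow if only the socket is required`. Enabling disable-devel.inc and adding `novideo`/`noexec` in the same change are straightforward tightenings and look fine.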
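diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index a785f3541..1c4e50b77 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite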
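diff --git a/etc/openbox.profile b/etc/openbox.profile
index 5bab7ce7d..ec4b47c29 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -14,3 +14,6 @@ netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment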
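Review bot: Making `autostart` and `environment` read-only (new lines 18-19) closes the most obvious way for a compromised session to persist commands, but as far as I recall the other files in that directory are command carriers too: `rc.xml` keybindings can carry Execute actions and `menu.xml` items run commands, so an attacker who can write there still gets code run at the next login or keypress. Unless openbox itself needs to write into its config directory at runtime (I believe only obconf does), `read-only ${HOME}/.config/openbox` would cover all of them in one line. Whichever form is kept, a comment like `# keep the session from being able to plant commands that run at next login` records why these lines exist so they are not dropped as a nuisance later.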
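diff --git a/etc/spotify.profile b/etc/spotify.profile
index c973783a9..5a6227a8a 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -44,7 +44,7 @@ tracelog
 disable-mnt
 private-bin spotify,bash,sh,zenity
 private-dev
-private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf
+private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf
 private-opt spotify
 private-tmp
 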
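diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile
new file mode 100644
index 000000000..73d2419da
--- /dev/null
+++ b/etc/thunderbird-beta.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for thunderbird-beta
+# This file is overwritten after every install/update
+
+
+whitelist /opt/thunderbird-beta
+
+# Redirect
+include /etc/firejail/thunderbird.profile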
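Review bot: `whitelist /opt/thunderbird-beta` (new line 5) is the only line in this alias that is not boilerplate and carries no explanation; as far as I know whitelisting a path under /opt flips /opt into whitelist mode, so everything else installed there disappears from the sandbox, which is presumably intended but will surprise whoever next edits the file. A one-line comment such as `# the beta build lives in /opt/thunderbird-beta; whitelisting it hides the rest of /opt` would settle that, and it is worth confirming that thunderbird.profile (not in this diff) does not itself whitelist a different /opt path that this line would now sit alongside. Unlike the evince-previewer and evince-thumbnailer aliases in this commit, this file also has no `include /etc/firejail/thunderbird-beta.local` line, so per-program customization can only go through thunderbird.local.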