diff options
Diffstat (limited to 'etc')
-rw-r--r-- | etc/akonadi_control.profile | 45 | ||||
-rw-r--r-- | etc/blender-2.8.profile | 6 | ||||
-rw-r--r-- | etc/disable-common.inc | 1 | ||||
-rw-r--r-- | etc/disable-programs.inc | 11 | ||||
-rw-r--r-- | etc/evince-previewer.profile | 10 | ||||
-rw-r--r-- | etc/evince-thumbnailer.profile | 10 | ||||
-rw-r--r-- | etc/gnome-recipes.profile | 45 | ||||
-rw-r--r-- | etc/kate.profile | 3 | ||||
-rw-r--r-- | etc/kmail.profile | 23 | ||||
-rw-r--r-- | etc/knotes.profile | 10 | ||||
-rw-r--r-- | etc/kwrite.profile | 3 | ||||
-rw-r--r-- | etc/openbox.profile | 3 | ||||
-rw-r--r-- | etc/spotify.profile | 2 | ||||
-rw-r--r-- | etc/thunderbird-beta.profile | 8 |
14 files changed, 174 insertions, 6 deletions
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile new file mode 100644 index 000000000..0443774dd --- /dev/null +++ b/etc/akonadi_control.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for akonadi_control | ||
2 | # Persistent local customizations | ||
3 | include /etc/firejail/akonadi_control.local | ||
4 | # Persistent global definitions | ||
5 | include /etc/firejail/globals.local | ||
6 | |||
7 | noblacklist ${HOME}/.cache/akonadi* | ||
8 | noblacklist ${HOME}/.config/akonadi* | ||
9 | noblacklist ${HOME}/.config/baloorc | ||
10 | noblacklist ${HOME}/.local/share/akonadi/* | ||
11 | noblacklist ${HOME}/.local/share/contacts | ||
12 | noblacklist ${HOME}/.local/share/local-mail | ||
13 | noblacklist /usr/sbin | ||
14 | |||
15 | include /etc/firejail/disable-common.inc | ||
16 | include /etc/firejail/disable-devel.inc | ||
17 | include /etc/firejail/disable-passwdmgr.inc | ||
18 | include /etc/firejail/disable-programs.inc | ||
19 | |||
20 | include /etc/firejail/whitelist-var-common.inc | ||
21 | |||
22 | # depending on your setup it might be possible to | ||
23 | # enable some of the commented options below | ||
24 | |||
25 | # apparmor | ||
26 | caps.drop all | ||
27 | ipc-namespace | ||
28 | no3d | ||
29 | netfilter | ||
30 | nodvd | ||
31 | nogroups | ||
32 | # nonewprivs | ||
33 | # noroot | ||
34 | nosound | ||
35 | notv | ||
36 | novideo | ||
37 | # protocol unix,inet,inet6 | ||
38 | # seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice | ||
39 | tracelog | ||
40 | |||
41 | private-dev | ||
42 | # private-tmp - breaks programs that depend on akonadi | ||
43 | |||
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
diff --git a/etc/blender-2.8.profile b/etc/blender-2.8.profile new file mode 100644 index 000000000..4b907018e --- /dev/null +++ b/etc/blender-2.8.profile | |||
@@ -0,0 +1,6 @@ | |||
1 | # Firejail profile alias for blender | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | # Redirect | ||
6 | include /etc/firejail/blender.profile | ||
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 19be56f86..e5de0b61f 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | |||
75 | blacklist ${HOME}/.local/share/kglobalaccel | 75 | blacklist ${HOME}/.local/share/kglobalaccel |
76 | blacklist ${HOME}/.local/share/kwin | 76 | blacklist ${HOME}/.local/share/kwin |
77 | blacklist ${HOME}/.local/share/plasma | 77 | blacklist ${HOME}/.local/share/plasma |
78 | blacklist ${HOME}/.local/share/plasmashell | ||
78 | blacklist ${HOME}/.local/share/solid | 79 | blacklist ${HOME}/.local/share/solid |
79 | read-only ${HOME}/.cache/ksycoca5_* | 80 | read-only ${HOME}/.cache/ksycoca5_* |
80 | read-only ${HOME}/.config/*notifyrc | 81 | read-only ${HOME}/.config/*notifyrc |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 0d542c6d8..de88cbc24 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack | |||
73 | blacklist ${HOME}/.config/Thunar | 73 | blacklist ${HOME}/.config/Thunar |
74 | blacklist ${HOME}/.config/VirtualBox | 74 | blacklist ${HOME}/.config/VirtualBox |
75 | blacklist ${HOME}/.config/Wire | 75 | blacklist ${HOME}/.config/Wire |
76 | blacklist ${HOME}/.config/akonadi* | ||
76 | blacklist ${HOME}/.config/akregatorrc | 77 | blacklist ${HOME}/.config/akregatorrc |
77 | blacklist ${HOME}/.config/ardour4 | 78 | blacklist ${HOME}/.config/ardour4 |
78 | blacklist ${HOME}/.config/ardour5 | 79 | blacklist ${HOME}/.config/ardour5 |
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam | |||
106 | blacklist ${HOME}/.config/digikamrc | 107 | blacklist ${HOME}/.config/digikamrc |
107 | blacklist ${HOME}/.config/dolphinrc | 108 | blacklist ${HOME}/.config/dolphinrc |
108 | blacklist ${HOME}/.config/dragonplayerrc | 109 | blacklist ${HOME}/.config/dragonplayerrc |
110 | blacklist ${HOME}/.config/emailidentities | ||
109 | blacklist ${HOME}/.config/enchant | 111 | blacklist ${HOME}/.config/enchant |
110 | blacklist ${HOME}/.config/eog | 112 | blacklist ${HOME}/.config/eog |
111 | blacklist ${HOME}/.config/epiphany | 113 | blacklist ${HOME}/.config/epiphany |
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc | |||
144 | blacklist ${HOME}/.config/kdenliverc | 146 | blacklist ${HOME}/.config/kdenliverc |
145 | blacklist ${HOME}/.config/kgetrc | 147 | blacklist ${HOME}/.config/kgetrc |
146 | blacklist ${HOME}/.config/klipperrc | 148 | blacklist ${HOME}/.config/klipperrc |
149 | blacklist ${HOME}/.config/kmail2rc | ||
147 | blacklist ${HOME}/.config/kritarc | 150 | blacklist ${HOME}/.config/kritarc |
148 | blacklist ${HOME}/.config/kwriterc | 151 | blacklist ${HOME}/.config/kwriterc |
149 | blacklist ${HOME}/.config/kdeconnect | 152 | blacklist ${HOME}/.config/kdeconnect |
@@ -346,18 +349,21 @@ blacklist ${HOME}/.local/share/SuperHexagon | |||
346 | blacklist ${HOME}/.local/share/TelegramDesktop | 349 | blacklist ${HOME}/.local/share/TelegramDesktop |
347 | blacklist ${HOME}/.local/share/Terraria | 350 | blacklist ${HOME}/.local/share/Terraria |
348 | blacklist ${HOME}/.local/share/TpLogger | 351 | blacklist ${HOME}/.local/share/TpLogger |
352 | blacklist ${HOME}/.local/share/akonadi/* | ||
349 | blacklist ${HOME}/.local/share/akregator | 353 | blacklist ${HOME}/.local/share/akregator |
350 | blacklist ${HOME}/.local/share/aspyr-media | 354 | blacklist ${HOME}/.local/share/aspyr-media |
351 | blacklist ${HOME}/.local/share/baloo | 355 | blacklist ${HOME}/.local/share/baloo |
352 | blacklist ${HOME}/.local/share/caja-python | 356 | blacklist ${HOME}/.local/share/caja-python |
353 | blacklist ${HOME}/.local/share/cdprojektred | 357 | blacklist ${HOME}/.local/share/cdprojektred |
354 | blacklist ${HOME}/.local/share/clipit | 358 | blacklist ${HOME}/.local/share/clipit |
359 | blacklist ${HOME}/.local/share/contacts | ||
355 | blacklist ${HOME}/.local/share/data/Mumble | 360 | blacklist ${HOME}/.local/share/data/Mumble |
356 | blacklist ${HOME}/.local/share/data/MusE | 361 | blacklist ${HOME}/.local/share/data/MusE |
357 | blacklist ${HOME}/.local/share/data/MuseScore | 362 | blacklist ${HOME}/.local/share/data/MuseScore |
358 | blacklist ${HOME}/.local/share/data/qBittorrent | 363 | blacklist ${HOME}/.local/share/data/qBittorrent |
359 | blacklist ${HOME}/.local/share/dino | 364 | blacklist ${HOME}/.local/share/dino |
360 | blacklist ${HOME}/.local/share/dolphin | 365 | blacklist ${HOME}/.local/share/dolphin |
366 | blacklist ${HOME}/.local/share/emailidentities | ||
361 | blacklist ${HOME}/.local/share/epiphany | 367 | blacklist ${HOME}/.local/share/epiphany |
362 | blacklist ${HOME}/.local/share/evolution | 368 | blacklist ${HOME}/.local/share/evolution |
363 | blacklist ${HOME}/.local/share/feral-interactive | 369 | blacklist ${HOME}/.local/share/feral-interactive |
@@ -369,6 +375,7 @@ blacklist ${HOME}/.local/share/gnome-2048 | |||
369 | blacklist ${HOME}/.local/share/gnome-chess | 375 | blacklist ${HOME}/.local/share/gnome-chess |
370 | blacklist ${HOME}/.local/share/gnome-music | 376 | blacklist ${HOME}/.local/share/gnome-music |
371 | blacklist ${HOME}/.local/share/gnome-photos | 377 | blacklist ${HOME}/.local/share/gnome-photos |
378 | blacklist ${HOME}/.local/share/gnome-recipes | ||
372 | blacklist ${HOME}/.local/share/gnome-ring | 379 | blacklist ${HOME}/.local/share/gnome-ring |
373 | blacklist ${HOME}/.local/share/gnome-twitch | 380 | blacklist ${HOME}/.local/share/gnome-twitch |
374 | blacklist ${HOME}/.local/share/gwenview | 381 | blacklist ${HOME}/.local/share/gwenview |
@@ -376,11 +383,13 @@ blacklist ${HOME}/.local/share/kaffeine | |||
376 | blacklist ${HOME}/.local/share/kate | 383 | blacklist ${HOME}/.local/share/kate |
377 | blacklist ${HOME}/.local/share/kdenlive | 384 | blacklist ${HOME}/.local/share/kdenlive |
378 | blacklist ${HOME}/.local/share/kget | 385 | blacklist ${HOME}/.local/share/kget |
386 | blacklist ${HOME}/.local/share/kmail2 | ||
379 | blacklist ${HOME}/.local/share/krita | 387 | blacklist ${HOME}/.local/share/krita |
380 | blacklist ${HOME}/.local/share/ktorrentrc | 388 | blacklist ${HOME}/.local/share/ktorrentrc |
381 | blacklist ${HOME}/.local/share/ktorrent | 389 | blacklist ${HOME}/.local/share/ktorrent |
382 | blacklist ${HOME}/.local/share/kwrite | 390 | blacklist ${HOME}/.local/share/kwrite |
383 | blacklist ${HOME}/.local/share/liferea | 391 | blacklist ${HOME}/.local/share/liferea |
392 | blacklist ${HOME}/.local/share/local-mail | ||
384 | blacklist ${HOME}/.local/share/lollypop | 393 | blacklist ${HOME}/.local/share/lollypop |
385 | blacklist ${HOME}/.local/share/maps-places.json | 394 | blacklist ${HOME}/.local/share/maps-places.json |
386 | blacklist ${HOME}/.local/share/meld | 395 | blacklist ${HOME}/.local/share/meld |
@@ -397,6 +406,7 @@ blacklist ${HOME}/.local/share/okular | |||
397 | blacklist ${HOME}/.local/share/orage | 406 | blacklist ${HOME}/.local/share/orage |
398 | blacklist ${HOME}/.local/share/org.kde.gwenview | 407 | blacklist ${HOME}/.local/share/org.kde.gwenview |
399 | blacklist ${HOME}/.local/share/pix | 408 | blacklist ${HOME}/.local/share/pix |
409 | blacklist ${HOME}/.local/share/plasma_notes | ||
400 | blacklist ${HOME}/.local/share/psi+ | 410 | blacklist ${HOME}/.local/share/psi+ |
401 | blacklist ${HOME}/.local/share/qpdfview | 411 | blacklist ${HOME}/.local/share/qpdfview |
402 | blacklist ${HOME}/.local/share/qutebrowser | 412 | blacklist ${HOME}/.local/share/qutebrowser |
@@ -495,6 +505,7 @@ blacklist ${HOME}/.cache/Franz | |||
495 | blacklist ${HOME}/.cache/INRIA | 505 | blacklist ${HOME}/.cache/INRIA |
496 | blacklist ${HOME}/.cache/MusicBrainz | 506 | blacklist ${HOME}/.cache/MusicBrainz |
497 | blacklist ${HOME}/.cache/QuiteRss | 507 | blacklist ${HOME}/.cache/QuiteRss |
508 | blacklist ${HOME}/.cache/akonadi* | ||
498 | blacklist ${HOME}/.cache/attic | 509 | blacklist ${HOME}/.cache/attic |
499 | blacklist ${HOME}/.cache/borg | 510 | blacklist ${HOME}/.cache/borg |
500 | blacklist ${HOME}/.cache/calibre | 511 | blacklist ${HOME}/.cache/calibre |
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile new file mode 100644 index 000000000..d5bc6db33 --- /dev/null +++ b/etc/evince-previewer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for evince-previewer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/evince-previewer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/evince.profile | ||
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile new file mode 100644 index 000000000..abc21632d --- /dev/null +++ b/etc/evince-thumbnailer.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile for evince-thumbnailer | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/evince-thumbnailer.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | # Redirect | ||
10 | include /etc/firejail/evince.profile | ||
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile new file mode 100644 index 000000000..2392440a6 --- /dev/null +++ b/etc/gnome-recipes.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for gnome-recipes | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include /etc/firejail/gnome-recipes.local | ||
5 | # Persistent global definitions | ||
6 | include /etc/firejail/globals.local | ||
7 | |||
8 | |||
9 | noblacklist ${HOME}/.local/share/gnome-recipes | ||
10 | |||
11 | include /etc/firejail/disable-common.inc | ||
12 | include /etc/firejail/disable-devel.inc | ||
13 | include /etc/firejail/disable-passwdmgr.inc | ||
14 | include /etc/firejail/disable-programs.inc | ||
15 | |||
16 | mkdir ${HOME}/.cache/gnome-recipes | ||
17 | whitelist ${HOME}/.cache/gnome-recipes | ||
18 | include /etc/firejail/whitelist-common.inc | ||
19 | include /etc/firejail/whitelist-var-common.inc | ||
20 | |||
21 | caps.drop all | ||
22 | ipc-namespace | ||
23 | netfilter | ||
24 | nodvd | ||
25 | nogroups | ||
26 | nonewprivs | ||
27 | noroot | ||
28 | nosound | ||
29 | notv | ||
30 | novideo | ||
31 | protocol unix,inet,inet6 | ||
32 | seccomp | ||
33 | shell none | ||
34 | |||
35 | disable-mnt | ||
36 | private-bin gnome-recipes,tar | ||
37 | private-dev | ||
38 | private-etc ca-certificates,fonts,ssl | ||
39 | # private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux) | ||
40 | # not widely tested though, leaving it to devs discretion to enable it later | ||
41 | #private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2 | ||
42 | private-tmp | ||
43 | |||
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
diff --git a/etc/kate.profile b/etc/kate.profile index a3d2be6b2..5042077e5 100644 --- a/etc/kate.profile +++ b/etc/kate.profile | |||
@@ -42,4 +42,7 @@ private-dev | |||
42 | # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg | 42 | # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # noexec ${HOME} | ||
46 | noexec /tmp | ||
47 | |||
45 | join-or-start kate | 48 | join-or-start kate |
diff --git a/etc/kmail.profile b/etc/kmail.profile index ca774f4ec..952af55c8 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
@@ -5,6 +5,19 @@ include /etc/firejail/kmail.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | # if akonadi has a mysql backend, starting it inside this sandbox will fail. | ||
9 | # one solution is to have akonadi already running when kmail is launched | ||
10 | |||
11 | noblacklist ${HOME}/.cache/akonadi* | ||
12 | noblacklist ${HOME}/.config/akonadi* | ||
13 | noblacklist ${HOME}/.config/baloorc | ||
14 | noblacklist ${HOME}/.config/emailidentities | ||
15 | noblacklist ${HOME}/.config/kmail2rc | ||
16 | noblacklist ${HOME}/.local/share/akonadi/* | ||
17 | noblacklist ${HOME}/.local/share/contacts | ||
18 | noblacklist ${HOME}/.local/share/emailidentities | ||
19 | noblacklist ${HOME}/.local/share/kmail2 | ||
20 | noblacklist ${HOME}/.local/share/local-mail | ||
8 | noblacklist ${HOME}/.gnupg | 21 | noblacklist ${HOME}/.gnupg |
9 | 22 | ||
10 | include /etc/firejail/disable-common.inc | 23 | include /etc/firejail/disable-common.inc |
@@ -12,6 +25,7 @@ include /etc/firejail/disable-devel.inc | |||
12 | include /etc/firejail/disable-passwdmgr.inc | 25 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 26 | include /etc/firejail/disable-programs.inc |
14 | 27 | ||
28 | # apparmor | ||
15 | caps.drop all | 29 | caps.drop all |
16 | netfilter | 30 | netfilter |
17 | nodvd | 31 | nodvd |
@@ -22,11 +36,14 @@ nosound | |||
22 | notv | 36 | notv |
23 | novideo | 37 | novideo |
24 | protocol unix,inet,inet6,netlink | 38 | protocol unix,inet,inet6,netlink |
25 | # blacklisting of chroot system calls breaks kmail | 39 | # we need to allow chroot and ioprio_set system calls |
26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 40 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
27 | # tracelog | 41 | # tracelog |
28 | # writable-run-user is needed for signing and encrypting emails | 42 | # writable-run-user is needed for signing and encrypting emails |
29 | writable-run-user | 43 | writable-run-user |
30 | 44 | ||
31 | private-dev | 45 | private-dev |
32 | # private-tmp - breaks akonadi and opening of email attachments | 46 | # private-tmp - interrupts connection to akonadi, breaks opening of email attachments |
47 | |||
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
diff --git a/etc/knotes.profile b/etc/knotes.profile index 94ada7855..091c3a8e5 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile | |||
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local | |||
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
7 | 7 | ||
8 | noblacklist ${HOME}/.config/akonadi* | ||
8 | noblacklist ${HOME}/.config/knotesrc | 9 | noblacklist ${HOME}/.config/knotesrc |
10 | noblacklist ${HOME}/.local/share/akonadi/* | ||
9 | 11 | ||
10 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
11 | # include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
12 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
13 | include /etc/firejail/disable-programs.inc | 15 | include /etc/firejail/disable-programs.inc |
14 | 16 | ||
@@ -22,10 +24,14 @@ nonewprivs | |||
22 | noroot | 24 | noroot |
23 | nosound | 25 | nosound |
24 | notv | 26 | notv |
27 | novideo | ||
25 | protocol unix | 28 | protocol unix |
26 | seccomp | 29 | seccomp |
27 | shell none | 30 | shell none |
28 | tracelog | 31 | tracelog |
29 | 32 | ||
30 | private-dev | 33 | private-dev |
31 | #private-tmp - problems on kubuntu 17.04 | 34 | # private-tmp - interrupts connection to akonadi |
35 | |||
36 | noexec ${HOME} | ||
37 | noexec /tmp | ||
diff --git a/etc/kwrite.profile b/etc/kwrite.profile index a785f3541..1c4e50b77 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile | |||
@@ -43,4 +43,7 @@ private-dev | |||
43 | private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 43 | private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
48 | |||
46 | join-or-start kwrite | 49 | join-or-start kwrite |
diff --git a/etc/openbox.profile b/etc/openbox.profile index 5bab7ce7d..ec4b47c29 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile | |||
@@ -14,3 +14,6 @@ netfilter | |||
14 | noroot | 14 | noroot |
15 | protocol unix,inet,inet6 | 15 | protocol unix,inet,inet6 |
16 | seccomp | 16 | seccomp |
17 | |||
18 | read-only ${HOME}/.config/openbox/autostart | ||
19 | read-only ${HOME}/.config/openbox/environment | ||
diff --git a/etc/spotify.profile b/etc/spotify.profile index c973783a9..5a6227a8a 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | disable-mnt | 44 | disable-mnt |
45 | private-bin spotify,bash,sh,zenity | 45 | private-bin spotify,bash,sh,zenity |
46 | private-dev | 46 | private-dev |
47 | private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf | 47 | private-etc fonts,ld.so.cache,machine-id,pulse,resolv.conf |
48 | private-opt spotify | 48 | private-opt spotify |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
diff --git a/etc/thunderbird-beta.profile b/etc/thunderbird-beta.profile new file mode 100644 index 000000000..73d2419da --- /dev/null +++ b/etc/thunderbird-beta.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # Firejail profile alias for thunderbird-beta | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | |||
5 | whitelist /opt/thunderbird-beta | ||
6 | |||
7 | # Redirect | ||
8 | include /etc/firejail/thunderbird.profile | ||