Diffstat (limited to 'etc')
-rw-r--r--etc/akonadi_control.profile45
-rw-r--r--etc/disable-programs.inc9
-rw-r--r--etc/gnome-recipes.profile45
-rw-r--r--etc/kmail.profile22
-rw-r--r--etc/knotes.profile10
-rw-r--r--etc/openbox.profile3
6 files changed, 129 insertions, 5 deletions
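--- /dev/null
+++ b/etc/akonadi_control.profile
@@ -0,0 +1,45 @@
+# Firejail profile for akonadi_control
+# Persistent local customizations
+include /etc/firejail/akonadi_control.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/local-mail
+noblacklist /usr/sbin
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+# depending on your setup it might be possible to
+# enable some of the commented options below
+
+# apparmor
+caps.drop all
+ipc-namespace
+no3d
+netfilter
+nodvd
+nogroups
+# nonewprivs
+# noroot
+nosound
+notv
+novideo
+# protocol unix,inet,inet6
+# seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+tracelog
+
+private-dev
+# private-tmp - breaks programs that depend on akonadi
+
+noexec ${HOME}
+noexec /tmp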
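Review bot: The comment at lines 22-23 names no concrete condition for enabling `nonewprivs`, `noroot`, `protocol` and `seccomp.drop`, so the profile ships with no seccomp filter and no privilege-escalation guard and gives the reader nothing to check against. kmail.profile in the same commit states the constraint (an akonadi mysql backend fails to start inside the sandbox), and `noblacklist /usr/sbin` on line 13 presumably exists to reach that backend's server binary — confirm and say so, e.g. `# akonadi may spawn its database backend from /usr/sbin; the options below are left off because that backend fails to start with them`. The header also lacks the `# This file is overwritten after every install/update` line that gnome-recipes.profile in this commit carries, so the two new profiles are inconsistent.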
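--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -73,6 +73,7 @@ blacklist ${HOME}/.config/Slack
 blacklist ${HOME}/.config/Thunar
 blacklist ${HOME}/.config/VirtualBox
 blacklist ${HOME}/.config/Wire
+blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
@@ -106,6 +107,7 @@ blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/emailidentities
 blacklist ${HOME}/.config/enchant
 blacklist ${HOME}/.config/eog
 blacklist ${HOME}/.config/epiphany
@@ -144,6 +146,7 @@ blacklist ${HOME}/.config/katevirc
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
+blacklist ${HOME}/.config/kmail2rc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
@@ -346,12 +349,14 @@ blacklist ${HOME}/.local/share/SuperHexagon
 blacklist ${HOME}/.local/share/TelegramDesktop
 blacklist ${HOME}/.local/share/Terraria
 blacklist ${HOME}/.local/share/TpLogger
+blacklist ${HOME}/.local/share/akonadi/*
 blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/aspyr-media
 blacklist ${HOME}/.local/share/baloo
 blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
+blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/data/Mumble
 blacklist ${HOME}/.local/share/data/MusE
 blacklist ${HOME}/.local/share/data/MuseScore
@@ -369,6 +374,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
@@ -376,11 +382,13 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/krita
 blacklist ${HOME}/.local/share/ktorrentrc
 blacklist ${HOME}/.local/share/ktorrent
 blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/liferea
+blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -495,6 +503,7 @@ blacklist ${HOME}/.cache/Franz
 blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/QuiteRss
+blacklist ${HOME}/.cache/akonadi*
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/borg
 blacklist ${HOME}/.cache/calibre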
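Review bot: The new `blacklist ${HOME}/.local/share/akonadi/*` entry in the fourth hunk hides the directory's contents through a glob rather than the directory itself, unlike every neighbouring entry and unlike the `.config/akonadi*` and `.cache/akonadi*` forms added in the same commit. As far as I know firejail expands blacklist globs once at sandbox start, so files created in that directory afterwards are not hidden and the directory itself stays visible and writable to every sandboxed program that includes this file. If leaving the directory reachable is deliberate (for example so a socket or lock file can be created there) a comment should say so; otherwise `blacklist ${HOME}/.local/share/akonadi` is the consistent form, with the matching `noblacklist` lines in akonadi_control.profile, kmail.profile and knotes.profile changed the same way.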
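--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+
+noexec ${HOME}
+noexec /tmp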
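Review bot: Line 9 only noblacklists `${HOME}/.local/share/gnome-recipes`, but lines 16-18 whitelist `${HOME}/.cache/gnome-recipes` and include whitelist-common.inc, which makes the home directory whitelist-only; unless whitelist-common.inc (not in this diff) covers it, the data directory is invisible inside the sandbox and the noblacklist on line 9 has no effect. Adding `mkdir ${HOME}/.local/share/gnome-recipes` and `whitelist ${HOME}/.local/share/gnome-recipes` beside line 17 would treat the data directory the same way as the cache. `private-bin gnome-recipes,tar` on line 36 would also benefit from a note on why tar must be reachable from inside the sandbox, e.g. `# tar is needed for recipe import/export` if that is the reason, so a later reviewer does not drop it or, conversely, widen the list.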
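--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,6 +5,18 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# one solution is to have akonadi already running when kmail is launched
+
+noblacklist ${HOME}/.cache/akonadi*
+noblacklist ${HOME}/.config/akonadi*
+noblacklist ${HOME}/.config/baloorc
+noblacklist ${HOME}/.config/emailidentities
+noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.local/share/akonadi/*
+noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/kmail2
+noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
 
 include /etc/firejail/disable-common.inc
@@ -12,6 +24,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+# apparmor
 caps.drop all
 netfilter
 nodvd
@@ -22,11 +35,14 @@ nosound
 notv
 novideo
 protocol unix,inet,inet6,netlink
-# blacklisting of chroot system calls breaks kmail
-seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+# we need to allow chroot and ioprio_set system calls
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 # tracelog
 # writable-run-user is needed for signing and encrypting emails
 writable-run-user
 
 private-dev
-# private-tmp - breaks akonadi and opening of email attachments
+# private-tmp - interrupts connection to akonadi, breaks opening of email attachments
+
+noexec ${HOME}
+noexec /tmp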
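Review bot: Line 27 adds `# apparmor` in disabled form without a word on why it cannot be enabled, whereas line 45 in the same file documents the reason for leaving `private-tmp` off; a reader has no way to tell whether this is a known breakage or an untested option. Add the reason inline, e.g. `# apparmor - disabled: <REASON PLACEHOLDER>`, or drop the line if it was never tried. The hint on lines 8-9 could also point the user at akonadi_control.profile, added in this same commit, so that the "already running" akonadi is itself started sandboxed rather than unconfined. The comment on line 38 now matches the filter on line 39 (neither chroot nor ioprio_set is dropped), which is an improvement over the old wording.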
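--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,10 +5,12 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/akonadi*
 noblacklist ${HOME}/.config/knotesrc
+noblacklist ${HOME}/.local/share/akonadi/*
 
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
@@ -22,10 +24,14 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
 private-dev
-#private-tmp - problems on kubuntu 17.04
+# private-tmp - interrupts connection to akonadi
+
+noexec ${HOME}
+noexec /tmp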
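Review bot: The new lines 8 and 10 expose `${HOME}/.config/akonadi*` and `${HOME}/.local/share/akonadi/*` to knotes but, unlike kmail.profile and akonadi_control.profile in the same commit, leave `${HOME}/.cache/akonadi*` blacklisted, and nothing says which of the three a client that only talks to an already-running akonadi actually needs. Either align the set with kmail's or add a comment on why the cache stays hidden, e.g. `# knotes only needs the akonadi config and data dirs; the cache belongs to the server`, if that is the case. Line 34's reason for leaving `private-tmp` off is better than the old distribution-specific note; stating where the connection lives (presumably a socket under /tmp — confirm) would let a later reviewer judge when the option becomes safe to enable.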
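--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -14,3 +14,6 @@ netfilter
 noroot
 protocol unix,inet,inet6
 seccomp
+
+read-only ${HOME}/.config/openbox/autostart
+read-only ${HOME}/.config/openbox/environment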
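Review bot: The two new `read-only` lines carry no comment on why exactly these two files are protected, and the rationale is the security-relevant part: openbox-session sources `autostart` and `environment` as shell scripts at login, so keeping them immutable from inside the sandbox denies a compromised process a persistence hook. A one-line note such as `# autostart and environment are sourced as shell scripts at session start; keep them immutable` above line 18 would preserve that intent. I believe firejail only applies `read-only` to a path that exists when the sandbox starts, so a user without these files gets no protection until they create them outside the sandbox — confirm, and consider whether the same applies to other openbox configuration under `${HOME}/.config/openbox`.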