Diffstat (limited to 'etc')
-rw-r--r--etc/QMediathekView.profile54
-rw-r--r--etc/aria2c.profile45
-rw-r--r--etc/authenticator.profile49
-rw-r--r--etc/bsdcat.profile6
-rw-r--r--etc/bsdcpio.profile6
-rw-r--r--etc/bsdtar.profile2
-rw-r--r--etc/checkbashisms.profile49
-rw-r--r--etc/claws-mail.profile5
-rw-r--r--etc/desktop.profile44
-rw-r--r--etc/devilspie.profile49
-rw-r--r--etc/devilspie2.profile49
-rw-r--r--etc/disable-programs.inc9
-rw-r--r--etc/easystroke.profile45
-rw-r--r--etc/file.profile4
-rw-r--r--etc/min.profile50
-rw-r--r--etc/strings.profile4
16 files changed, 468 insertions, 2 deletions
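diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
new file mode 100644
index 000000000..558f62f0e
--- /dev/null
+++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/QMediathekView.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+# no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+# private-etc none
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp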
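Review bot: `# no3d` and `# nodbus` on lines 31-32 are switched off without a recorded reason, whereas the rest of this commit states why an option is disabled (`# nodbus - makes settings immutable` in authenticator.profile, the machine-id note in min.profile); the same applies to `# nodbus` in easystroke.profile and the commented private-* block in desktop.profile. Both options widen what the sandboxed player can reach (GPU device nodes, the session bus), so a later reader cannot tell whether they were tested and broke playback or were simply never tried. Suggest `# no3d - <reason or "untested">` and `# nodbus - <reason or "untested">` so the trade-off is visible in the profile itself.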
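diff --git a/etc/aria2c.profile b/etc/aria2c.profile
new file mode 100644
index 000000000..4231c58ff
--- /dev/null
+++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aria2c.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.aria2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private
+private-bin aria2c,gzip
+private-cache
+private-dev
+private-etc ca-certificates,ssl
+private-lib libreadline.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp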
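Review bot: `private-etc ca-certificates,ssl` on line 39 puts no resolver configuration inside the sandbox, so for a tool whose whole job is fetching from remote hosts, /etc/resolv.conf, /etc/nsswitch.conf and /etc/hosts are presumably absent and name resolution fails unless the system resolves via some other path; min.profile in this same commit lists `resolv.conf,nsswitch.conf,hosts` for exactly that reason. Unless this list was verified against a real download, suggest `private-etc ca-certificates,ssl,resolv.conf,nsswitch.conf,hosts`. The `# private` on line 35 also carries no reason; a short note on why a private home was rejected would save the next maintainer re-testing it.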
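diff --git a/etc/authenticator.profile b/etc/authenticator.profile
new file mode 100644
index 000000000..f10abdda8
--- /dev/null
+++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/authenticator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklisted in 'disable-programs.local'
+noblacklist ${HOME}/.config/Authenticator
+
+# Allow python 3.x (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# apparmor
+caps.drop all
+net none
+no3d
+# nodbus - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+nou2f
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+# private-bin authenticator
+private-cache
+private-dev
+private-etc fonts,ld.so.cache
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp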
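Review bot: The comment on line 9, `# blacklisted in 'disable-programs.local'`, names the wrong file: the `blacklist ${HOME}/.config/Authenticator` entry this noblacklist undoes is added by this very commit to disable-programs.inc, and `.local` files are the user-customization hook rather than anything shipped. Suggest `# blacklisted in 'disable-programs.inc'`. Separately, `# private-bin authenticator` on line 40 is disabled without a reason even though python3 is deliberately re-enabled above it; a note such as `# private-bin authenticator - <reason>` would tell the next maintainer whether a narrower bin set was already tried and failed.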
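diff --git a/etc/bsdcat.profile b/etc/bsdcat.profile
new file mode 100644
index 000000000..b900eb4bf
--- /dev/null
+++ b/etc/bsdcat.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/bsdtar.profile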
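diff --git a/etc/bsdcpio.profile b/etc/bsdcpio.profile
new file mode 100644
index 000000000..b900eb4bf
--- /dev/null
+++ b/etc/bsdcpio.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for bsdtar
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/bsdtar.profile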
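diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile
index d8ace6aaf..57220ef4a 100644
--- a/etc/bsdtar.profile
+++ b/etc/bsdtar.profile
@@ -34,6 +34,6 @@ shell none
 tracelog
 
 # support compressed archives
-private-bin sh,bash,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
+private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive
 private-dev
 private-etc passwd,group,localtime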
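diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
new file mode 100644
index 000000000..c8b8be04e
--- /dev/null
+++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/checkbashisms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${DOCUMENTS}
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp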
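Review bot: Unlike the other new profiles in this commit, this one sets no `private-bin`, `private-etc` or `disable-mnt` (lines 44-45 only narrow /dev and /tmp), so the full /usr/bin tree, /etc and mounted media stay visible to a linter that, judging by the perl noblacklists above, needs perl and its own script. If that is deliberate, a one-line comment in the private-* section saying what broke would stop the next maintainer re-trying it; otherwise `private-bin checkbashisms,perl` plus `disable-mnt` is the obvious thing to test, hedged on what the perl script itself touches, which the profile does not show.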
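diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index cb8ae6a80..0274fd66b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
 
+private-cache
 private-dev
 private-tmp
 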
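Review bot: The added `include /etc/firejail/whitelist-common.inc` (new line 19) turns the home directory into whitelist-only, but the hunk shows no `whitelist` entry for Claws Mail's own data (its configuration directory and the mail store); the profile's noblacklist/whitelist section lies above this hunk and is not visible here. If no such whitelist exists above, the mail directory is hidden and the client starts as if freshly installed, so please confirm that a `whitelist ${HOME}/.claws-mail` (and whatever mailbox location is used) accompanies this include before it ships.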
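diff --git a/etc/desktop.profile b/etc/desktop.profile
new file mode 100644
index 000000000..8bfa885a3
--- /dev/null
+++ b/etc/desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/github-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+whitelist ${HOME}/.gitconfig
+whitelist ${HOME}/.config/GitHub Desktop
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+disable-mnt
+# private-bin Atom,desktop
+# private-cache
+# private-dev
+# private-etc none
+# private-lib
+# private-tmp
+
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp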
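Review bot: `whitelist ${HOME}/.config/GitHub Desktop` on line 10 has no matching `noblacklist`, yet this same commit adds `blacklist ${HOME}/.config/GitHub Desktop` to disable-programs.inc, which the profile pulls in on line 14; min.profile in this commit pairs `noblacklist ${HOME}/.pki` with its whitelist for exactly this case, so the blacklist presumably still applies here and the app's settings directory ends up empty inside the sandbox. Suggest `noblacklist ${HOME}/.config/GitHub Desktop` ahead of the whitelist. Two smaller points: line 5 includes `github-desktop.local` while every other profile in this commit uses the profile's own name, so the customization hook for desktop.profile would be `desktop.local` (or the file should be named github-desktop.profile), and the include order on lines 12-16 (devel and interpreters after programs) differs from all the sibling profiles for no visible reason.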
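diff --git a/etc/devilspie.profile b/etc/devilspie.profile
new file mode 100644
index 000000000..dbfb05798
--- /dev/null
+++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.devilspie
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie will never write anything
+read-only ${HOME}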
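diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
new file mode 100644
index 000000000..3a9a9659a
--- /dev/null
+++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/devilspie2
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin devilspie2
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+
+# devilspie2 will never write anything
+read-only ${HOME}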
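diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 1213e4f24..6fa0eed26 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
 blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
@@ -55,6 +57,7 @@ blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GitHub Desktop
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -63,6 +66,7 @@ blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
+blacklist ${HOME}/.config/Min
 blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
 blacklist ${HOME}/.config/MusE
@@ -70,6 +74,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -111,6 +116,7 @@ blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
 blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
@@ -252,11 +258,13 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
@@ -360,6 +368,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
 blacklist ${HOME}/.local/share/Steam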
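diff --git a/etc/easystroke.profile b/etc/easystroke.profile
new file mode 100644
index 000000000..6fac08a5d
--- /dev/null
+++ b/etc/easystroke.profile
@@ -0,0 +1,45 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/easystroke.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.easystroke
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin easystroke
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp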
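diff --git a/etc/file.profile b/etc/file.profile
index 5d1227520..00e18de20 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
 tracelog
 x11 none
 
-private-bin file
+#private-bin file
+private-cache
 private-dev
 private-etc magic.mgc,magic,localtime
 private-lib
+private-tmp
 
 memory-deny-write-execute
 noexec ${HOME}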
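Review bot: `#private-bin file` on new line 33 lifts the binary restriction without recording why, so a later reader cannot tell whether `file` actually failed under private-bin (it is a single binary, which would make that surprising) or the line was commented out while debugging and never restored; the rest of this commit writes such reasons inline (`# memory-deny-write-execute - breaks on Arch`). Suggest `# private-bin file - <reason>` with the `# ` spacing used elsewhere, or dropping the line altogether if private-bin is not expected to return.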
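diff --git a/etc/min.profile b/etc/min.profile
new file mode 100644
index 000000000..91c6fce3c
--- /dev/null
+++ b/etc/min.profile
@@ -0,0 +1,50 @@
+# Firejail profile for min
+# Description: A faster, smarter web browser.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/min.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/Min
+
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.pki
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# ipc-namespace
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+# private-bin min
+private-cache
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache
+private-tmp
+
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp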
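Review bot: The include list on lines 13-16 leaves out `include /etc/firejail/disable-passwdmgr.inc`, which every other profile in this commit carries; for a network-connected browser that is precisely the include keeping password-manager stores out of reach of whatever the browser renders. If the omission is intentional (some browser/password-manager integration), a comment beside the includes saying so would keep it from being "fixed" later; otherwise add `include /etc/firejail/disable-passwdmgr.inc` after the disable-interpreters line. The profile's own `noblacklist ${HOME}/.config/Min` on line 9 is also not paired with a `whitelist` for it, unlike `.pki` on lines 11 and 20, so with whitelist-common.inc in force the browser's settings directory may not be visible; worth confirming on a fresh run.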
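diff --git a/etc/strings.profile b/etc/strings.profile
index 5bea9525f..ae2fbf18f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
 tracelog
 
 private-bin strings
+private-cache
 private-dev
+private-etc none
 private-lib
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
 
 include /etc/firejail/default.profile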