diff options
Diffstat (limited to 'etc')
64 files changed, 585 insertions, 719 deletions
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 5c964bad1..d757d6f49 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile | |||
| @@ -7,42 +7,15 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
| 9 | noblacklist ${HOME}/.mozilla | 9 | noblacklist ${HOME}/.mozilla |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 10 | ||
| 16 | mkdir ${HOME}/.cache/mozilla/abrowser | 11 | mkdir ${HOME}/.cache/mozilla/abrowser |
| 17 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 20 | whitelist ${HOME}/.cache/mozilla/abrowser | 13 | whitelist ${HOME}/.cache/mozilla/abrowser |
| 21 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 22 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 23 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 24 | whitelist ${HOME}/.keysnail.js | ||
| 25 | whitelist ${HOME}/.lastpass | ||
| 26 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
| 27 | whitelist ${HOME}/.pentadactyl | ||
| 28 | whitelist ${HOME}/.pentadactylrc | ||
| 29 | whitelist ${HOME}/.pki | ||
| 30 | whitelist ${HOME}/.vimperator | ||
| 31 | whitelist ${HOME}/.vimperatorrc | ||
| 32 | whitelist ${HOME}/.wine-pipelight | ||
| 33 | whitelist ${HOME}/.wine-pipelight64 | ||
| 34 | whitelist ${HOME}/.zotero | ||
| 35 | whitelist ${HOME}/dwhelper | ||
| 36 | include /etc/firejail/whitelist-common.inc | ||
| 37 | 15 | ||
| 38 | caps.drop all | 16 | # private-etc must first be enabled in firefox-common.profile |
| 39 | netfilter | 17 | #private-etc abrowser |
| 40 | nodvd | 18 | |
| 41 | nonewprivs | ||
| 42 | noroot | ||
| 43 | notv | ||
| 44 | protocol unix,inet,inet6,netlink | ||
| 45 | seccomp | ||
| 46 | tracelog | ||
| 47 | 19 | ||
| 48 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 20 | # Redirect |
| 21 | include /etc/firejail/firefox-common.profile | ||
diff --git a/etc/akregator.profile b/etc/akregator.profile index f2e5ea341..2c49ef9f0 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile | |||
| @@ -17,6 +17,7 @@ mkfile ${HOME}/.config/akregatorrc | |||
| 17 | mkdir ${HOME}/.local/share/akregator | 17 | mkdir ${HOME}/.local/share/akregator |
| 18 | whitelist ${HOME}/.config/akregatorrc | 18 | whitelist ${HOME}/.config/akregatorrc |
| 19 | whitelist ${HOME}/.local/share/akregator | 19 | whitelist ${HOME}/.local/share/akregator |
| 20 | whitelist ${HOME}/.local/share/kssl | ||
| 20 | include /etc/firejail/whitelist-common.inc | 21 | include /etc/firejail/whitelist-common.inc |
| 21 | 22 | ||
| 22 | include /etc/firejail/whitelist-var-common.inc | 23 | include /etc/firejail/whitelist-var-common.inc |
diff --git a/etc/audacity.profile b/etc/audacity.profile index e173fa65a..ea1d38132 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
| @@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc | |||
| 17 | include /etc/firejail/whitelist-var-common.inc | 17 | include /etc/firejail/whitelist-var-common.inc |
| 18 | 18 | ||
| 19 | caps.drop all | 19 | caps.drop all |
| 20 | net none | 20 | #net none |
| 21 | no3d | 21 | no3d |
| 22 | nodvd | 22 | nodvd |
| 23 | nogroups | 23 | nogroups |
diff --git a/etc/bnox.profile b/etc/bnox.profile index 4270755c8..3207a2923 100644 --- a/etc/bnox.profile +++ b/etc/bnox.profile | |||
| @@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/bnox | 8 | noblacklist ${HOME}/.cache/bnox |
| 9 | noblacklist ${HOME}/.config/bnox | 9 | noblacklist ${HOME}/.config/bnox |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 10 | ||
| 15 | mkdir ${HOME}/.cache/bnox | 11 | mkdir ${HOME}/.cache/bnox |
| 16 | mkdir ${HOME}/.config/bnox | 12 | mkdir ${HOME}/.config/bnox |
| 17 | mkdir ${HOME}/.pki | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/bnox | 13 | whitelist ${HOME}/.cache/bnox |
| 20 | whitelist ${HOME}/.config/bnox | 14 | whitelist ${HOME}/.config/bnox |
| 21 | whitelist ${HOME}/.pki | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 24 | |||
| 25 | caps.keep sys_chroot,sys_admin | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | notv | ||
| 30 | shell none | ||
| 31 | |||
| 32 | private-dev | ||
| 33 | # private-tmp - problems with multiple browser sessions | ||
| 34 | 15 | ||
| 35 | noexec ${HOME} | 16 | # Redirect |
| 36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/brave.profile b/etc/brave.profile index 668e8a244..f37ac2a05 100644 --- a/etc/brave.profile +++ b/etc/brave.profile | |||
| @@ -8,31 +8,10 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.config/brave | 8 | noblacklist ${HOME}/.config/brave |
| 9 | # brave uses gpg for built-in password manager | 9 | # brave uses gpg for built-in password manager |
| 10 | noblacklist ${HOME}/.gnupg | 10 | noblacklist ${HOME}/.gnupg |
| 11 | noblacklist ${HOME}/.pki | ||
| 12 | |||
| 13 | include /etc/firejail/disable-common.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 11 | ||
| 17 | mkdir ${HOME}/.config/brave | 12 | mkdir ${HOME}/.config/brave |
| 18 | mkdir ${HOME}/.pki | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ${HOME}/.config/KeePass | ||
| 21 | whitelist ${HOME}/.config/brave | 13 | whitelist ${HOME}/.config/brave |
| 22 | whitelist ${HOME}/.config/keepass | 14 | whitelist ${HOME}/.gnupg |
| 23 | whitelist ${HOME}/.config/lastpass | ||
| 24 | whitelist ${HOME}/.keepass | ||
| 25 | whitelist ${HOME}/.lastpass | ||
| 26 | whitelist ${HOME}/.pki | ||
| 27 | include /etc/firejail/whitelist-common.inc | ||
| 28 | |||
| 29 | # caps.drop all | ||
| 30 | netfilter | ||
| 31 | # nonewprivs | ||
| 32 | # noroot | ||
| 33 | nodvd | ||
| 34 | notv | ||
| 35 | # protocol unix,inet,inet6,netlink | ||
| 36 | # seccomp | ||
| 37 | 15 | ||
| 38 | disable-mnt | 16 | # Redirect |
| 17 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile new file mode 100644 index 000000000..5c5215309 --- /dev/null +++ b/etc/chromium-common.profile | |||
| @@ -0,0 +1,32 @@ | |||
| 1 | # Firejail profile for chromium-common | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/chromium-common.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.pki | ||
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | ||
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | |||
| 14 | mkdir ${HOME}/.pki | ||
| 15 | whitelist ${DOWNLOADS} | ||
| 16 | whitelist ${HOME}/.pki | ||
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 18 | include /etc/firejail/whitelist-var-common.inc | ||
| 19 | |||
| 20 | caps.keep sys_chroot,sys_admin | ||
| 21 | netfilter | ||
| 22 | nodvd | ||
| 23 | nogroups | ||
| 24 | notv | ||
| 25 | shell none | ||
| 26 | |||
| 27 | disable-mnt | ||
| 28 | private-dev | ||
| 29 | # private-tmp - problems with multiple browser sessions | ||
| 30 | |||
| 31 | noexec ${HOME} | ||
| 32 | noexec /tmp | ||
diff --git a/etc/chromium.profile b/etc/chromium.profile index 64d790121..ad9f9af33 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile | |||
| @@ -8,34 +8,14 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.cache/chromium | 8 | noblacklist ${HOME}/.cache/chromium |
| 9 | noblacklist ${HOME}/.config/chromium | 9 | noblacklist ${HOME}/.config/chromium |
| 10 | noblacklist ${HOME}/.config/chromium-flags.conf | 10 | noblacklist ${HOME}/.config/chromium-flags.conf |
| 11 | noblacklist ${HOME}/.pki | ||
| 12 | |||
| 13 | include /etc/firejail/disable-common.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 11 | ||
| 17 | mkdir ${HOME}/.cache/chromium | 12 | mkdir ${HOME}/.cache/chromium |
| 18 | mkdir ${HOME}/.config/chromium | 13 | mkdir ${HOME}/.config/chromium |
| 19 | mkdir ${HOME}/.pki | ||
| 20 | whitelist ${DOWNLOADS} | ||
| 21 | whitelist ${HOME}/.cache/chromium | 14 | whitelist ${HOME}/.cache/chromium |
| 22 | whitelist ${HOME}/.config/chromium | 15 | whitelist ${HOME}/.config/chromium |
| 23 | whitelist ${HOME}/.config/chromium-flags.conf | 16 | whitelist ${HOME}/.config/chromium-flags.conf |
| 24 | whitelist ${HOME}/.pki | ||
| 25 | include /etc/firejail/whitelist-common.inc | ||
| 26 | include /etc/firejail/whitelist-var-common.inc | ||
| 27 | |||
| 28 | caps.keep sys_chroot,sys_admin | ||
| 29 | netfilter | ||
| 30 | nodvd | ||
| 31 | nogroups | ||
| 32 | notv | ||
| 33 | shell none | ||
| 34 | 17 | ||
| 35 | disable-mnt | ||
| 36 | # private-bin chromium,chromium-browser,chromedriver | 18 | # private-bin chromium,chromium-browser,chromedriver |
| 37 | private-dev | ||
| 38 | # private-tmp - problems with multiple browser sessions | ||
| 39 | 19 | ||
| 40 | noexec ${HOME} | 20 | # Redirect |
| 41 | noexec /tmp | 21 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/clementine.profile b/etc/clementine.profile index a736f7bf9..ccf6f9c97 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile | |||
| @@ -5,6 +5,7 @@ include /etc/firejail/clementine.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/Clementine | ||
| 8 | noblacklist ${HOME}/.config/Clementine | 9 | noblacklist ${HOME}/.config/Clementine |
| 9 | 10 | ||
| 10 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
diff --git a/etc/cliqz.profile b/etc/cliqz.profile index 086dfa233..4ff96311d 100644 --- a/etc/cliqz.profile +++ b/etc/cliqz.profile | |||
| @@ -7,77 +7,14 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/cliqz | 8 | noblacklist ${HOME}/.cache/cliqz |
| 9 | noblacklist ${HOME}/.config/cliqz | 9 | noblacklist ${HOME}/.config/cliqz |
| 10 | noblacklist ${HOME}/.config/okularpartrc | ||
| 11 | noblacklist ${HOME}/.config/okularrc | ||
| 12 | noblacklist ${HOME}/.config/qpdfview | ||
| 13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
| 14 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
| 15 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
| 16 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
| 17 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
| 18 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
| 19 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
| 20 | noblacklist ${HOME}/.local/share/okular | ||
| 21 | noblacklist ${HOME}/.local/share/qpdfview | ||
| 22 | 10 | ||
| 23 | noblacklist ${HOME}/.pki | 11 | mkdir ${HOME}/.cache/cliqz |
| 12 | mkdir ${HOME}/.config/cliqz | ||
| 13 | whitelist ${HOME}/.cache/cliqz | ||
| 14 | whitelist ${HOME}/.config/cliqz | ||
| 24 | 15 | ||
| 25 | include /etc/firejail/disable-common.inc | 16 | # private-etc must first be enabled in firefox-common.profile |
| 26 | include /etc/firejail/disable-devel.inc | 17 | #private-etc cliqz |
| 27 | include /etc/firejail/disable-programs.inc | ||
| 28 | 18 | ||
| 29 | mkdir ${HOME}/.cache/mozilla/firefox | 19 | # Redirect |
| 30 | mkdir ${HOME}/.mozilla | 20 | include /etc/firejail/firefox-common.profile |
| 31 | mkdir ${HOME}/.pki | ||
| 32 | whitelist ${DOWNLOADS} | ||
| 33 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 34 | whitelist ${HOME}/.cache/mozilla/firefox | ||
| 35 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 36 | whitelist ${HOME}/.config/okularpartrc | ||
| 37 | whitelist ${HOME}/.config/okularrc | ||
| 38 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 39 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 40 | whitelist ${HOME}/.config/qpdfview | ||
| 41 | whitelist ${HOME}/.kde/share/apps/okular | ||
| 42 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
| 43 | whitelist ${HOME}/.kde/share/config/okularrc | ||
| 44 | whitelist ${HOME}/.kde4/share/apps/okular | ||
| 45 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
| 46 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
| 47 | whitelist ${HOME}/.keysnail.js | ||
| 48 | whitelist ${HOME}/.lastpass | ||
| 49 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
| 50 | whitelist ${HOME}/.local/share/okular | ||
| 51 | whitelist ${HOME}/.local/share/qpdfview | ||
| 52 | whitelist ${HOME}/.mozilla | ||
| 53 | whitelist ${HOME}/.pentadactyl | ||
| 54 | whitelist ${HOME}/.pentadactylrc | ||
| 55 | whitelist ${HOME}/.pki | ||
| 56 | whitelist ${HOME}/.vimperator | ||
| 57 | whitelist ${HOME}/.vimperatorrc | ||
| 58 | whitelist ${HOME}/.wine-pipelight | ||
| 59 | whitelist ${HOME}/.wine-pipelight64 | ||
| 60 | whitelist ${HOME}/.zotero | ||
| 61 | whitelist ${HOME}/dwhelper | ||
| 62 | include /etc/firejail/whitelist-common.inc | ||
| 63 | include /etc/firejail/whitelist-var-common.inc | ||
| 64 | |||
| 65 | caps.drop all | ||
| 66 | netfilter | ||
| 67 | nodvd | ||
| 68 | nogroups | ||
| 69 | nonewprivs | ||
| 70 | noroot | ||
| 71 | notv | ||
| 72 | protocol unix,inet,inet6,netlink | ||
| 73 | seccomp | ||
| 74 | shell none | ||
| 75 | tracelog | ||
| 76 | |||
| 77 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env | ||
| 78 | private-dev | ||
| 79 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | ||
| 80 | private-tmp | ||
| 81 | |||
| 82 | noexec ${HOME} | ||
| 83 | noexec /tmp | ||
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index 66cd27461..ce51906ba 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile | |||
| @@ -7,67 +7,15 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.8pecxstudios | 8 | noblacklist ${HOME}/.8pecxstudios |
| 9 | noblacklist ${HOME}/.cache/8pecxstudios | 9 | noblacklist ${HOME}/.cache/8pecxstudios |
| 10 | noblacklist ${HOME}/.config/okularpartrc | ||
| 11 | noblacklist ${HOME}/.config/okularrc | ||
| 12 | noblacklist ${HOME}/.config/qpdfview | ||
| 13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
| 14 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
| 15 | noblacklist ${HOME}/.local/share/okular | ||
| 16 | noblacklist ${HOME}/.local/share/qpdfview | ||
| 17 | noblacklist ${HOME}/.pki | ||
| 18 | |||
| 19 | include /etc/firejail/disable-common.inc | ||
| 20 | include /etc/firejail/disable-devel.inc | ||
| 21 | include /etc/firejail/disable-programs.inc | ||
| 22 | 10 | ||
| 23 | mkdir ${HOME}/.8pecxstudios | 11 | mkdir ${HOME}/.8pecxstudios |
| 24 | mkdir ${HOME}/.cache/8pecxstudios | 12 | mkdir ${HOME}/.cache/8pecxstudios |
| 25 | mkdir ${HOME}/.pki | ||
| 26 | whitelist ${DOWNLOADS} | ||
| 27 | whitelist ${HOME}/.8pecxstudios | 13 | whitelist ${HOME}/.8pecxstudios |
| 28 | whitelist ${HOME}/.cache/8pecxstudios | 14 | whitelist ${HOME}/.cache/8pecxstudios |
| 29 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 30 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 31 | whitelist ${HOME}/.config/okularpartrc | ||
| 32 | whitelist ${HOME}/.config/okularrc | ||
| 33 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 34 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 35 | whitelist ${HOME}/.config/qpdfview | ||
| 36 | whitelist ${HOME}/.kde/share/apps/okular | ||
| 37 | whitelist ${HOME}/.kde4/share/apps/okular | ||
| 38 | whitelist ${HOME}/.keysnail.js | ||
| 39 | whitelist ${HOME}/.lastpass | ||
| 40 | whitelist ${HOME}/.local/share/okular | ||
| 41 | whitelist ${HOME}/.local/share/qpdfview | ||
| 42 | whitelist ${HOME}/.pentadactyl | ||
| 43 | whitelist ${HOME}/.pentadactylrc | ||
| 44 | whitelist ${HOME}/.pki | ||
| 45 | whitelist ${HOME}/.vimperator | ||
| 46 | whitelist ${HOME}/.vimperatorrc | ||
| 47 | whitelist ${HOME}/.wine-pipelight | ||
| 48 | whitelist ${HOME}/.wine-pipelight64 | ||
| 49 | whitelist ${HOME}/.zotero | ||
| 50 | whitelist ${HOME}/dwhelper | ||
| 51 | include /etc/firejail/whitelist-common.inc | ||
| 52 | |||
| 53 | caps.drop all | ||
| 54 | netfilter | ||
| 55 | nodvd | ||
| 56 | nogroups | ||
| 57 | nonewprivs | ||
| 58 | noroot | ||
| 59 | notv | ||
| 60 | protocol unix,inet,inet6,netlink | ||
| 61 | seccomp | ||
| 62 | shell none | ||
| 63 | tracelog | ||
| 64 | 15 | ||
| 65 | disable-mnt | ||
| 66 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env | 16 | # private-bin cyberfox,which,sh,dbus-launch,dbus-send,env |
| 67 | private-dev | 17 | # private-etc must first be enabled in firefox-common.profile |
| 68 | private-dev | 18 | #private-etc cyberfox |
| 69 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse | ||
| 70 | private-tmp | ||
| 71 | 19 | ||
| 72 | noexec ${HOME} | 20 | # Redirect |
| 73 | noexec /tmp | 21 | include /etc/firejail/firefox-common.profile |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 91c554f2e..54a292bc2 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
| @@ -7,7 +7,10 @@ blacklist-nolog ${HOME}/.*_history | |||
| 7 | blacklist-nolog ${HOME}/.adobe | 7 | blacklist-nolog ${HOME}/.adobe |
| 8 | blacklist-nolog ${HOME}/.cache/greenclip* | 8 | blacklist-nolog ${HOME}/.cache/greenclip* |
| 9 | blacklist-nolog ${HOME}/.history | 9 | blacklist-nolog ${HOME}/.history |
| 10 | blacklist-nolog ${HOME}/.kde/share/apps/klipper | ||
| 11 | blacklist-nolog ${HOME}/.kde4/share/apps/klipper | ||
| 10 | blacklist-nolog ${HOME}/.local/share/fish/fish_history | 12 | blacklist-nolog ${HOME}/.local/share/fish/fish_history |
| 13 | blacklist-nolog ${HOME}/.local/share/klipper | ||
| 11 | blacklist-nolog ${HOME}/.macromedia | 14 | blacklist-nolog ${HOME}/.macromedia |
| 12 | blacklist-nolog /tmp/clipmenu* | 15 | blacklist-nolog /tmp/clipmenu* |
| 13 | 16 | ||
| @@ -42,20 +45,21 @@ blacklist /etc/X11/Xsession.d | |||
| 42 | blacklist /etc/xdg/autostart | 45 | blacklist /etc/xdg/autostart |
| 43 | 46 | ||
| 44 | # KDE config | 47 | # KDE config |
| 45 | blacklist ${HOME}/.config/*.notifyrc | ||
| 46 | blacklist ${HOME}/.config/khotkeysrc | 48 | blacklist ${HOME}/.config/khotkeysrc |
| 47 | blacklist ${HOME}/.config/krunnerrc | 49 | blacklist ${HOME}/.config/krunnerrc |
| 50 | blacklist ${HOME}/.config/ksslcertificatemanager | ||
| 48 | blacklist ${HOME}/.config/kwinrc | 51 | blacklist ${HOME}/.config/kwinrc |
| 49 | blacklist ${HOME}/.config/kwinrulesrc | 52 | blacklist ${HOME}/.config/kwinrulesrc |
| 50 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc | 53 | blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc |
| 54 | blacklist ${HOME}/.config/plasmashellrc | ||
| 51 | blacklist ${HOME}/.config/plasmavaultrc | 55 | blacklist ${HOME}/.config/plasmavaultrc |
| 52 | blacklist ${HOME}/.kde/share/apps/konsole | 56 | blacklist ${HOME}/.kde/share/apps/konsole |
| 53 | blacklist ${HOME}/.kde/share/apps/kwin | 57 | blacklist ${HOME}/.kde/share/apps/kwin |
| 54 | blacklist ${HOME}/.kde/share/apps/plasma | 58 | blacklist ${HOME}/.kde/share/apps/plasma |
| 55 | blacklist ${HOME}/.kde/share/apps/solid | 59 | blacklist ${HOME}/.kde/share/apps/solid |
| 56 | blacklist ${HOME}/.kde/share/config/*.notifyrc | ||
| 57 | blacklist ${HOME}/.kde/share/config/khotkeysrc | 60 | blacklist ${HOME}/.kde/share/config/khotkeysrc |
| 58 | blacklist ${HOME}/.kde/share/config/krunnerrc | 61 | blacklist ${HOME}/.kde/share/config/krunnerrc |
| 62 | blacklist ${HOME}/.kde/share/config/ksslcertificatemanager | ||
| 59 | blacklist ${HOME}/.kde/share/config/kwinrc | 63 | blacklist ${HOME}/.kde/share/config/kwinrc |
| 60 | blacklist ${HOME}/.kde/share/config/kwinrulesrc | 64 | blacklist ${HOME}/.kde/share/config/kwinrulesrc |
| 61 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc | 65 | blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc |
| @@ -63,9 +67,9 @@ blacklist ${HOME}/.kde4/share/apps/konsole | |||
| 63 | blacklist ${HOME}/.kde4/share/apps/kwin | 67 | blacklist ${HOME}/.kde4/share/apps/kwin |
| 64 | blacklist ${HOME}/.kde4/share/apps/plasma | 68 | blacklist ${HOME}/.kde4/share/apps/plasma |
| 65 | blacklist ${HOME}/.kde4/share/apps/solid | 69 | blacklist ${HOME}/.kde4/share/apps/solid |
| 66 | blacklist ${HOME}/.kde4/share/config/*.notifyrc | ||
| 67 | blacklist ${HOME}/.kde4/share/config/khotkeysrc | 70 | blacklist ${HOME}/.kde4/share/config/khotkeysrc |
| 68 | blacklist ${HOME}/.kde4/share/config/krunnerrc | 71 | blacklist ${HOME}/.kde4/share/config/krunnerrc |
| 72 | blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager | ||
| 69 | blacklist ${HOME}/.kde4/share/config/kwinrc | 73 | blacklist ${HOME}/.kde4/share/config/kwinrc |
| 70 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc | 74 | blacklist ${HOME}/.kde4/share/config/kwinrulesrc |
| 71 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc | 75 | blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc |
| @@ -74,15 +78,29 @@ blacklist ${HOME}/.local/share/konsole | |||
| 74 | blacklist ${HOME}/.local/share/kwin | 78 | blacklist ${HOME}/.local/share/kwin |
| 75 | blacklist ${HOME}/.local/share/plasma | 79 | blacklist ${HOME}/.local/share/plasma |
| 76 | blacklist ${HOME}/.local/share/solid | 80 | blacklist ${HOME}/.local/share/solid |
| 81 | read-only ${HOME}/.cache/ksycoca5_* | ||
| 82 | read-only ${HOME}/.config/*notifyrc | ||
| 77 | read-only ${HOME}/.config/kdeglobals | 83 | read-only ${HOME}/.config/kdeglobals |
| 84 | read-only ${HOME}/.config/kio_httprc | ||
| 85 | read-only ${HOME}/.config/kiorc | ||
| 78 | read-only ${HOME}/.config/kioslaverc | 86 | read-only ${HOME}/.config/kioslaverc |
| 87 | read-only ${HOME}/.config/ksslcablacklist | ||
| 88 | read-only ${HOME}/.kde/share/apps/kssl | ||
| 89 | read-only ${HOME}/.kde/share/config/*notifyrc | ||
| 79 | read-only ${HOME}/.kde/share/config/kdeglobals | 90 | read-only ${HOME}/.kde/share/config/kdeglobals |
| 91 | read-only ${HOME}/.kde/share/config/kio_httprc | ||
| 80 | read-only ${HOME}/.kde/share/config/kioslaverc | 92 | read-only ${HOME}/.kde/share/config/kioslaverc |
| 93 | read-only ${HOME}/.kde/share/config/ksslcablacklist | ||
| 81 | read-only ${HOME}/.kde/share/kde4/services | 94 | read-only ${HOME}/.kde/share/kde4/services |
| 95 | read-only ${HOME}/.kde4/share/apps/kssl | ||
| 96 | read-only ${HOME}/.kde4/share/config/*notifyrc | ||
| 82 | read-only ${HOME}/.kde4/share/config/kdeglobals | 97 | read-only ${HOME}/.kde4/share/config/kdeglobals |
| 98 | read-only ${HOME}/.kde4/share/config/kio_httprc | ||
| 83 | read-only ${HOME}/.kde4/share/config/kioslaverc | 99 | read-only ${HOME}/.kde4/share/config/kioslaverc |
| 100 | read-only ${HOME}/.kde4/share/config/ksslcablacklist | ||
| 84 | read-only ${HOME}/.kde4/share/kde4/services | 101 | read-only ${HOME}/.kde4/share/kde4/services |
| 85 | read-only ${HOME}/.local/share/kservices5 | 102 | read-only ${HOME}/.local/share/kservices5 |
| 103 | read-only ${HOME}/.local/share/kssl | ||
| 86 | 104 | ||
| 87 | # kdeinit socket | 105 | # kdeinit socket |
| 88 | blacklist /run/user/*/kdeinit5__* | 106 | blacklist /run/user/*/kdeinit5__* |
| @@ -236,6 +254,7 @@ read-only ${HOME}/bin | |||
| 236 | blacklist ${HOME}/.local/share/Trash | 254 | blacklist ${HOME}/.local/share/Trash |
| 237 | 255 | ||
| 238 | # Write-protection for desktop entries | 256 | # Write-protection for desktop entries |
| 257 | read-only ${HOME}/.config/menus | ||
| 239 | read-only ${HOME}/.local/share/applications | 258 | read-only ${HOME}/.local/share/applications |
| 240 | 259 | ||
| 241 | # top secret | 260 | # top secret |
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 8cfcaa838..8e72dc47e 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
| @@ -129,11 +129,15 @@ blacklist ${HOME}/.config/iridium | |||
| 129 | blacklist ${HOME}/.config/itch | 129 | blacklist ${HOME}/.config/itch |
| 130 | blacklist ${HOME}/.config/jd-gui.cfg | 130 | blacklist ${HOME}/.config/jd-gui.cfg |
| 131 | blacklist ${HOME}/.config/k3brc | 131 | blacklist ${HOME}/.config/k3brc |
| 132 | blacklist ${HOME}/.config/kaffeinerc | ||
| 132 | blacklist ${HOME}/.config/katepartrc | 133 | blacklist ${HOME}/.config/katepartrc |
| 133 | blacklist ${HOME}/.config/katerc | 134 | blacklist ${HOME}/.config/katerc |
| 134 | blacklist ${HOME}/.config/kateschemarc | 135 | blacklist ${HOME}/.config/kateschemarc |
| 135 | blacklist ${HOME}/.config/katesyntaxhighlightingrc | 136 | blacklist ${HOME}/.config/katesyntaxhighlightingrc |
| 136 | blacklist ${HOME}/.config/katevirc | 137 | blacklist ${HOME}/.config/katevirc |
| 138 | blacklist ${HOME}/.config/kdenliverc | ||
| 139 | blacklist ${HOME}/.config/kgetrc | ||
| 140 | blacklist ${HOME}/.config/klipperrc | ||
| 137 | blacklist ${HOME}/.config/kritarc | 141 | blacklist ${HOME}/.config/kritarc |
| 138 | blacklist ${HOME}/.config/kwriterc | 142 | blacklist ${HOME}/.config/kwriterc |
| 139 | blacklist ${HOME}/.config/kdeconnect | 143 | blacklist ${HOME}/.config/kdeconnect |
| @@ -258,6 +262,7 @@ blacklist ${HOME}/.java | |||
| 258 | blacklist ${HOME}/.jitsi | 262 | blacklist ${HOME}/.jitsi |
| 259 | blacklist ${HOME}/.kde/share/apps/digikam | 263 | blacklist ${HOME}/.kde/share/apps/digikam |
| 260 | blacklist ${HOME}/.kde/share/apps/gwenview | 264 | blacklist ${HOME}/.kde/share/apps/gwenview |
| 265 | blacklist ${HOME}/.kde/share/apps/kaffeine | ||
| 261 | blacklist ${HOME}/.kde/share/apps/kcookiejar | 266 | blacklist ${HOME}/.kde/share/apps/kcookiejar |
| 262 | blacklist ${HOME}/.kde/share/apps/kget | 267 | blacklist ${HOME}/.kde/share/apps/kget |
| 263 | blacklist ${HOME}/.kde/share/apps/khtml | 268 | blacklist ${HOME}/.kde/share/apps/khtml |
| @@ -272,9 +277,11 @@ blacklist ${HOME}/.kde/share/config/baloorc | |||
| 272 | blacklist ${HOME}/.kde/share/config/digikam | 277 | blacklist ${HOME}/.kde/share/config/digikam |
| 273 | blacklist ${HOME}/.kde/share/config/gwenviewrc | 278 | blacklist ${HOME}/.kde/share/config/gwenviewrc |
| 274 | blacklist ${HOME}/.kde/share/config/k3brc | 279 | blacklist ${HOME}/.kde/share/config/k3brc |
| 280 | blacklist ${HOME}/.kde/share/config/kaffeinerc | ||
| 275 | blacklist ${HOME}/.kde/share/config/kcookiejarrc | 281 | blacklist ${HOME}/.kde/share/config/kcookiejarrc |
| 276 | blacklist ${HOME}/.kde/share/config/kgetrc | 282 | blacklist ${HOME}/.kde/share/config/kgetrc |
| 277 | blacklist ${HOME}/.kde/share/config/khtmlrc | 283 | blacklist ${HOME}/.kde/share/config/khtmlrc |
| 284 | blacklist ${HOME}/.kde/share/config/klipperrc | ||
| 278 | blacklist ${HOME}/.kde/share/config/konq_history | 285 | blacklist ${HOME}/.kde/share/config/konq_history |
| 279 | blacklist ${HOME}/.kde/share/config/konqsidebartngrc | 286 | blacklist ${HOME}/.kde/share/config/konqsidebartngrc |
| 280 | blacklist ${HOME}/.kde/share/config/konquerorrc | 287 | blacklist ${HOME}/.kde/share/config/konquerorrc |
| @@ -285,6 +292,7 @@ blacklist ${HOME}/.kde/share/config/okularpartrc | |||
| 285 | blacklist ${HOME}/.kde/share/config/okularrc | 292 | blacklist ${HOME}/.kde/share/config/okularrc |
| 286 | blacklist ${HOME}/.kde4/share/apps/digikam | 293 | blacklist ${HOME}/.kde4/share/apps/digikam |
| 287 | blacklist ${HOME}/.kde4/share/apps/gwenview | 294 | blacklist ${HOME}/.kde4/share/apps/gwenview |
| 295 | blacklist ${HOME}/.kde4/share/apps/kaffeine | ||
| 288 | blacklist ${HOME}/.kde4/share/apps/kcookiejar | 296 | blacklist ${HOME}/.kde4/share/apps/kcookiejar |
| 289 | blacklist ${HOME}/.kde4/share/apps/kget | 297 | blacklist ${HOME}/.kde4/share/apps/kget |
| 290 | blacklist ${HOME}/.kde4/share/apps/khtml | 298 | blacklist ${HOME}/.kde4/share/apps/khtml |
| @@ -298,9 +306,11 @@ blacklist ${HOME}/.kde4/share/config/baloofilerc | |||
| 298 | blacklist ${HOME}/.kde4/share/config/digikam | 306 | blacklist ${HOME}/.kde4/share/config/digikam |
| 299 | blacklist ${HOME}/.kde4/share/config/gwenviewrc | 307 | blacklist ${HOME}/.kde4/share/config/gwenviewrc |
| 300 | blacklist ${HOME}/.kde4/share/config/k3brc | 308 | blacklist ${HOME}/.kde4/share/config/k3brc |
| 309 | blacklist ${HOME}/.kde4/share/config/kaffeinerc | ||
| 301 | blacklist ${HOME}/.kde4/share/config/kcookiejarrc | 310 | blacklist ${HOME}/.kde4/share/config/kcookiejarrc |
| 302 | blacklist ${HOME}/.kde4/share/config/kgetrc | 311 | blacklist ${HOME}/.kde4/share/config/kgetrc |
| 303 | blacklist ${HOME}/.kde4/share/config/khtmlrc | 312 | blacklist ${HOME}/.kde4/share/config/khtmlrc |
| 313 | blacklist ${HOME}/.kde4/share/config/klipperrc | ||
| 304 | blacklist ${HOME}/.kde4/share/config/konq_history | 314 | blacklist ${HOME}/.kde4/share/config/konq_history |
| 305 | blacklist ${HOME}/.kde4/share/config/konqsidebartngrc | 315 | blacklist ${HOME}/.kde4/share/config/konqsidebartngrc |
| 306 | blacklist ${HOME}/.kde4/share/config/konquerorrc | 316 | blacklist ${HOME}/.kde4/share/config/konquerorrc |
| @@ -338,6 +348,7 @@ blacklist ${HOME}/.local/share/clipit | |||
| 338 | blacklist ${HOME}/.local/share/data/Mumble | 348 | blacklist ${HOME}/.local/share/data/Mumble |
| 339 | blacklist ${HOME}/.local/share/data/MusE | 349 | blacklist ${HOME}/.local/share/data/MusE |
| 340 | blacklist ${HOME}/.local/share/data/MuseScore | 350 | blacklist ${HOME}/.local/share/data/MuseScore |
| 351 | blacklist ${HOME}/.local/share/data/qBittorrent | ||
| 341 | blacklist ${HOME}/.local/share/dino | 352 | blacklist ${HOME}/.local/share/dino |
| 342 | blacklist ${HOME}/.local/share/dolphin | 353 | blacklist ${HOME}/.local/share/dolphin |
| 343 | blacklist ${HOME}/.local/share/epiphany | 354 | blacklist ${HOME}/.local/share/epiphany |
| @@ -354,7 +365,11 @@ blacklist ${HOME}/.local/share/gnome-photos | |||
| 354 | blacklist ${HOME}/.local/share/gnome-ring | 365 | blacklist ${HOME}/.local/share/gnome-ring |
| 355 | blacklist ${HOME}/.local/share/gnome-twitch | 366 | blacklist ${HOME}/.local/share/gnome-twitch |
| 356 | blacklist ${HOME}/.local/share/gwenview | 367 | blacklist ${HOME}/.local/share/gwenview |
| 368 | blacklist ${HOME}/.local/share/kaffeine | ||
| 357 | blacklist ${HOME}/.local/share/kate | 369 | blacklist ${HOME}/.local/share/kate |
| 370 | blacklist ${HOME}/.local/share/kdenlive | ||
| 371 | blacklist ${HOME}/.local/share/kget | ||
| 372 | blacklist ${HOME}/.local/share/krita | ||
| 358 | blacklist ${HOME}/.local/share/ktorrentrc | 373 | blacklist ${HOME}/.local/share/ktorrentrc |
| 359 | blacklist ${HOME}/.local/share/ktorrent | 374 | blacklist ${HOME}/.local/share/ktorrent |
| 360 | blacklist ${HOME}/.local/share/kwrite | 375 | blacklist ${HOME}/.local/share/kwrite |
| @@ -416,6 +431,7 @@ blacklist ${HOME}/.passwd-s3fs | |||
| 416 | blacklist ${HOME}/.pingus | 431 | blacklist ${HOME}/.pingus |
| 417 | blacklist ${HOME}/.purple | 432 | blacklist ${HOME}/.purple |
| 418 | blacklist ${HOME}/.qemu-launcher | 433 | blacklist ${HOME}/.qemu-launcher |
| 434 | blacklist ${HOME}/.redeclipse | ||
| 419 | blacklist ${HOME}/.remmina | 435 | blacklist ${HOME}/.remmina |
| 420 | blacklist ${HOME}/.repo_.gitconfig.json | 436 | blacklist ${HOME}/.repo_.gitconfig.json |
| 421 | blacklist ${HOME}/.repoconfig | 437 | blacklist ${HOME}/.repoconfig |
| @@ -435,6 +451,7 @@ blacklist ${HOME}/.sylpheed-2.0 | |||
| 435 | blacklist ${HOME}/.synfig | 451 | blacklist ${HOME}/.synfig |
| 436 | blacklist ${HOME}/.tconn | 452 | blacklist ${HOME}/.tconn |
| 437 | blacklist ${HOME}/.thunderbird | 453 | blacklist ${HOME}/.thunderbird |
| 454 | blacklist ${HOME}/.tilp | ||
| 438 | blacklist ${HOME}/.tooling | 455 | blacklist ${HOME}/.tooling |
| 439 | blacklist ${HOME}/.tor-browser-* | 456 | blacklist ${HOME}/.tor-browser-* |
| 440 | blacklist ${HOME}/.ts3client | 457 | blacklist ${HOME}/.ts3client |
| @@ -453,6 +470,7 @@ blacklist ${HOME}/.wireshark | |||
| 453 | blacklist ${HOME}/.wine64 | 470 | blacklist ${HOME}/.wine64 |
| 454 | blacklist ${HOME}/.xiphos | 471 | blacklist ${HOME}/.xiphos |
| 455 | blacklist ${HOME}/.xmms | 472 | blacklist ${HOME}/.xmms |
| 473 | blacklist ${HOME}/.xmr-stak | ||
| 456 | blacklist ${HOME}/.xonotic | 474 | blacklist ${HOME}/.xonotic |
| 457 | blacklist ${HOME}/.xpdfrc | 475 | blacklist ${HOME}/.xpdfrc |
| 458 | blacklist ${HOME}/.zoom | 476 | blacklist ${HOME}/.zoom |
| @@ -463,6 +481,7 @@ blacklist /tmp/ssh-* | |||
| 463 | # ~/.cache directory | 481 | # ~/.cache directory |
| 464 | blacklist ${HOME}/.cache/0ad | 482 | blacklist ${HOME}/.cache/0ad |
| 465 | blacklist ${HOME}/.cache/8pecxstudios | 483 | blacklist ${HOME}/.cache/8pecxstudios |
| 484 | blacklist ${HOME}/.cache/Clementine | ||
| 466 | blacklist ${HOME}/.cache/Franz | 485 | blacklist ${HOME}/.cache/Franz |
| 467 | blacklist ${HOME}/.cache/INRIA | 486 | blacklist ${HOME}/.cache/INRIA |
| 468 | blacklist ${HOME}/.cache/MusicBrainz | 487 | blacklist ${HOME}/.cache/MusicBrainz |
| @@ -475,6 +494,8 @@ blacklist ${HOME}/.cache/chromium | |||
| 475 | blacklist ${HOME}/.cache/chromium-dev | 494 | blacklist ${HOME}/.cache/chromium-dev |
| 476 | blacklist ${HOME}/.cache/cliqz | 495 | blacklist ${HOME}/.cache/cliqz |
| 477 | blacklist ${HOME}/.cache/darktable | 496 | blacklist ${HOME}/.cache/darktable |
| 497 | blacklist ${HOME}/.cache/discover | ||
| 498 | blacklist ${HOME}/.cache/dolphin | ||
| 478 | blacklist ${HOME}/.cache/epiphany | 499 | blacklist ${HOME}/.cache/epiphany |
| 479 | blacklist ${HOME}/.cache/evolution | 500 | blacklist ${HOME}/.cache/evolution |
| 480 | blacklist ${HOME}/.cache/fossamail | 501 | blacklist ${HOME}/.cache/fossamail |
| @@ -488,6 +509,13 @@ blacklist ${HOME}/.cache/icedove | |||
| 488 | blacklist ${HOME}/.cache/INRIA/Natron | 509 | blacklist ${HOME}/.cache/INRIA/Natron |
| 489 | blacklist ${HOME}/.cache/inox | 510 | blacklist ${HOME}/.cache/inox |
| 490 | blacklist ${HOME}/.cache/iridium | 511 | blacklist ${HOME}/.cache/iridium |
| 512 | blacklist ${HOME}/.cache/kdenlive | ||
| 513 | blacklist ${HOME}/.cache/kinfocenter | ||
| 514 | blacklist ${HOME}/.cache/krunner | ||
| 515 | blacklist ${HOME}/.cache/kscreenlocker_greet | ||
| 516 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | ||
| 517 | blacklist ${HOME}/.cache/ksplashqml | ||
| 518 | blacklist ${HOME}/.cache/kwin | ||
| 491 | blacklist ${HOME}/.cache/libgweather | 519 | blacklist ${HOME}/.cache/libgweather |
| 492 | blacklist ${HOME}/.cache/liferea | 520 | blacklist ${HOME}/.cache/liferea |
| 493 | blacklist ${HOME}/.cache/midori | 521 | blacklist ${HOME}/.cache/midori |
| @@ -496,17 +524,20 @@ blacklist ${HOME}/.cache/mozilla | |||
| 496 | blacklist ${HOME}/.cache/mutt | 524 | blacklist ${HOME}/.cache/mutt |
| 497 | blacklist ${HOME}/.cache/nheko/nheko | 525 | blacklist ${HOME}/.cache/nheko/nheko |
| 498 | blacklist ${HOME}/.cache/netsurf | 526 | blacklist ${HOME}/.cache/netsurf |
| 527 | blacklist ${HOME}/.cache/okular | ||
| 499 | blacklist ${HOME}/.cache/opera | 528 | blacklist ${HOME}/.cache/opera |
| 500 | blacklist ${HOME}/.cache/opera-beta | 529 | blacklist ${HOME}/.cache/opera-beta |
| 501 | blacklist ${HOME}/.cache/org.gnome.Books | 530 | blacklist ${HOME}/.cache/org.gnome.Books |
| 502 | blacklist ${HOME}/.cache/pdfmod | 531 | blacklist ${HOME}/.cache/pdfmod |
| 503 | blacklist ${HOME}/.cache/peek | 532 | blacklist ${HOME}/.cache/peek |
| 533 | blacklist ${HOME}/.cache/plasmashell | ||
| 504 | blacklist ${HOME}/.cache/qBittorrent | 534 | blacklist ${HOME}/.cache/qBittorrent |
| 505 | blacklist ${HOME}/.cache/qupzilla | 535 | blacklist ${HOME}/.cache/qupzilla |
| 506 | blacklist ${HOME}/.cache/qutebrowser | 536 | blacklist ${HOME}/.cache/qutebrowser |
| 507 | blacklist ${HOME}/.cache/simple-scan | 537 | blacklist ${HOME}/.cache/simple-scan |
| 508 | blacklist ${HOME}/.cache/slimjet | 538 | blacklist ${HOME}/.cache/slimjet |
| 509 | blacklist ${HOME}/.cache/spotify | 539 | blacklist ${HOME}/.cache/spotify |
| 540 | blacklist ${HOME}/.cache/systemsettings | ||
| 510 | blacklist ${HOME}/.cache/telepathy | 541 | blacklist ${HOME}/.cache/telepathy |
| 511 | blacklist ${HOME}/.cache/thunderbird | 542 | blacklist ${HOME}/.cache/thunderbird |
| 512 | blacklist ${HOME}/.cache/torbrowser | 543 | blacklist ${HOME}/.cache/torbrowser |
diff --git a/etc/dnox.profile b/etc/dnox.profile index d6626c048..505884ca6 100644 --- a/etc/dnox.profile +++ b/etc/dnox.profile | |||
| @@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/dnox | 8 | noblacklist ${HOME}/.cache/dnox |
| 9 | noblacklist ${HOME}/.config/dnox | 9 | noblacklist ${HOME}/.config/dnox |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 10 | ||
| 15 | mkdir ${HOME}/.cache/dnox | 11 | mkdir ${HOME}/.cache/dnox |
| 16 | mkdir ${HOME}/.config/dnox | 12 | mkdir ${HOME}/.config/dnox |
| 17 | mkdir ${HOME}/.pki | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/dnox | 13 | whitelist ${HOME}/.cache/dnox |
| 20 | whitelist ${HOME}/.config/dnox | 14 | whitelist ${HOME}/.config/dnox |
| 21 | whitelist ${HOME}/.pki | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 24 | |||
| 25 | caps.keep sys_chroot,sys_admin | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | notv | ||
| 30 | shell none | ||
| 31 | |||
| 32 | private-dev | ||
| 33 | # private-tmp - problems with multiple browser sessions | ||
| 34 | 15 | ||
| 35 | noexec ${HOME} | 16 | # Redirect |
| 36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/dolphin.profile b/etc/dolphin.profile index c1604826e..ce167b7a7 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile | |||
| @@ -8,7 +8,8 @@ include /etc/firejail/globals.local | |||
| 8 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 | 8 | # warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 |
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.local/share/Trash | 10 | noblacklist ${HOME}/.local/share/Trash |
| 11 | # noblacklist ${HOME}/.config/dolphinrc - diable-programs.inc is disabled, see below | 11 | # noblacklist ${HOME}/.cache/dolphin - disable-programs.inc is disabled, see below |
| 12 | # noblacklist ${HOME}/.config/dolphinrc | ||
| 12 | # noblacklist ${HOME}/.local/share/dolphin | 13 | # noblacklist ${HOME}/.local/share/dolphin |
| 13 | 14 | ||
| 14 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
diff --git a/etc/dragon.profile b/etc/dragon.profile index 76544010f..6fa6ec65e 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile | |||
| @@ -16,7 +16,6 @@ include /etc/firejail/whitelist-var-common.inc | |||
| 16 | 16 | ||
| 17 | caps.drop all | 17 | caps.drop all |
| 18 | netfilter | 18 | netfilter |
| 19 | nodvd | ||
| 20 | nogroups | 19 | nogroups |
| 21 | nonewprivs | 20 | nonewprivs |
| 22 | noroot | 21 | noroot |
diff --git a/etc/enox.profile b/etc/enox.profile new file mode 100644 index 000000000..cc5403719 --- /dev/null +++ b/etc/enox.profile | |||
| @@ -0,0 +1,36 @@ | |||
| 1 | # Firejail profile for dnox | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/enox.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.cache/Enox | ||
| 9 | noblacklist ${HOME}/.config/Enox | ||
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ${HOME}/.cache/dnox | ||
| 16 | mkdir ${HOME}/.config/dnox | ||
| 17 | mkdir ${HOME}/.pki | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/Enox | ||
| 20 | whitelist ${HOME}/.config/Enox | ||
| 21 | whitelist ${HOME}/.pki | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 24 | |||
| 25 | caps.keep sys_chroot,sys_admin | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | notv | ||
| 30 | shell none | ||
| 31 | |||
| 32 | private-dev | ||
| 33 | # private-tmp - problems with multiple browser sessions | ||
| 34 | |||
| 35 | noexec ${HOME} | ||
| 36 | noexec /tmp | ||
diff --git a/etc/firefox-common-addons.inc b/etc/firefox-common-addons.inc new file mode 100644 index 000000000..b237c3c05 --- /dev/null +++ b/etc/firefox-common-addons.inc | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | # This file is overwritten during software install. | ||
| 2 | # Persistent customizations should go in a .local file. | ||
| 3 | include /etc/firejail/firefox-common-addons.local | ||
| 4 | |||
| 5 | noblacklist ${HOME}/.config/kgetrc | ||
| 6 | noblacklist ${HOME}/.config/okularpartrc | ||
| 7 | noblacklist ${HOME}/.config/okularrc | ||
| 8 | noblacklist ${HOME}/.config/qpdfview | ||
| 9 | noblacklist ${HOME}/.kde/share/apps/kget | ||
| 10 | noblacklist ${HOME}/.kde/share/apps/okular | ||
| 11 | noblacklist ${HOME}/.kde/share/config/kgetrc | ||
| 12 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
| 13 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
| 14 | noblacklist ${HOME}/.kde4/share/apps/kget | ||
| 15 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
| 16 | noblacklist ${HOME}/.kde4/share/config/kgetrc | ||
| 17 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
| 18 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
| 19 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
| 20 | noblacklist ${HOME}/.local/share/kget | ||
| 21 | noblacklist ${HOME}/.local/share/okular | ||
| 22 | noblacklist ${HOME}/.local/share/qpdfview | ||
| 23 | |||
| 24 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 25 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 26 | whitelist ${HOME}/.config/kgetrc | ||
| 27 | whitelist ${HOME}/.config/okularpartrc | ||
| 28 | whitelist ${HOME}/.config/okularrc | ||
| 29 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 30 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 31 | whitelist ${HOME}/.config/qpdfview | ||
| 32 | whitelist ${HOME}/.kde/share/apps/kget | ||
| 33 | whitelist ${HOME}/.kde/share/apps/okular | ||
| 34 | whitelist ${HOME}/.kde/share/config/kgetrc | ||
| 35 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
| 36 | whitelist ${HOME}/.kde/share/config/okularrc | ||
| 37 | whitelist ${HOME}/.kde4/share/apps/kget | ||
| 38 | whitelist ${HOME}/.kde4/share/apps/okular | ||
| 39 | whitelist ${HOME}/.kde4/share/config/kgetrc | ||
| 40 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
| 41 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
| 42 | whitelist ${HOME}/.keysnail.js | ||
| 43 | whitelist ${HOME}/.lastpass | ||
| 44 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
| 45 | whitelist ${HOME}/.local/share/kget | ||
| 46 | whitelist ${HOME}/.local/share/okular | ||
| 47 | whitelist ${HOME}/.local/share/qpdfview | ||
| 48 | whitelist ${HOME}/.pentadactyl | ||
| 49 | whitelist ${HOME}/.pentadactylrc | ||
| 50 | whitelist ${HOME}/.vimperator | ||
| 51 | whitelist ${HOME}/.vimperatorrc | ||
| 52 | whitelist ${HOME}/.wine-pipelight | ||
| 53 | whitelist ${HOME}/.wine-pipelight64 | ||
| 54 | whitelist ${HOME}/.zotero | ||
| 55 | whitelist ${HOME}/dwhelper | ||
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile new file mode 100644 index 000000000..0c4271edc --- /dev/null +++ b/etc/firefox-common.profile | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | # Firejail profile for firefox-common | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/firefox-common.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | # uncomment the following line to allow access to common programs/addons/plugins | ||
| 9 | #include /etc/firejail/firefox-common-addons.inc | ||
| 10 | |||
| 11 | noblacklist ${HOME}/.pki | ||
| 12 | |||
| 13 | include /etc/firejail/disable-common.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | |||
| 17 | mkdir ${HOME}/.pki | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.pki | ||
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 21 | include /etc/firejail/whitelist-var-common.inc | ||
| 22 | |||
| 23 | caps.drop all | ||
| 24 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required | ||
| 25 | #machine-id | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | nonewprivs | ||
| 30 | noroot | ||
| 31 | notv | ||
| 32 | protocol unix,inet,inet6,netlink | ||
| 33 | seccomp | ||
| 34 | shell none | ||
| 35 | tracelog | ||
| 36 | |||
| 37 | disable-mnt | ||
| 38 | private-dev | ||
| 39 | # private-etc below works fine on most distributions. There are some problems on CentOS. | ||
| 40 | #private-etc ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies | ||
| 41 | private-tmp | ||
| 42 | |||
| 43 | noexec ${HOME} | ||
| 44 | noexec /tmp | ||
diff --git a/etc/firefox.profile b/etc/firefox.profile index 079cb1536..0ab6a6141 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -6,90 +6,17 @@ include /etc/firejail/firefox.local | |||
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
| 9 | noblacklist ${HOME}/.config/okularpartrc | ||
| 10 | noblacklist ${HOME}/.config/okularrc | ||
| 11 | noblacklist ${HOME}/.config/qpdfview | ||
| 12 | noblacklist ${HOME}/.kde/share/apps/kget | ||
| 13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
| 14 | noblacklist ${HOME}/.kde/share/config/kgetrc | ||
| 15 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
| 16 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
| 17 | noblacklist ${HOME}/.kde4/share/apps/kget | ||
| 18 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
| 19 | noblacklist ${HOME}/.kde4/share/config/kgetrc | ||
| 20 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
| 21 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
| 22 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
| 23 | noblacklist ${HOME}/.local/share/okular | ||
| 24 | noblacklist ${HOME}/.local/share/qpdfview | ||
| 25 | noblacklist ${HOME}/.mozilla | 9 | noblacklist ${HOME}/.mozilla |
| 26 | noblacklist ${HOME}/.pki | ||
| 27 | |||
| 28 | include /etc/firejail/disable-common.inc | ||
| 29 | include /etc/firejail/disable-devel.inc | ||
| 30 | include /etc/firejail/disable-programs.inc | ||
| 31 | 10 | ||
| 32 | mkdir ${HOME}/.cache/mozilla/firefox | 11 | mkdir ${HOME}/.cache/mozilla/firefox |
| 33 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
| 34 | mkdir ${HOME}/.pki | ||
| 35 | whitelist ${DOWNLOADS} | ||
| 36 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 37 | whitelist ${HOME}/.cache/mozilla/firefox | 13 | whitelist ${HOME}/.cache/mozilla/firefox |
| 38 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 39 | whitelist ${HOME}/.config/okularpartrc | ||
| 40 | whitelist ${HOME}/.config/okularrc | ||
| 41 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 42 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 43 | whitelist ${HOME}/.config/qpdfview | ||
| 44 | whitelist ${HOME}/.kde/share/apps/kget | ||
| 45 | whitelist ${HOME}/.kde/share/apps/okular | ||
| 46 | whitelist ${HOME}/.kde/share/config/kgetrc | ||
| 47 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
| 48 | whitelist ${HOME}/.kde/share/config/okularrc | ||
| 49 | whitelist ${HOME}/.kde4/share/apps/kget | ||
| 50 | whitelist ${HOME}/.kde4/share/apps/okular | ||
| 51 | whitelist ${HOME}/.kde4/share/config/kgetrc | ||
| 52 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
| 53 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
| 54 | whitelist ${HOME}/.keysnail.js | ||
| 55 | whitelist ${HOME}/.lastpass | ||
| 56 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
| 57 | whitelist ${HOME}/.local/share/okular | ||
| 58 | whitelist ${HOME}/.local/share/qpdfview | ||
| 59 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
| 60 | whitelist ${HOME}/.pentadactyl | ||
| 61 | whitelist ${HOME}/.pentadactylrc | ||
| 62 | whitelist ${HOME}/.pki | ||
| 63 | whitelist ${HOME}/.vimperator | ||
| 64 | whitelist ${HOME}/.vimperatorrc | ||
| 65 | whitelist ${HOME}/.wine-pipelight | ||
| 66 | whitelist ${HOME}/.wine-pipelight64 | ||
| 67 | whitelist ${HOME}/.zotero | ||
| 68 | whitelist ${HOME}/dwhelper | ||
| 69 | include /etc/firejail/whitelist-common.inc | ||
| 70 | include /etc/firejail/whitelist-var-common.inc | ||
| 71 | |||
| 72 | caps.drop all | ||
| 73 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required | ||
| 74 | #machine-id | ||
| 75 | netfilter | ||
| 76 | nodvd | ||
| 77 | nogroups | ||
| 78 | nonewprivs | ||
| 79 | noroot | ||
| 80 | notv | ||
| 81 | protocol unix,inet,inet6,netlink | ||
| 82 | seccomp | ||
| 83 | shell none | ||
| 84 | tracelog | ||
| 85 | 15 | ||
| 86 | disable-mnt | ||
| 87 | # firefox requires a shell to launch on Arch. | 16 | # firefox requires a shell to launch on Arch. |
| 88 | # private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash | 17 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash |
| 89 | private-dev | 18 | # private-etc must first be enabled in firefox-common.profile |
| 90 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 19 | #private-etc firefox |
| 91 | # private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies | ||
| 92 | private-tmp | ||
| 93 | 20 | ||
| 94 | noexec ${HOME} | 21 | # Redirect |
| 95 | noexec /tmp | 22 | include /etc/firejail/firefox-common.profile |
diff --git a/etc/firejail-default b/etc/firejail-default index eb50d6c65..859f8683a 100644 --- a/etc/firejail-default +++ b/etc/firejail-default | |||
| @@ -8,38 +8,66 @@ | |||
| 8 | # We don't know if this definition is available outside Debian and Ubuntu, so | 8 | # We don't know if this definition is available outside Debian and Ubuntu, so |
| 9 | # we declare our own here. | 9 | # we declare our own here. |
| 10 | ########## | 10 | ########## |
| 11 | @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]} | 11 | @{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]} |
| 12 | 12 | ||
| 13 | profile firejail-default flags=(attach_disconnected,mediate_deleted) { | 13 | profile firejail-default flags=(attach_disconnected,mediate_deleted) { |
| 14 | 14 | ||
| 15 | ########## | 15 | ########## |
| 16 | # D-Bus is a huge security hole. Uncomment this line if you need D-Bus | 16 | # D-Bus is a huge security hole. Uncomment those lines if you need D-Bus |
| 17 | # functionality. | 17 | # functionality. |
| 18 | ########## | 18 | ########## |
| 19 | ##include <abstractions/dbus-strict> | ||
| 20 | ##include <abstractions/dbus-session-strict> | ||
| 19 | #dbus, | 21 | #dbus, |
| 20 | 22 | ||
| 21 | ########## | 23 | ########## |
| 22 | # Mask /proc and /sys information leakage. The configuration here is barely | 24 | # Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes |
| 23 | # enough to run "top" or "ps aux". | ||
| 24 | ########## | 25 | ########## |
| 25 | / r, | 26 | / r, |
| 26 | /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, | 27 | /{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, |
| 28 | /run/firejail/mnt/oroot/{usr,bin,sbin,dev,etc,home,root,lib,media,mnt,opt,srv,tmp,var}** mrwlk, | ||
| 29 | |||
| 27 | /{,var/}run/ r, | 30 | /{,var/}run/ r, |
| 28 | /{,var/}run/** r, | 31 | /{,var/}run/** r, |
| 29 | /{,var/}run/user/**/dconf/ rw, | 32 | /run/firejail/mnt/oroot/{,var/}run/ r, |
| 30 | /{,var/}run/user/**/dconf/user rw, | 33 | /run/firejail/mnt/oroot/{,var/}run/** r, |
| 31 | /{,var/}run/user/**/pulse/ rw, | 34 | |
| 32 | /{,var/}run/user/**/pulse/** rw, | 35 | owner /{,var/}run/user/**/dconf/ rw, |
| 33 | /{,var/}run/user/**/*.slave-socket rwl, | 36 | owner /{,var/}run/user/**/dconf/user rw, |
| 34 | /{,var/}run/user/**/#@{PID} rw, | 37 | owner /{,var/}run/user/**/pulse/ rw, |
| 35 | /{,var/}run/user/**/orcexec.* rwkm, | 38 | owner /{,var/}run/user/**/pulse/** rw, |
| 39 | owner /{,var/}run/user/**/*.slave-socket rwl, | ||
| 40 | owner /{,var/}run/user/**/#@{PID} rw, | ||
| 41 | owner /{,var/}run/user/**/orcexec.* rwkm, | ||
| 42 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/ rw, | ||
| 43 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/dconf/user rw, | ||
| 44 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/ rw, | ||
| 45 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/pulse/** rw, | ||
| 46 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/*.slave-socket rwl, | ||
| 47 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/#@{PID} rw, | ||
| 48 | owner /run/firejail/mnt/oroot/{,var/}run/user/**/orcexec.* rwkm, | ||
| 49 | |||
| 36 | /{,var/}run/firejail/mnt/fslogger r, | 50 | /{,var/}run/firejail/mnt/fslogger r, |
| 37 | /{,var/}run/firejail/appimage r, | 51 | /{,var/}run/firejail/appimage r, |
| 38 | /{,var/}run/firejail/appimage/** r, | 52 | /{,var/}run/firejail/appimage/** r, |
| 39 | /{,var/}run/firejail/appimage/** ix, | 53 | /{,var/}run/firejail/appimage/** ix, |
| 54 | /run/firejail/mnt/oroot/{,var/}run/firejail/mnt/fslogger r, | ||
| 55 | /run/firejail/mnt/oroot/{,var/}run/firejail/appimage r, | ||
| 56 | /run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** r, | ||
| 57 | /run/firejail/mnt/oroot/{,var/}run/firejail/appimage/** ix, | ||
| 58 | |||
| 40 | /{run,dev}/shm/ r, | 59 | /{run,dev}/shm/ r, |
| 41 | /{run,dev}/shm/** rmwk, | 60 | owner /{run,dev}/shm/** rmwk, |
| 61 | /run/firejail/mnt/oroot/{run,dev}/shm/ r, | ||
| 62 | owner /run/firejail/mnt/oroot/{run,dev}/shm/** rmwk, | ||
| 42 | 63 | ||
| 64 | # Needed for wine | ||
| 65 | /{,var/}run/firejail/profile/@{PID} w, | ||
| 66 | |||
| 67 | ########## | ||
| 68 | # Mask /proc and /sys information leakage. The configuration here is barely | ||
| 69 | # enough to run "top" or "ps aux". | ||
| 70 | ########## | ||
| 43 | /proc/ r, | 71 | /proc/ r, |
| 44 | /proc/meminfo r, | 72 | /proc/meminfo r, |
| 45 | /proc/cpuinfo r, | 73 | /proc/cpuinfo r, |
| @@ -49,6 +77,7 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
| 49 | /proc/stat r, | 77 | /proc/stat r, |
| 50 | /proc/sys/kernel/pid_max r, | 78 | /proc/sys/kernel/pid_max r, |
| 51 | /proc/sys/kernel/shmmax r, | 79 | /proc/sys/kernel/shmmax r, |
| 80 | /proc/sys/kernel/yama/ptrace_scope r, | ||
| 52 | /proc/sys/vm/overcommit_memory r, | 81 | /proc/sys/vm/overcommit_memory r, |
| 53 | /proc/sys/vm/overcommit_ratio r, | 82 | /proc/sys/vm/overcommit_ratio r, |
| 54 | /proc/sys/kernel/random/uuid r, | 83 | /proc/sys/kernel/random/uuid r, |
| @@ -70,15 +99,22 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
| 70 | /proc/@{PID}/statm r, | 99 | /proc/@{PID}/statm r, |
| 71 | /proc/@{PID}/status r, | 100 | /proc/@{PID}/status r, |
| 72 | /proc/@{PID}/task/@{PID}/stat r, | 101 | /proc/@{PID}/task/@{PID}/stat r, |
| 102 | /proc/@{PID}/task/@{PID}/status r, | ||
| 73 | /proc/@{PID}/maps r, | 103 | /proc/@{PID}/maps r, |
| 104 | /proc/@{PID}/mem r, | ||
| 74 | /proc/@{PID}/mounts r, | 105 | /proc/@{PID}/mounts r, |
| 75 | /proc/@{PID}/mountinfo r, | 106 | /proc/@{PID}/mountinfo r, |
| 107 | deny /proc/@{PID}/oom_adj w, | ||
| 76 | /proc/@{PID}/oom_score_adj r, | 108 | /proc/@{PID}/oom_score_adj r, |
| 109 | deny /proc/@{PID}/oom_score_adj w, | ||
| 77 | /proc/@{PID}/auxv r, | 110 | /proc/@{PID}/auxv r, |
| 78 | /proc/@{PID}/net/dev r, | 111 | /proc/@{PID}/net/dev r, |
| 79 | /proc/@{PID}/loginuid r, | 112 | /proc/@{PID}/loginuid r, |
| 80 | /proc/@{PID}/environ r, | 113 | /proc/@{PID}/environ r, |
| 81 | 114 | ||
| 115 | # Needed by chromium crash handler. Uncomment if you need it. | ||
| 116 | #ptrace (trace tracedby), | ||
| 117 | |||
| 82 | ########## | 118 | ########## |
| 83 | # Allow running programs only from well-known system directories. If you need | 119 | # Allow running programs only from well-known system directories. If you need |
| 84 | # to run programs from your home directory, uncomment /home line. | 120 | # to run programs from your home directory, uncomment /home line. |
| @@ -96,6 +132,23 @@ profile firejail-default flags=(attach_disconnected,mediate_deleted) { | |||
| 96 | /opt/** r, | 132 | /opt/** r, |
| 97 | /opt/** ix, | 133 | /opt/** ix, |
| 98 | #/home/** ix, | 134 | #/home/** ix, |
| 135 | /run/firejail/mnt/oroot/lib/** ix, | ||
| 136 | /run/firejail/mnt/oroot/lib64/** ix, | ||
| 137 | /run/firejail/mnt/oroot/bin/** ix, | ||
| 138 | /run/firejail/mnt/oroot/sbin/** ix, | ||
| 139 | /run/firejail/mnt/oroot/usr/bin/** ix, | ||
| 140 | /run/firejail/mnt/oroot/usr/sbin/** ix, | ||
| 141 | /run/firejail/mnt/oroot/usr/local/** ix, | ||
| 142 | /run/firejail/mnt/oroot/usr/lib/** ix, | ||
| 143 | /run/firejail/mnt/oroot/usr/games/** ix, | ||
| 144 | /run/firejail/mnt/oroot/opt/ r, | ||
| 145 | /run/firejail/mnt/oroot/opt/** r, | ||
| 146 | /run/firejail/mnt/oroot/opt/** ix, | ||
| 147 | |||
| 148 | ########## | ||
| 149 | # Allow acces to cups printing socket | ||
| 150 | ########## | ||
| 151 | /run/cups/cups.sock w, | ||
| 99 | 152 | ||
| 100 | ########## | 153 | ########## |
| 101 | # Allow all networking functionality, and control it from Firejail. | 154 | # Allow all networking functionality, and control it from Firejail. |
diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index d9be8b9c5..63f9d19a9 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile | |||
| @@ -5,35 +5,13 @@ include /etc/firejail/flashpeak-slimjet.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | # This is a whitelisted profile, the internal browser sandbox | ||
| 9 | # is disabled because it requires sudo password. The command | ||
| 10 | # to run it is as follows: | ||
| 11 | # firejail flashpeak-slimjet --no-sandbox | ||
| 12 | |||
| 13 | noblacklist ${HOME}/.cache/slimjet | 8 | noblacklist ${HOME}/.cache/slimjet |
| 14 | noblacklist ${HOME}/.config/slimjet | 9 | noblacklist ${HOME}/.config/slimjet |
| 15 | noblacklist ${HOME}/.pki | ||
| 16 | |||
| 17 | include /etc/firejail/disable-common.inc | ||
| 18 | include /etc/firejail/disable-devel.inc | ||
| 19 | include /etc/firejail/disable-programs.inc | ||
| 20 | 10 | ||
| 21 | mkdir ${HOME}/.cache/slimjet | 11 | mkdir ${HOME}/.cache/slimjet |
| 22 | mkdir ${HOME}/.config/slimjet | 12 | mkdir ${HOME}/.config/slimjet |
| 23 | mkdir ${HOME}/.pki | ||
| 24 | whitelist ${DOWNLOADS} | ||
| 25 | whitelist ${HOME}/.cache/slimjet | 13 | whitelist ${HOME}/.cache/slimjet |
| 26 | whitelist ${HOME}/.config/slimjet | 14 | whitelist ${HOME}/.config/slimjet |
| 27 | whitelist ${HOME}/.pki | ||
| 28 | include /etc/firejail/whitelist-common.inc | ||
| 29 | |||
| 30 | caps.drop all | ||
| 31 | netfilter | ||
| 32 | nodvd | ||
| 33 | nonewprivs | ||
| 34 | noroot | ||
| 35 | notv | ||
| 36 | protocol unix,inet,inet6,netlink | ||
| 37 | seccomp | ||
| 38 | 15 | ||
| 39 | disable-mnt | 16 | # Redirect |
| 17 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 9c7306b85..ab16558ea 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile | |||
| @@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/google-chrome-beta | 8 | noblacklist ${HOME}/.cache/google-chrome-beta |
| 9 | noblacklist ${HOME}/.config/google-chrome-beta | 9 | noblacklist ${HOME}/.config/google-chrome-beta |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 10 | ||
| 16 | mkdir ${HOME}/.cache/google-chrome-beta | 11 | mkdir ${HOME}/.cache/google-chrome-beta |
| 17 | mkdir ${HOME}/.config/google-chrome-beta | 12 | mkdir ${HOME}/.config/google-chrome-beta |
| 18 | mkdir ${HOME}/.pki | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ${HOME}/.cache/google-chrome-beta | 13 | whitelist ${HOME}/.cache/google-chrome-beta |
| 21 | whitelist ${HOME}/.config/google-chrome-beta | 14 | whitelist ${HOME}/.config/google-chrome-beta |
| 22 | whitelist ${HOME}/.pki | ||
| 23 | include /etc/firejail/whitelist-common.inc | ||
| 24 | |||
| 25 | caps.keep sys_chroot,sys_admin | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | notv | ||
| 30 | shell none | ||
| 31 | |||
| 32 | private-dev | ||
| 33 | # private-tmp - problems with multiple browser sessions | ||
| 34 | 15 | ||
| 35 | noexec ${HOME} | 16 | # Redirect |
| 36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index bb05b3e99..b7d0eccf3 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile | |||
| @@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/google-chrome-unstable | 8 | noblacklist ${HOME}/.cache/google-chrome-unstable |
| 9 | noblacklist ${HOME}/.config/google-chrome-unstable | 9 | noblacklist ${HOME}/.config/google-chrome-unstable |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 10 | ||
| 16 | mkdir ${HOME}/.cache/google-chrome-unstable | 11 | mkdir ${HOME}/.cache/google-chrome-unstable |
| 17 | mkdir ${HOME}/.config/google-chrome-unstable | 12 | mkdir ${HOME}/.config/google-chrome-unstable |
| 18 | mkdir ${HOME}/.pki | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ${HOME}/.cache/google-chrome-unstable | 13 | whitelist ${HOME}/.cache/google-chrome-unstable |
| 21 | whitelist ${HOME}/.config/google-chrome-unstable | 14 | whitelist ${HOME}/.config/google-chrome-unstable |
| 22 | whitelist ${HOME}/.pki | ||
| 23 | include /etc/firejail/whitelist-common.inc | ||
| 24 | |||
| 25 | caps.keep sys_chroot,sys_admin | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | notv | ||
| 30 | shell none | ||
| 31 | |||
| 32 | private-dev | ||
| 33 | # private-tmp - problems with multiple browser sessions | ||
| 34 | 15 | ||
| 35 | noexec ${HOME} | 16 | # Redirect |
| 36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 19ebfa974..6e44190ae 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile | |||
| @@ -7,32 +7,11 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/google-chrome | 8 | noblacklist ${HOME}/.cache/google-chrome |
| 9 | noblacklist ${HOME}/.config/google-chrome | 9 | noblacklist ${HOME}/.config/google-chrome |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 10 | ||
| 16 | mkdir ${HOME}/.cache/google-chrome | 11 | mkdir ${HOME}/.cache/google-chrome |
| 17 | mkdir ${HOME}/.config/google-chrome | 12 | mkdir ${HOME}/.config/google-chrome |
| 18 | mkdir ${HOME}/.pki | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ${HOME}/.cache/google-chrome | 13 | whitelist ${HOME}/.cache/google-chrome |
| 21 | whitelist ${HOME}/.config/google-chrome | 14 | whitelist ${HOME}/.config/google-chrome |
| 22 | whitelist ${HOME}/.pki | ||
| 23 | include /etc/firejail/whitelist-common.inc | ||
| 24 | include /etc/firejail/whitelist-var-common.inc | ||
| 25 | |||
| 26 | caps.keep sys_chroot,sys_admin | ||
| 27 | netfilter | ||
| 28 | nodvd | ||
| 29 | nogroups | ||
| 30 | notv | ||
| 31 | shell none | ||
| 32 | |||
| 33 | disable-mnt | ||
| 34 | private-dev | ||
| 35 | # private-tmp - problems with multiple browser sessions | ||
| 36 | 15 | ||
| 37 | noexec ${HOME} | 16 | # Redirect |
| 38 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 8ad3ac5f3..58e059087 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile | |||
| @@ -39,7 +39,7 @@ tracelog | |||
| 39 | 39 | ||
| 40 | private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4 | 40 | private-bin gwenview,gimp*,kbuildsycoca4,kdeinit4 |
| 41 | private-dev | 41 | private-dev |
| 42 | # private-etc X11 | 42 | private-etc fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,xdg |
| 43 | 43 | ||
| 44 | # memory-deny-write-execute | 44 | # memory-deny-write-execute |
| 45 | noexec ${HOME} | 45 | noexec ${HOME} |
diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 634ced575..02f8e9eeb 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile | |||
| @@ -6,6 +6,7 @@ include /etc/firejail/hexchat.local | |||
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/hexchat | 8 | noblacklist ${HOME}/.config/hexchat |
| 9 | noblacklist /usr/share/perl* | ||
| 9 | # noblacklist /usr/lib/python2* | 10 | # noblacklist /usr/lib/python2* |
| 10 | # noblacklist /usr/lib/python3* | 11 | # noblacklist /usr/lib/python3* |
| 11 | 12 | ||
diff --git a/etc/icecat.profile b/etc/icecat.profile index 9e5526c95..42e762c21 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile | |||
| @@ -7,46 +7,14 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
| 9 | noblacklist ${HOME}/.mozilla | 9 | noblacklist ${HOME}/.mozilla |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | 10 | ||
| 16 | mkdir ${HOME}/.cache/mozilla/icecat | 11 | mkdir ${HOME}/.cache/mozilla/icecat |
| 17 | mkdir ${HOME}/.mozilla | 12 | mkdir ${HOME}/.mozilla |
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 20 | whitelist ${HOME}/.cache/mozilla/icecat | 13 | whitelist ${HOME}/.cache/mozilla/icecat |
| 21 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 22 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 23 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 24 | whitelist ${HOME}/.keysnail.js | ||
| 25 | whitelist ${HOME}/.lastpass | ||
| 26 | whitelist ${HOME}/.mozilla | 14 | whitelist ${HOME}/.mozilla |
| 27 | whitelist ${HOME}/.pentadactyl | ||
| 28 | whitelist ${HOME}/.pentadactylrc | ||
| 29 | whitelist ${HOME}/.pki | ||
| 30 | whitelist ${HOME}/.vimperator | ||
| 31 | whitelist ${HOME}/.vimperatorrc | ||
| 32 | whitelist ${HOME}/.wine-pipelight | ||
| 33 | whitelist ${HOME}/.wine-pipelight64 | ||
| 34 | whitelist ${HOME}/.zotero | ||
| 35 | whitelist ${HOME}/dwhelper | ||
| 36 | include /etc/firejail/whitelist-common.inc | ||
| 37 | |||
| 38 | caps.drop all | ||
| 39 | netfilter | ||
| 40 | nodvd | ||
| 41 | nonewprivs | ||
| 42 | noroot | ||
| 43 | notv | ||
| 44 | protocol unix,inet,inet6,netlink | ||
| 45 | seccomp | ||
| 46 | tracelog | ||
| 47 | 15 | ||
| 48 | disable-mnt | 16 | # private-etc must first be enabled in firefox-common.profile |
| 49 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 17 | #private-etc icecat |
| 50 | 18 | ||
| 51 | noexec ${HOME} | 19 | # Redirect |
| 52 | noexec /tmp | 20 | include /etc/firejail/firefox-common.profile |
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile index f6b57dde0..51f15aa1b 100644 --- a/etc/iceweasel.profile +++ b/etc/iceweasel.profile | |||
| @@ -5,6 +5,8 @@ include /etc/firejail/iceweasel.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | # private-etc must first be enabled in firefox-common.profile | ||
| 9 | #private-etc iceweasel | ||
| 8 | 10 | ||
| 9 | # Redirect | 11 | # Redirect |
| 10 | include /etc/firejail/firefox.profile | 12 | include /etc/firejail/firefox.profile |
diff --git a/etc/idea.profile b/etc/idea.profile new file mode 100644 index 000000000..623d71734 --- /dev/null +++ b/etc/idea.profile | |||
| @@ -0,0 +1,10 @@ | |||
| 1 | # Firejail profile for idea | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/idea.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | |||
| 9 | # Redirect | ||
| 10 | include /etc/firejail/idea.sh.profile | ||
diff --git a/etc/inox.profile b/etc/inox.profile index fbc654434..652761c54 100644 --- a/etc/inox.profile +++ b/etc/inox.profile | |||
| @@ -7,30 +7,11 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/inox | 8 | noblacklist ${HOME}/.cache/inox |
| 9 | noblacklist ${HOME}/.config/inox | 9 | noblacklist ${HOME}/.config/inox |
| 10 | noblacklist ${HOME}/.pki | ||
| 11 | |||
| 12 | include /etc/firejail/disable-common.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 10 | ||
| 15 | mkdir ${HOME}/.cache/inox | 11 | mkdir ${HOME}/.cache/inox |
| 16 | mkdir ${HOME}/.config/inox | 12 | mkdir ${HOME}/.config/inox |
| 17 | mkdir ${HOME}/.pki | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/inox | 13 | whitelist ${HOME}/.cache/inox |
| 20 | whitelist ${HOME}/.config/inox | 14 | whitelist ${HOME}/.config/inox |
| 21 | whitelist ${HOME}/.pki | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 23 | include /etc/firejail/whitelist-var-common.inc | ||
| 24 | |||
| 25 | caps.keep sys_chroot,sys_admin | ||
| 26 | netfilter | ||
| 27 | nodvd | ||
| 28 | nogroups | ||
| 29 | notv | ||
| 30 | shell none | ||
| 31 | |||
| 32 | private-dev | ||
| 33 | # private-tmp - problems with multiple browser sessions | ||
| 34 | 15 | ||
| 35 | noexec ${HOME} | 16 | # Redirect |
| 36 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/iridium.profile b/etc/iridium.profile index 76026722f..2869c3070 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile | |||
| @@ -8,30 +8,10 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.cache/iridium | 8 | noblacklist ${HOME}/.cache/iridium |
| 9 | noblacklist ${HOME}/.config/iridium | 9 | noblacklist ${HOME}/.config/iridium |
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | # chromium/iridium is distributed with a perl script on Arch | ||
| 13 | # include /etc/firejail/disable-devel.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | |||
| 16 | mkdir ${HOME}/.cache/iridium | 11 | mkdir ${HOME}/.cache/iridium |
| 17 | mkdir ${HOME}/.config/iridium | 12 | mkdir ${HOME}/.config/iridium |
| 18 | mkdir ${HOME}/.pki | ||
| 19 | whitelist ${DOWNLOADS} | ||
| 20 | whitelist ${HOME}/.cache/iridium | 13 | whitelist ${HOME}/.cache/iridium |
| 21 | whitelist ${HOME}/.config/iridium | 14 | whitelist ${HOME}/.config/iridium |
| 22 | whitelist ${HOME}/.pki | ||
| 23 | include /etc/firejail/whitelist-common.inc | ||
| 24 | include /etc/firejail/whitelist-var-common.inc | ||
| 25 | |||
| 26 | caps.keep sys_chroot,sys_admin | ||
| 27 | netfilter | ||
| 28 | nodvd | ||
| 29 | nogroups | ||
| 30 | notv | ||
| 31 | shell none | ||
| 32 | |||
| 33 | private-dev | ||
| 34 | # private-tmp - problems with multiple browser sessions | ||
| 35 | 15 | ||
| 36 | noexec ${HOME} | 16 | # Redirect |
| 37 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/kaffeine.profile b/etc/kaffeine.profile new file mode 100644 index 000000000..07280ab6d --- /dev/null +++ b/etc/kaffeine.profile | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | # Firejail profile for kaffeine | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/kaffeine.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.config/kaffeinerc | ||
| 9 | noblacklist ${HOME}/.kde/share/apps/kaffeine | ||
| 10 | noblacklist ${HOME}/.kde/share/config/kaffeinerc | ||
| 11 | noblacklist ${HOME}/.kde4/share/apps/kaffeine | ||
| 12 | noblacklist ${HOME}/.kde4/share/config/kaffeinerc | ||
| 13 | noblacklist ${HOME}/.local/share/kaffeine | ||
| 14 | |||
| 15 | include /etc/firejail/disable-common.inc | ||
| 16 | include /etc/firejail/disable-devel.inc | ||
| 17 | include /etc/firejail/disable-passwdmgr.inc | ||
| 18 | include /etc/firejail/disable-programs.inc | ||
| 19 | |||
| 20 | include /etc/firejail/whitelist-var-common.inc | ||
| 21 | |||
| 22 | caps.drop all | ||
| 23 | netfilter | ||
| 24 | nogroups | ||
| 25 | nonewprivs | ||
| 26 | noroot | ||
| 27 | novideo | ||
| 28 | protocol unix,inet,inet6 | ||
| 29 | seccomp | ||
| 30 | shell none | ||
| 31 | |||
| 32 | # private-bin kaffeine | ||
| 33 | private-dev | ||
| 34 | private-tmp | ||
| 35 | |||
| 36 | noexec ${HOME} | ||
| 37 | noexec /tmp | ||
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 871706b02..b6d48356d 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile | |||
| @@ -6,6 +6,9 @@ include /etc/firejail/kdenlive.local | |||
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | # blacklist /run/user/*/bus | 8 | # blacklist /run/user/*/bus |
| 9 | noblacklist ${HOME}/.cache/kdenlive | ||
| 10 | noblacklist ${HOME}/.config/kdenliverc | ||
| 11 | noblacklist ${HOME}/.local/share/kdenlive | ||
| 9 | 12 | ||
| 10 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
| @@ -25,7 +28,7 @@ shell none | |||
| 25 | 28 | ||
| 26 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper | 29 | private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper |
| 27 | private-dev | 30 | private-dev |
| 28 | # private-etc fonts,alternatives,X11,pulse,passwd | 31 | # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg,X11 |
| 29 | 32 | ||
| 30 | # noexec ${HOME} | 33 | # noexec ${HOME} |
| 31 | noexec /tmp | 34 | noexec /tmp |
diff --git a/etc/kget.profile b/etc/kget.profile index 25c66e044..c4e073c2b 100644 --- a/etc/kget.profile +++ b/etc/kget.profile | |||
| @@ -5,10 +5,12 @@ include /etc/firejail/kget.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.config/kgetrc | ||
| 8 | noblacklist ${HOME}/.kde/share/apps/kget | 9 | noblacklist ${HOME}/.kde/share/apps/kget |
| 9 | noblacklist ${HOME}/.kde/share/config/kgetrc | 10 | noblacklist ${HOME}/.kde/share/config/kgetrc |
| 10 | noblacklist ${HOME}/.kde4/share/apps/kget | 11 | noblacklist ${HOME}/.kde4/share/apps/kget |
| 11 | noblacklist ${HOME}/.kde4/share/config/kgetrc | 12 | noblacklist ${HOME}/.kde4/share/config/kgetrc |
| 13 | noblacklist ${HOME}/.local/share/kget | ||
| 12 | 14 | ||
| 13 | include /etc/firejail/disable-common.inc | 15 | include /etc/firejail/disable-common.inc |
| 14 | include /etc/firejail/disable-devel.inc | 16 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/kmail.profile b/etc/kmail.profile index 7aad57987..ca774f4ec 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile | |||
| @@ -25,6 +25,8 @@ protocol unix,inet,inet6,netlink | |||
| 25 | # blacklisting of chroot system calls breaks kmail | 25 | # blacklisting of chroot system calls breaks kmail |
| 26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice | 26 | seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice |
| 27 | # tracelog | 27 | # tracelog |
| 28 | # writable-run-user is needed for signing and encrypting emails | ||
| 29 | writable-run-user | ||
| 28 | 30 | ||
| 29 | private-dev | 31 | private-dev |
| 30 | # private-tmp | 32 | # private-tmp - breaks akonadi and opening of email attachments |
diff --git a/etc/krita.profile b/etc/krita.profile index 0d2b62c5d..c621e2c72 100644 --- a/etc/krita.profile +++ b/etc/krita.profile | |||
| @@ -7,6 +7,7 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | # blacklist /run/user/*/bus | 8 | # blacklist /run/user/*/bus |
| 9 | noblacklist ${HOME}/.config/kritarc | 9 | noblacklist ${HOME}/.config/kritarc |
| 10 | noblacklist ${HOME}/.local/share/krita | ||
| 10 | 11 | ||
| 11 | include /etc/firejail/disable-common.inc | 12 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/krunner.profile b/etc/krunner.profile index 606b67677..1e97f4290 100644 --- a/etc/krunner.profile +++ b/etc/krunner.profile | |||
| @@ -5,12 +5,15 @@ include /etc/firejail/krunner.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | # start a program in krunner: program will run with this generic profile | 8 | # - programs started in krunner run with this generic profile. |
| 9 | # open a file in krunner: file viewer will run with its own profile (if firejailed automatically) | 9 | # - when a file is opened in krunner, the file viewer runs in its own sandbox |
| 10 | # with its own profile, if it is sandboxed automatically. | ||
| 10 | 11 | ||
| 12 | # noblacklist ${HOME}/.cache/krunner | ||
| 11 | noblacklist ${HOME}/.config/krunnerrc | 13 | noblacklist ${HOME}/.config/krunnerrc |
| 12 | noblacklist ${HOME}/.kde/share/config/krunnerrc | 14 | noblacklist ${HOME}/.kde/share/config/krunnerrc |
| 13 | noblacklist ${HOME}/.kde4/share/config/krunnerrc | 15 | noblacklist ${HOME}/.kde4/share/config/krunnerrc |
| 16 | # noblacklist ${HOME}/.local/share/baloo | ||
| 14 | 17 | ||
| 15 | include /etc/firejail/disable-common.inc | 18 | include /etc/firejail/disable-common.inc |
| 16 | # include /etc/firejail/disable-devel.inc | 19 | # include /etc/firejail/disable-devel.inc |
| @@ -21,6 +24,7 @@ include /etc/firejail/whitelist-var-common.inc | |||
| 21 | 24 | ||
| 22 | caps.drop all | 25 | caps.drop all |
| 23 | netfilter | 26 | netfilter |
| 27 | nogroups | ||
| 24 | nonewprivs | 28 | nonewprivs |
| 25 | noroot | 29 | noroot |
| 26 | protocol unix,inet,inet6 | 30 | protocol unix,inet,inet6 |
diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile index 91bb62efc..534e7cd51 100644 --- a/etc/kwin_x11.profile +++ b/etc/kwin_x11.profile | |||
| @@ -5,6 +5,7 @@ include /etc/firejail/kwin_x11.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/kwin | ||
| 8 | noblacklist ${HOME}/.config/kwinrc | 9 | noblacklist ${HOME}/.config/kwinrc |
| 9 | noblacklist ${HOME}/.config/kwinrulesrc | 10 | noblacklist ${HOME}/.config/kwinrulesrc |
| 10 | noblacklist ${HOME}/.local/share/kwin | 11 | noblacklist ${HOME}/.local/share/kwin |
| @@ -33,7 +34,7 @@ tracelog | |||
| 33 | disable-mnt | 34 | disable-mnt |
| 34 | private-bin kwin_x11 | 35 | private-bin kwin_x11 |
| 35 | private-dev | 36 | private-dev |
| 36 | private-etc drirc,fonts,ld.so.cache,machine-id,xdg | 37 | private-etc drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg |
| 37 | private-tmp | 38 | private-tmp |
| 38 | 39 | ||
| 39 | noexec ${HOME} | 40 | noexec ${HOME} |
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 3548a75ad..220e0f02c 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile | |||
| @@ -34,3 +34,5 @@ private-tmp | |||
| 34 | 34 | ||
| 35 | noexec ${HOME} | 35 | noexec ${HOME} |
| 36 | noexec /tmp | 36 | noexec /tmp |
| 37 | |||
| 38 | join-or-start libreoffice | ||
diff --git a/etc/okular.profile b/etc/okular.profile index 31b773852..d98d4792f 100644 --- a/etc/okular.profile +++ b/etc/okular.profile | |||
| @@ -7,6 +7,7 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | # blacklist /run/user/*/bus | 8 | # blacklist /run/user/*/bus |
| 9 | 9 | ||
| 10 | noblacklist ${HOME}/.cache/okular | ||
| 10 | noblacklist ${HOME}/.config/okularpartrc | 11 | noblacklist ${HOME}/.config/okularpartrc |
| 11 | noblacklist ${HOME}/.config/okularrc | 12 | noblacklist ${HOME}/.config/okularrc |
| 12 | noblacklist ${HOME}/.kde/share/apps/okular | 13 | noblacklist ${HOME}/.kde/share/apps/okular |
| @@ -42,7 +43,7 @@ tracelog | |||
| 42 | 43 | ||
| 43 | private-bin okular,kbuildsycoca4,kdeinit4,lpr | 44 | private-bin okular,kbuildsycoca4,kdeinit4,lpr |
| 44 | private-dev | 45 | private-dev |
| 45 | private-etc alternatives,cups,fonts,ld.so.cache,machine-id | 46 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg |
| 46 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 47 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
| 47 | 48 | ||
| 48 | # memory-deny-write-execute | 49 | # memory-deny-write-execute |
diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile index 7220f7e1c..8cbe5be7f 100644 --- a/etc/onionshare-gui.profile +++ b/etc/onionshare-gui.profile | |||
| @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc | |||
| 12 | include /etc/firejail/disable-passwdmgr.inc | 12 | include /etc/firejail/disable-passwdmgr.inc |
| 13 | include /etc/firejail/disable-programs.inc | 13 | include /etc/firejail/disable-programs.inc |
| 14 | 14 | ||
| 15 | include /etc/firejail/whitelist-var-common.inc | ||
| 16 | |||
| 15 | caps.drop all | 17 | caps.drop all |
| 16 | ipc-namespace | 18 | ipc-namespace |
| 17 | netfilter | 19 | netfilter |
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 3fe86d26c..38a3152d2 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile | |||
| @@ -5,24 +5,13 @@ include /etc/firejail/opera-beta.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/opera | ||
| 8 | noblacklist ${HOME}/.config/opera-beta | 9 | noblacklist ${HOME}/.config/opera-beta |
| 9 | noblacklist ${HOME}/.pki | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | 10 | ||
| 15 | mkdir ${HOME}/.cache/opera | 11 | mkdir ${HOME}/.cache/opera |
| 16 | mkdir ${HOME}/.config/opera-beta | 12 | mkdir ${HOME}/.config/opera-beta |
| 17 | mkdir ${HOME}/.pki | ||
| 18 | whitelist ${DOWNLOADS} | ||
| 19 | whitelist ${HOME}/.cache/opera | 13 | whitelist ${HOME}/.cache/opera |
| 20 | whitelist ${HOME}/.config/opera-beta | 14 | whitelist ${HOME}/.config/opera-beta |
| 21 | whitelist ${HOME}/.pki | ||
| 22 | include /etc/firejail/whitelist-common.inc | ||
| 23 | |||
| 24 | netfilter | ||
| 25 | nodvd | ||
| 26 | notv | ||
| 27 | 15 | ||
| 28 | disable-mnt | 16 | # Redirect |
| 17 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/opera.profile b/etc/opera.profile index fed7564b2..c0138c555 100644 --- a/etc/opera.profile +++ b/etc/opera.profile | |||
| @@ -8,25 +8,13 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.cache/opera | 8 | noblacklist ${HOME}/.cache/opera |
| 9 | noblacklist ${HOME}/.config/opera | 9 | noblacklist ${HOME}/.config/opera |
| 10 | noblacklist ${HOME}/.opera | 10 | noblacklist ${HOME}/.opera |
| 11 | noblacklist ${HOME}/.pki | ||
| 12 | |||
| 13 | include /etc/firejail/disable-common.inc | ||
| 14 | include /etc/firejail/disable-devel.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | 11 | ||
| 17 | mkdir ${HOME}/.cache/opera | 12 | mkdir ${HOME}/.cache/opera |
| 18 | mkdir ${HOME}/.config/opera | 13 | mkdir ${HOME}/.config/opera |
| 19 | mkdir ${HOME}/.opera | 14 | mkdir ${HOME}/.opera |
| 20 | mkdir ${HOME}/.pki | ||
| 21 | whitelist ${DOWNLOADS} | ||
| 22 | whitelist ${HOME}/.cache/opera | 15 | whitelist ${HOME}/.cache/opera |
| 23 | whitelist ${HOME}/.config/opera | 16 | whitelist ${HOME}/.config/opera |
| 24 | whitelist ${HOME}/.opera | 17 | whitelist ${HOME}/.opera |
| 25 | whitelist ${HOME}/.pki | ||
| 26 | include /etc/firejail/whitelist-common.inc | ||
| 27 | |||
| 28 | netfilter | ||
| 29 | nodvd | ||
| 30 | notv | ||
| 31 | 18 | ||
| 32 | disable-mnt | 19 | # Redirect |
| 20 | include /etc/firejail/chromium-common.profile | ||
diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 1112a9bb7..ff7087e55 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile | |||
| @@ -8,53 +8,15 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.cache/moonchild productions/pale moon | 8 | noblacklist ${HOME}/.cache/moonchild productions/pale moon |
| 9 | noblacklist ${HOME}/.moonchild productions/pale moon | 9 | noblacklist ${HOME}/.moonchild productions/pale moon |
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | # These are uncommented in the Firefox profile. If you run into trouble you may | ||
| 16 | # want to uncomment (some of) them. | ||
| 17 | #whitelist ${HOME}/dwhelper | ||
| 18 | #whitelist ${HOME}/.zotero | ||
| 19 | #whitelist ${HOME}/.vimperatorrc | ||
| 20 | #whitelist ${HOME}/.vimperator | ||
| 21 | #whitelist ${HOME}/.pentadactylrc | ||
| 22 | #whitelist ${HOME}/.pentadactyl | ||
| 23 | #whitelist ${HOME}/.keysnail.js | ||
| 24 | #whitelist ${HOME}/.config/gnome-mplayer | ||
| 25 | #whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 26 | #whitelist ${HOME}/.pki | ||
| 27 | #whitelist ${HOME}/.lastpass | ||
| 28 | |||
| 29 | # For silverlight | ||
| 30 | #whitelist ${HOME}/.wine-pipelight | ||
| 31 | #whitelist ${HOME}/.wine-pipelight64 | ||
| 32 | #whitelist ${HOME}/.config/pipelight-widevine | ||
| 33 | #whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 34 | |||
| 35 | mkdir ${HOME}/.cache/moonchild productions/pale moon | 11 | mkdir ${HOME}/.cache/moonchild productions/pale moon |
| 36 | mkdir ${HOME}/.moonchild productions | 12 | mkdir ${HOME}/.moonchild productions |
| 37 | whitelist ${DOWNLOADS} | ||
| 38 | whitelist ${HOME}/.cache/moonchild productions/pale moon | 13 | whitelist ${HOME}/.cache/moonchild productions/pale moon |
| 39 | whitelist ${HOME}/.moonchild productions | 14 | whitelist ${HOME}/.moonchild productions |
| 40 | include /etc/firejail/whitelist-common.inc | ||
| 41 | |||
| 42 | caps.drop all | ||
| 43 | netfilter | ||
| 44 | nodvd | ||
| 45 | nogroups | ||
| 46 | nonewprivs | ||
| 47 | noroot | ||
| 48 | notv | ||
| 49 | protocol unix,inet,inet6,netlink | ||
| 50 | seccomp | ||
| 51 | shell none | ||
| 52 | tracelog | ||
| 53 | 15 | ||
| 54 | # private-bin palemoon | 16 | #private-bin palemoon |
| 55 | # private-dev (disabled for now as it will interfere with webcam use in palemoon) | 17 | # private-etc must first be enabled in firefox-common.profile |
| 56 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse | 18 | #private-etc palemoon |
| 57 | # private-opt palemoon | 19 | #private-opt palemoon |
| 58 | private-tmp | ||
| 59 | 20 | ||
| 60 | disable-mnt | 21 | # Redirect |
| 22 | include /etc/firejail/firefox-common.profile | ||
diff --git a/etc/xmr-stak-cpu.profile b/etc/pdfchain.profile index 9cc6e0c1f..d43c0911e 100644..100755 --- a/etc/xmr-stak-cpu.profile +++ b/etc/pdfchain.profile | |||
| @@ -1,40 +1,37 @@ | |||
| 1 | # Firejail profile for xmr-stak-cpu | 1 | # Firejail profile for pdfchain |
| 2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
| 3 | # Persistent local customizations | 3 | # Persistent local customizations |
| 4 | include /etc/firejail/xmr-stak-cpu.local | 4 | include /etc/firejail/pdfchain.local |
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | 8 | ||
| 9 | blacklist /run/user/*/bus | ||
| 10 | |||
| 9 | include /etc/firejail/disable-common.inc | 11 | include /etc/firejail/disable-common.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 10 | include /etc/firejail/disable-devel.inc | 13 | include /etc/firejail/disable-devel.inc |
| 11 | include /etc/firejail/disable-passwdmgr.inc | 14 | include /etc/firejail/disable-passwdmgr.inc |
| 12 | include /etc/firejail/disable-programs.inc | ||
| 13 | 15 | ||
| 14 | include /etc/firejail/whitelist-var-common.inc | 16 | include /etc/firejail/whitelist-var-common.inc |
| 15 | 17 | ||
| 16 | caps.drop all | 18 | caps.drop all |
| 17 | ipc-namespace | 19 | ipc-namespace |
| 18 | netfilter | 20 | net none |
| 19 | no3d | 21 | no3d |
| 20 | nodvd | ||
| 21 | nogroups | 22 | nogroups |
| 22 | nonewprivs | 23 | nonewprivs |
| 23 | noroot | 24 | noroot |
| 24 | nosound | 25 | nosound |
| 25 | notv | 26 | notv |
| 26 | novideo | 27 | novideo |
| 27 | protocol unix,inet,inet6 | 28 | protocol unix |
| 28 | seccomp | 29 | seccomp |
| 29 | shell none | 30 | shell none |
| 30 | 31 | ||
| 31 | disable-mnt | 32 | private-bin pdfchain,pdftk,sh |
| 32 | private | ||
| 33 | private-bin xmr-stak-cpu | ||
| 34 | private-dev | 33 | private-dev |
| 35 | private-etc xmr-stak-cpu.json | 34 | private-etc dconf,fonts,gtk-3.0,xdg |
| 36 | private-lib | ||
| 37 | private-opt none | ||
| 38 | private-tmp | 35 | private-tmp |
| 39 | 36 | ||
| 40 | memory-deny-write-execute | 37 | memory-deny-write-execute |
diff --git a/etc/pitivi.profile b/etc/pitivi.profile index f2640ed66..6df03e042 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile | |||
| @@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc | |||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 15 | 15 | ||
| 16 | include /etc/firejail/whitelist-var-common.inc | ||
| 17 | |||
| 16 | caps.drop all | 18 | caps.drop all |
| 17 | ipc-namespace | 19 | ipc-namespace |
| 18 | netfilter | 20 | netfilter |
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index a01b1e9a8..da870ab76 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile | |||
| @@ -8,6 +8,7 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.cache/qBittorrent | 8 | noblacklist ${HOME}/.cache/qBittorrent |
| 9 | noblacklist ${HOME}/.config/qBittorrent | 9 | noblacklist ${HOME}/.config/qBittorrent |
| 10 | noblacklist ${HOME}/.config/qBittorrentrc | 10 | noblacklist ${HOME}/.config/qBittorrentrc |
| 11 | noblacklist ${HOME}/.local/share/data/qBittorrent | ||
| 11 | 12 | ||
| 12 | include /etc/firejail/disable-common.inc | 13 | include /etc/firejail/disable-common.inc |
| 13 | include /etc/firejail/disable-devel.inc | 14 | include /etc/firejail/disable-devel.inc |
diff --git a/etc/qtox.profile b/etc/qtox.profile index a8d980a18..648282db4 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile | |||
| @@ -33,7 +33,7 @@ tracelog | |||
| 33 | 33 | ||
| 34 | disable-mnt | 34 | disable-mnt |
| 35 | private-bin qtox | 35 | private-bin qtox |
| 36 | private-etc fonts,resolv.conf,ld.so.cache | 36 | private-etc fonts,resolv.conf,ld.so.cache,localtime |
| 37 | private-dev | 37 | private-dev |
| 38 | private-tmp | 38 | private-tmp |
| 39 | 39 | ||
diff --git a/etc/redeclipse.profile b/etc/redeclipse.profile new file mode 100644 index 000000000..f0a993c54 --- /dev/null +++ b/etc/redeclipse.profile | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | # Firejail profile for redeclipse | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/redeclipse.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.redeclipse | ||
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ${HOME}/.redeclipse | ||
| 16 | whitelist ${HOME}/.redeclipse | ||
| 17 | include /etc/firejail/whitelist-common.inc | ||
| 18 | include /etc/firejail/whitelist-var-common.inc | ||
| 19 | |||
| 20 | caps.drop all | ||
| 21 | netfilter | ||
| 22 | nodvd | ||
| 23 | nogroups | ||
| 24 | nonewprivs | ||
| 25 | noroot | ||
| 26 | notv | ||
| 27 | novideo | ||
| 28 | protocol unix,inet,inet6 | ||
| 29 | seccomp | ||
| 30 | shell none | ||
| 31 | |||
| 32 | disable-mnt | ||
| 33 | private-dev | ||
| 34 | private-tmp | ||
| 35 | |||
| 36 | noexec ${HOME} | ||
| 37 | noexec /tmp | ||
diff --git a/etc/remmina.profile b/etc/remmina.profile index 3bb6aa0b1..cc209b84a 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile | |||
| @@ -5,6 +5,7 @@ include /etc/firejail/remmina.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.remmina | ||
| 8 | noblacklist ${HOME}/.config/remmina | 9 | noblacklist ${HOME}/.config/remmina |
| 9 | noblacklist ${HOME}/.local/share/remmina | 10 | noblacklist ${HOME}/.local/share/remmina |
| 10 | noblacklist ${HOME}/.ssh | 11 | noblacklist ${HOME}/.ssh |
| @@ -23,6 +24,7 @@ notv | |||
| 23 | novideo | 24 | novideo |
| 24 | protocol unix,inet,inet6 | 25 | protocol unix,inet,inet6 |
| 25 | seccomp | 26 | seccomp |
| 27 | # seccomp.keep access,arch_prctl,brk,chmod,clock_getres,clock_gettime,clone,close,connect,dup3,eventfd2,execve,fadvise64,fallocate,fcntl,flock,fstat,fstatfs,fsync,ftruncate,futex,getdents,getegid,geteuid,getgid,getpeername,getpid,getrandom,getresgid,getresuid,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,memfd_create,mmap,mprotect,mremap,munmap,nanosleep,open,openat,pipe,pipe2,poll,prctl,prlimit64,pwrite64,read,readlink,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,sendmmsg,sendmsg,sendto,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,tgkill,uname,utimensat,write,writev | ||
| 26 | shell none | 28 | shell none |
| 27 | 29 | ||
| 28 | private-dev | 30 | private-dev |
diff --git a/etc/scribus.profile b/etc/scribus.profile index 001b91387..8ce63fbf0 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile | |||
| @@ -8,6 +8,7 @@ include /etc/firejail/globals.local | |||
| 8 | blacklist /run/user/*/bus | 8 | blacklist /run/user/*/bus |
| 9 | 9 | ||
| 10 | # Support for PDF readers comes with Scribus 1.5 and higher | 10 | # Support for PDF readers comes with Scribus 1.5 and higher |
| 11 | noblacklist ${HOME}/.cache/okular | ||
| 11 | noblacklist ${HOME}/.config/okularpartrc | 12 | noblacklist ${HOME}/.config/okularpartrc |
| 12 | noblacklist ${HOME}/.config/okularrc | 13 | noblacklist ${HOME}/.config/okularrc |
| 13 | noblacklist ${HOME}/.config/scribus | 14 | noblacklist ${HOME}/.config/scribus |
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index c27fb3819..1f64567ef 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile | |||
| @@ -5,8 +5,6 @@ include /etc/firejail/soundconverter.local | |||
| 5 | # Persistent global definitions | 5 | # Persistent global definitions |
| 6 | include /etc/firejail/globals.local | 6 | include /etc/firejail/globals.local |
| 7 | 7 | ||
| 8 | blacklist /run/user/*/bus | ||
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | 8 | include /etc/firejail/disable-common.inc |
| 11 | include /etc/firejail/disable-devel.inc | 9 | include /etc/firejail/disable-devel.inc |
| 12 | include /etc/firejail/disable-passwdmgr.inc | 10 | include /etc/firejail/disable-passwdmgr.inc |
diff --git a/etc/spotify.profile b/etc/spotify.profile index 736bd3520..fcd0ab92e 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile | |||
| @@ -42,7 +42,7 @@ shell none | |||
| 42 | tracelog | 42 | tracelog |
| 43 | 43 | ||
| 44 | disable-mnt | 44 | disable-mnt |
| 45 | private-bin spotify,bash,sh | 45 | private-bin spotify,bash,sh,zenity |
| 46 | private-dev | 46 | private-dev |
| 47 | private-etc fonts,machine-id,pulse,resolv.conf | 47 | private-etc fonts,machine-id,pulse,resolv.conf |
| 48 | private-opt spotify | 48 | private-opt spotify |
diff --git a/etc/steam.profile b/etc/steam.profile index 1e0fd57d1..4965d3a54 100644 --- a/etc/steam.profile +++ b/etc/steam.profile | |||
| @@ -29,6 +29,8 @@ include /etc/firejail/disable-devel.inc | |||
| 29 | include /etc/firejail/disable-passwdmgr.inc | 29 | include /etc/firejail/disable-passwdmgr.inc |
| 30 | include /etc/firejail/disable-programs.inc | 30 | include /etc/firejail/disable-programs.inc |
| 31 | 31 | ||
| 32 | include /etc/firejail/whitelist-var-common.inc | ||
| 33 | |||
| 32 | caps.drop all | 34 | caps.drop all |
| 33 | netfilter | 35 | netfilter |
| 34 | nodvd | 36 | nodvd |
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index 226781332..6045d6d17 100644 --- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile | |||
| @@ -21,14 +21,14 @@ whitelist ${HOME}/.cache/thunderbird | |||
| 21 | whitelist ${HOME}/.gnupg | 21 | whitelist ${HOME}/.gnupg |
| 22 | # whitelist ${HOME}/.icedove | 22 | # whitelist ${HOME}/.icedove |
| 23 | whitelist ${HOME}/.thunderbird | 23 | whitelist ${HOME}/.thunderbird |
| 24 | include /etc/firejail/whitelist-common.inc | ||
| 25 | include /etc/firejail/whitelist-var-common.inc | ||
| 26 | 24 | ||
| 27 | # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE | 25 | # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE |
| 28 | ignore private-tmp | 26 | ignore private-tmp |
| 29 | # machine-id breaks pulse audio; it should work fine in setups where sound is not required | 27 | # machine-id breaks audio in browsers; enable it when sound is not required |
| 30 | #machine-id | 28 | # machine-id |
| 31 | read-only ${HOME}/.config/mimeapps.list | 29 | read-only ${HOME}/.config/mimeapps.list |
| 30 | # writable-run-user is needed for signing and encrypting emails | ||
| 31 | writable-run-user | ||
| 32 | 32 | ||
| 33 | # allow browsers | 33 | # allow browsers |
| 34 | # Redirect | 34 | # Redirect |
diff --git a/etc/tilp.profile b/etc/tilp.profile new file mode 100644 index 000000000..a6165fbfe --- /dev/null +++ b/etc/tilp.profile | |||
| @@ -0,0 +1,34 @@ | |||
| 1 | # Firejail profile for tilp | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/tilp.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.tilp | ||
| 9 | |||
| 10 | include /etc/firejail/disable-common.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | caps.drop all | ||
| 16 | net none | ||
| 17 | nodvd | ||
| 18 | nogroups | ||
| 19 | nonewprivs | ||
| 20 | noroot | ||
| 21 | notv | ||
| 22 | novideo | ||
| 23 | protocol unix,netlink | ||
| 24 | seccomp | ||
| 25 | shell none | ||
| 26 | tracelog | ||
| 27 | |||
| 28 | disable-mnt | ||
| 29 | private-bin tilp | ||
| 30 | private-etc fonts | ||
| 31 | private-tmp | ||
| 32 | |||
| 33 | noexec ${HOME} | ||
| 34 | noexec /tmp | ||
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index b802478a2..02ef57cce 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile | |||
| @@ -13,9 +13,12 @@ include /etc/firejail/disable-devel.inc | |||
| 13 | include /etc/firejail/disable-passwdmgr.inc | 13 | include /etc/firejail/disable-passwdmgr.inc |
| 14 | include /etc/firejail/disable-programs.inc | 14 | include /etc/firejail/disable-programs.inc |
| 15 | 15 | ||
| 16 | mkdir ${HOME}/.config/torbrowser | ||
| 17 | mkdir ${HOME}/.local/share/torbrowser | ||
| 16 | whitelist ${HOME}/.config/torbrowser | 18 | whitelist ${HOME}/.config/torbrowser |
| 17 | whitelist ${HOME}/.local/share/torbrowser | 19 | whitelist ${HOME}/.local/share/torbrowser |
| 18 | include /etc/firejail/whitelist-common.inc | 20 | include /etc/firejail/whitelist-common.inc |
| 21 | include /etc/firejail/whitelist-var-common.inc | ||
| 19 | 22 | ||
| 20 | caps.drop all | 23 | caps.drop all |
| 21 | netfilter | 24 | netfilter |
| @@ -33,7 +36,7 @@ tracelog | |||
| 33 | disable-mnt | 36 | disable-mnt |
| 34 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher | 37 | private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher |
| 35 | private-dev | 38 | private-dev |
| 36 | private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies | 39 | private-etc fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id |
| 37 | private-tmp | 40 | private-tmp |
| 38 | 41 | ||
| 39 | noexec /tmp | 42 | noexec /tmp |
diff --git a/etc/unbound.profile b/etc/unbound.profile index c03a25752..233e7464f 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile | |||
| @@ -15,6 +15,9 @@ include /etc/firejail/disable-devel.inc | |||
| 15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
| 16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
| 17 | 17 | ||
| 18 | whitelist /var/lib/unbound | ||
| 19 | whitelist /var/run | ||
| 20 | |||
| 18 | caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource | 21 | caps.keep net_bind_service,setgid,setuid,sys_chroot,sys_resource |
| 19 | no3d | 22 | no3d |
| 20 | nodvd | 23 | nodvd |
| @@ -23,6 +26,7 @@ nosound | |||
| 23 | notv | 26 | notv |
| 24 | novideo | 27 | novideo |
| 25 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open | 28 | seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open |
| 29 | writable-var | ||
| 26 | 30 | ||
| 27 | disable-mnt | 31 | disable-mnt |
| 28 | private | 32 | private |
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 3a1f72f23..aeef58292 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile | |||
| @@ -8,28 +8,10 @@ include /etc/firejail/globals.local | |||
| 8 | noblacklist ${HOME}/.cache/vivaldi | 8 | noblacklist ${HOME}/.cache/vivaldi |
| 9 | noblacklist ${HOME}/.config/vivaldi | 9 | noblacklist ${HOME}/.config/vivaldi |
| 10 | 10 | ||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-programs.inc | ||
| 14 | |||
| 15 | mkdir ${HOME}/.cache/vivaldi | 11 | mkdir ${HOME}/.cache/vivaldi |
| 16 | mkdir ${HOME}/.config/vivaldi | 12 | mkdir ${HOME}/.config/vivaldi |
| 17 | whitelist ${DOWNLOADS} | ||
| 18 | whitelist ${HOME}/.cache/vivaldi | 13 | whitelist ${HOME}/.cache/vivaldi |
| 19 | whitelist ${HOME}/.config/vivaldi | 14 | whitelist ${HOME}/.config/vivaldi |
| 20 | include /etc/firejail/whitelist-common.inc | ||
| 21 | include /etc/firejail/whitelist-var-common.inc | ||
| 22 | |||
| 23 | caps.keep sys_chroot,sys_admin | ||
| 24 | netfilter | ||
| 25 | nodvd | ||
| 26 | nogroups | ||
| 27 | notv | ||
| 28 | shell none | ||
| 29 | |||
| 30 | disable-mnt | ||
| 31 | private-dev | ||
| 32 | # private-tmp - problems with multiple browser sessions | ||
| 33 | 15 | ||
| 34 | noexec ${HOME} | 16 | # Redirect |
| 35 | noexec /tmp | 17 | include /etc/firejail/chromium-common.profile |
diff --git a/etc/waterfox.profile b/etc/waterfox.profile index b2abb3a5f..fdd299bbf 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile | |||
| @@ -7,83 +7,22 @@ include /etc/firejail/globals.local | |||
| 7 | 7 | ||
| 8 | noblacklist ${HOME}/.cache/mozilla | 8 | noblacklist ${HOME}/.cache/mozilla |
| 9 | noblacklist ${HOME}/.cache/waterfox | 9 | noblacklist ${HOME}/.cache/waterfox |
| 10 | noblacklist ${HOME}/.config/okularpartrc | ||
| 11 | noblacklist ${HOME}/.config/okularrc | ||
| 12 | noblacklist ${HOME}/.config/qpdfview | ||
| 13 | noblacklist ${HOME}/.kde/share/apps/okular | ||
| 14 | noblacklist ${HOME}/.kde/share/config/okularpartrc | ||
| 15 | noblacklist ${HOME}/.kde/share/config/okularrc | ||
| 16 | noblacklist ${HOME}/.kde4/share/apps/okular | ||
| 17 | noblacklist ${HOME}/.kde4/share/config/okularpartrc | ||
| 18 | noblacklist ${HOME}/.kde4/share/config/okularrc | ||
| 19 | # noblacklist ${HOME}/.local/share/gnome-shell/extensions | ||
| 20 | noblacklist ${HOME}/.local/share/okular | ||
| 21 | noblacklist ${HOME}/.local/share/qpdfview | ||
| 22 | noblacklist ${HOME}/.mozilla | 10 | noblacklist ${HOME}/.mozilla |
| 23 | noblacklist ${HOME}/.waterfox | 11 | noblacklist ${HOME}/.waterfox |
| 24 | noblacklist ${HOME}/.pki | ||
| 25 | |||
| 26 | include /etc/firejail/disable-common.inc | ||
| 27 | include /etc/firejail/disable-devel.inc | ||
| 28 | include /etc/firejail/disable-programs.inc | ||
| 29 | 12 | ||
| 30 | mkdir ${HOME}/.cache/mozilla/firefox | 13 | mkdir ${HOME}/.cache/mozilla/firefox |
| 31 | mkdir ${HOME}/.mozilla | 14 | mkdir ${HOME}/.mozilla |
| 32 | mkdir ${HOME}/.cache/waterfox | 15 | mkdir ${HOME}/.cache/waterfox |
| 33 | mkdir ${HOME}/.waterfox | 16 | mkdir ${HOME}/.waterfox |
| 34 | mkdir ${HOME}/.pki | ||
| 35 | whitelist ${DOWNLOADS} | ||
| 36 | whitelist ${HOME}/.cache/gnome-mplayer/plugin | ||
| 37 | whitelist ${HOME}/.cache/mozilla/firefox | 17 | whitelist ${HOME}/.cache/mozilla/firefox |
| 38 | whitelist ${HOME}/.cache/waterfox | 18 | whitelist ${HOME}/.cache/waterfox |
| 39 | whitelist ${HOME}/.config/gnome-mplayer | ||
| 40 | whitelist ${HOME}/.config/okularpartrc | ||
| 41 | whitelist ${HOME}/.config/okularrc | ||
| 42 | whitelist ${HOME}/.config/pipelight-silverlight5.1 | ||
| 43 | whitelist ${HOME}/.config/pipelight-widevine | ||
| 44 | whitelist ${HOME}/.config/qpdfview | ||
| 45 | whitelist ${HOME}/.kde/share/apps/okular | ||
| 46 | whitelist ${HOME}/.kde/share/config/okularpartrc | ||
| 47 | whitelist ${HOME}/.kde/share/config/okularrc | ||
| 48 | whitelist ${HOME}/.kde4/share/apps/okular | ||
| 49 | whitelist ${HOME}/.kde4/share/config/okularpartrc | ||
| 50 | whitelist ${HOME}/.kde4/share/config/okularrc | ||
| 51 | whitelist ${HOME}/.keysnail.js | ||
| 52 | whitelist ${HOME}/.lastpass | ||
| 53 | whitelist ${HOME}/.local/share/gnome-shell/extensions | ||
| 54 | whitelist ${HOME}/.local/share/okular | ||
| 55 | whitelist ${HOME}/.local/share/qpdfview | ||
| 56 | whitelist ${HOME}/.mozilla | 19 | whitelist ${HOME}/.mozilla |
| 57 | whitelist ${HOME}/.waterfox | 20 | whitelist ${HOME}/.waterfox |
| 58 | whitelist ${HOME}/.pentadactyl | ||
| 59 | whitelist ${HOME}/.pentadactylrc | ||
| 60 | whitelist ${HOME}/.pki | ||
| 61 | whitelist ${HOME}/.vimperator | ||
| 62 | whitelist ${HOME}/.vimperatorrc | ||
| 63 | whitelist ${HOME}/.wine-pipelight | ||
| 64 | whitelist ${HOME}/.wine-pipelight64 | ||
| 65 | whitelist ${HOME}/.zotero | ||
| 66 | whitelist ${HOME}/dwhelper | ||
| 67 | include /etc/firejail/whitelist-common.inc | ||
| 68 | include /etc/firejail/whitelist-var-common.inc | ||
| 69 | |||
| 70 | caps.drop all | ||
| 71 | netfilter | ||
| 72 | nodvd | ||
| 73 | nogroups | ||
| 74 | nonewprivs | ||
| 75 | noroot | ||
| 76 | notv | ||
| 77 | protocol unix,inet,inet6,netlink | ||
| 78 | seccomp | ||
| 79 | shell none | ||
| 80 | tracelog | ||
| 81 | 21 | ||
| 82 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. | 22 | # waterfox requires a shell to launch on Arch. We can possibly remove sh though. |
| 83 | # private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash | 23 | #private-bin waterfox,which,sh,dbus-launch,dbus-send,env,bash |
| 84 | private-dev | 24 | # private-etc must first be enabled in firefox-common.profile |
| 85 | # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse | 25 | #private-etc waterfox |
| 86 | private-tmp | ||
| 87 | 26 | ||
| 88 | noexec ${HOME} | 27 | # Redirect |
| 89 | noexec /tmp | 28 | include /etc/firejail/firefox-common.profile |
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 3beb11bfb..c664d5a53 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc | |||
| @@ -55,14 +55,20 @@ whitelist ${HOME}/.config/dconf | |||
| 55 | whitelist ${HOME}/.config/Kvantum | 55 | whitelist ${HOME}/.config/Kvantum |
| 56 | whitelist ${HOME}/.config/Trolltech.conf | 56 | whitelist ${HOME}/.config/Trolltech.conf |
| 57 | whitelist ${HOME}/.config/kdeglobals | 57 | whitelist ${HOME}/.config/kdeglobals |
| 58 | whitelist ${HOME}/.config/kio_httprc | ||
| 58 | whitelist ${HOME}/.config/kioslaverc | 59 | whitelist ${HOME}/.config/kioslaverc |
| 60 | whitelist ${HOME}/.config/ksslcablacklist | ||
| 59 | whitelist ${HOME}/.config/qt5ct | 61 | whitelist ${HOME}/.config/qt5ct |
| 60 | whitelist ${HOME}/.kde/share/config/kdeglobals | 62 | whitelist ${HOME}/.kde/share/config/kdeglobals |
| 63 | whitelist ${HOME}/.kde/share/config/kio_httprc | ||
| 61 | whitelist ${HOME}/.kde/share/config/kioslaverc | 64 | whitelist ${HOME}/.kde/share/config/kioslaverc |
| 65 | whitelist ${HOME}/.kde/share/config/ksslcablacklist | ||
| 62 | whitelist ${HOME}/.kde/share/config/oxygenrc | 66 | whitelist ${HOME}/.kde/share/config/oxygenrc |
| 63 | whitelist ${HOME}/.kde/share/icons | 67 | whitelist ${HOME}/.kde/share/icons |
| 64 | whitelist ${HOME}/.kde4/share/config/kdeglobals | 68 | whitelist ${HOME}/.kde4/share/config/kdeglobals |
| 69 | whitelist ${HOME}/.kde4/share/config/kio_httprc | ||
| 65 | whitelist ${HOME}/.kde4/share/config/kioslaverc | 70 | whitelist ${HOME}/.kde4/share/config/kioslaverc |
| 71 | whitelist ${HOME}/.kde4/share/config/ksslcablacklist | ||
| 66 | whitelist ${HOME}/.kde4/share/config/oxygenrc | 72 | whitelist ${HOME}/.kde4/share/config/oxygenrc |
| 67 | whitelist ${HOME}/.kde4/share/icons | 73 | whitelist ${HOME}/.kde4/share/icons |
| 68 | whitelist ${HOME}/.local/share/qt5ct | 74 | whitelist ${HOME}/.local/share/qt5ct |
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile new file mode 100644 index 000000000..151a4c694 --- /dev/null +++ b/etc/xmr-stak.profile | |||
| @@ -0,0 +1,44 @@ | |||
| 1 | # Firejail profile for xmr-stak | ||
| 2 | # This file is overwritten after every install/update | ||
| 3 | # Persistent local customizations | ||
| 4 | include /etc/firejail/xmr-stak.local | ||
| 5 | # Persistent global definitions | ||
| 6 | include /etc/firejail/globals.local | ||
| 7 | |||
| 8 | noblacklist ${HOME}/.xmr-stak | ||
| 9 | noblacklist /usr/lib/llvm* | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-passwdmgr.inc | ||
| 14 | include /etc/firejail/disable-programs.inc | ||
| 15 | |||
| 16 | mkdir ${HOME}/.xmr-stak | ||
| 17 | include /etc/firejail/whitelist-var-common.inc | ||
| 18 | |||
| 19 | caps.drop all | ||
| 20 | ipc-namespace | ||
| 21 | netfilter | ||
| 22 | nodvd | ||
| 23 | nogroups | ||
| 24 | nonewprivs | ||
| 25 | noroot | ||
| 26 | nosound | ||
| 27 | notv | ||
| 28 | novideo | ||
| 29 | protocol unix,inet,inet6 | ||
| 30 | seccomp | ||
| 31 | shell none | ||
| 32 | |||
| 33 | disable-mnt | ||
| 34 | private ${HOME}/.xmr-stak | ||
| 35 | private-bin xmr-stak | ||
| 36 | private-dev | ||
| 37 | private-etc ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | ||
| 38 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend | ||
| 39 | private-opt cuda | ||
| 40 | private-tmp | ||
| 41 | |||
| 42 | memory-deny-write-execute | ||
| 43 | noexec ${HOME} | ||
| 44 | noexec /tmp | ||
diff --git a/etc/xonotic.profile b/etc/xonotic.profile index d17d2b612..7a466db9b 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile | |||
| @@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc | |||
| 15 | mkdir ${HOME}/.xonotic | 15 | mkdir ${HOME}/.xonotic |
| 16 | whitelist ${HOME}/.xonotic | 16 | whitelist ${HOME}/.xonotic |
| 17 | include /etc/firejail/whitelist-common.inc | 17 | include /etc/firejail/whitelist-common.inc |
| 18 | include /etc/firejail/whitelist-var-common.inc | ||
| 18 | 19 | ||
| 19 | caps.drop all | 20 | caps.drop all |
| 20 | netfilter | 21 | netfilter |
diff --git a/etc/yandex-browser.profile b/etc/yandex-browser.profile index 1c7769727..fdb7694a5 100644 --- a/etc/yandex-browser.profile +++ b/etc/yandex-browser.profile | |||
| @@ -9,35 +9,15 @@ noblacklist ${HOME}/.cache/yandex-browser | |||
| 9 | noblacklist ${HOME}/.cache/yandex-browser-beta | 9 | noblacklist ${HOME}/.cache/yandex-browser-beta |
| 10 | noblacklist ${HOME}/.config/yandex-browser | 10 | noblacklist ${HOME}/.config/yandex-browser |
| 11 | noblacklist ${HOME}/.config/yandex-browser-beta | 11 | noblacklist ${HOME}/.config/yandex-browser-beta |
| 12 | noblacklist ${HOME}/.pki | ||
| 13 | |||
| 14 | include /etc/firejail/disable-common.inc | ||
| 15 | include /etc/firejail/disable-devel.inc | ||
| 16 | include /etc/firejail/disable-programs.inc | ||
| 17 | 12 | ||
| 18 | mkdir ${HOME}/.cache/yandex-browser | 13 | mkdir ${HOME}/.cache/yandex-browser |
| 19 | mkdir ${HOME}/.cache/yandex-browser-beta | 14 | mkdir ${HOME}/.cache/yandex-browser-beta |
| 20 | mkdir ${HOME}/.config/yandex-browser | 15 | mkdir ${HOME}/.config/yandex-browser |
| 21 | mkdir ${HOME}/.config/yandex-browser-beta | 16 | mkdir ${HOME}/.config/yandex-browser-beta |
| 22 | mkdir ${HOME}/.pki | ||
| 23 | whitelist ${DOWNLOADS} | ||
| 24 | whitelist ${HOME}/.cache/yandex-browser | 17 | whitelist ${HOME}/.cache/yandex-browser |
| 25 | whitelist ${HOME}/.cache/yandex-browser-beta | 18 | whitelist ${HOME}/.cache/yandex-browser-beta |
| 26 | whitelist ${HOME}/.config/yandex-browser | 19 | whitelist ${HOME}/.config/yandex-browser |
| 27 | whitelist ${HOME}/.config/yandex-browser-beta | 20 | whitelist ${HOME}/.config/yandex-browser-beta |
| 28 | whitelist ${HOME}/.pki | ||
| 29 | include /etc/firejail/whitelist-common.inc | ||
| 30 | |||
| 31 | caps.keep sys_chroot,sys_admin | ||
| 32 | netfilter | ||
| 33 | nodvd | ||
| 34 | nogroups | ||
| 35 | notv | ||
| 36 | shell none | ||
| 37 | |||
| 38 | disable-mnt | ||
| 39 | private-dev | ||
| 40 | # private-tmp - problems with multiple browser sessions | ||
| 41 | 21 | ||
| 42 | noexec ${HOME} | 22 | # Redirect |
| 43 | noexec /tmp | 23 | include /etc/firejail/chromium-common.profile |