diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/QMediathekView.profile | 54 | ||||
| -rw-r--r-- | etc/aria2c.profile | 45 | ||||
| -rw-r--r-- | etc/disable-programs.inc | 3 | ||||
| -rw-r--r-- | etc/file.profile | 4 | ||||
| -rw-r--r-- | etc/strings.profile | 4 |
5 files changed, 109 insertions, 1 deletions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile new file mode 100644 index 000000000..558f62f0e --- /dev/null +++ b/etc/QMediathekView.profile | |||
| @@ -0,0 +1,54 @@ | |||
| 1 | # Firejail profile for QMediathekView | ||
| 2 | # Description: Search, download or stream files from mediathek.de | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include /etc/firejail/QMediathekView.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include /etc/firejail/globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.config/QMediathekView | ||
| 10 | noblacklist ${HOME}/.local/share/QMediathekView | ||
| 11 | |||
| 12 | noblacklist ${HOME}/.config/mpv | ||
| 13 | noblacklist ${HOME}/.config/smplayer | ||
| 14 | noblacklist ${HOME}/.config/totem | ||
| 15 | noblacklist ${HOME}/.config/vlc | ||
| 16 | noblacklist ${HOME}/.config/xplayer | ||
| 17 | noblacklist ${HOME}/.local/share/totem | ||
| 18 | noblacklist ${HOME}/.local/share/xplayer | ||
| 19 | noblacklist ${HOME}/.mplayer | ||
| 20 | |||
| 21 | include /etc/firejail/disable-common.inc | ||
| 22 | include /etc/firejail/disable-devel.inc | ||
| 23 | include /etc/firejail/disable-interpreters.inc | ||
| 24 | include /etc/firejail/disable-passwdmgr.inc | ||
| 25 | include /etc/firejail/disable-programs.inc | ||
| 26 | |||
| 27 | include /etc/firejail/whitelist-var-common.inc | ||
| 28 | |||
| 29 | caps.drop all | ||
| 30 | netfilter | ||
| 31 | # no3d | ||
| 32 | # nodbus | ||
| 33 | nodvd | ||
| 34 | nogroups | ||
| 35 | nonewprivs | ||
| 36 | noroot | ||
| 37 | notv | ||
| 38 | nou2f | ||
| 39 | protocol unix,inet,inet6 | ||
| 40 | seccomp | ||
| 41 | shell none | ||
| 42 | tracelog | ||
| 43 | |||
| 44 | disable-mnt | ||
| 45 | private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer | ||
| 46 | private-cache | ||
| 47 | private-dev | ||
| 48 | # private-etc none | ||
| 49 | # private-lib | ||
| 50 | private-tmp | ||
| 51 | |||
| 52 | # memory-deny-write-execute - breaks on Arch | ||
| 53 | noexec ${HOME} | ||
| 54 | noexec /tmp | ||
diff --git a/etc/aria2c.profile b/etc/aria2c.profile new file mode 100644 index 000000000..4231c58ff --- /dev/null +++ b/etc/aria2c.profile | |||
| @@ -0,0 +1,45 @@ | |||
| 1 | # Firejail profile for aria2c | ||
| 2 | # Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink | ||
| 3 | # This file is overwritten after every install/update | ||
| 4 | # Persistent local customizations | ||
| 5 | include /etc/firejail/aria2c.local | ||
| 6 | # Persistent global definitions | ||
| 7 | include /etc/firejail/globals.local | ||
| 8 | |||
| 9 | noblacklist ${HOME}/.aria2 | ||
| 10 | |||
| 11 | include /etc/firejail/disable-common.inc | ||
| 12 | include /etc/firejail/disable-devel.inc | ||
| 13 | include /etc/firejail/disable-interpreters.inc | ||
| 14 | include /etc/firejail/disable-passwdmgr.inc | ||
| 15 | include /etc/firejail/disable-programs.inc | ||
| 16 | include /etc/firejail/disable-xdg.inc | ||
| 17 | |||
| 18 | caps.drop all | ||
| 19 | ipc-namespace | ||
| 20 | netfilter | ||
| 21 | no3d | ||
| 22 | nodbus | ||
| 23 | nodvd | ||
| 24 | nogroups | ||
| 25 | nonewprivs | ||
| 26 | noroot | ||
| 27 | nosound | ||
| 28 | notv | ||
| 29 | novideo | ||
| 30 | protocol unix,inet,inet6 | ||
| 31 | seccomp | ||
| 32 | shell none | ||
| 33 | |||
| 34 | disable-mnt | ||
| 35 | # private | ||
| 36 | private-bin aria2c,gzip | ||
| 37 | private-cache | ||
| 38 | private-dev | ||
| 39 | private-etc ca-certificates,ssl | ||
| 40 | private-lib libreadline.so.* | ||
| 41 | private-tmp | ||
| 42 | |||
| 43 | memory-deny-write-execute | ||
| 44 | noexec ${HOME} | ||
| 45 | noexec /tmp | ||
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index c0dad2ee9..b050b8b25 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
| @@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule | |||
| 32 | blacklist ${HOME}/.android | 32 | blacklist ${HOME}/.android |
| 33 | blacklist ${HOME}/.anydesk | 33 | blacklist ${HOME}/.anydesk |
| 34 | blacklist ${HOME}/.arduino15 | 34 | blacklist ${HOME}/.arduino15 |
| 35 | blacklist ${HOME}/.aria2 | ||
| 35 | blacklist ${HOME}/.arm | 36 | blacklist ${HOME}/.arm |
| 36 | blacklist ${HOME}/.asunder_album_genre | 37 | blacklist ${HOME}/.asunder_album_genre |
| 37 | blacklist ${HOME}/.asunder_album_title | 38 | blacklist ${HOME}/.asunder_album_title |
| @@ -71,6 +72,7 @@ blacklist ${HOME}/.config/MuseScore | |||
| 71 | blacklist ${HOME}/.config/MusicBrainz | 72 | blacklist ${HOME}/.config/MusicBrainz |
| 72 | blacklist ${HOME}/.config/Nylas Mail | 73 | blacklist ${HOME}/.config/Nylas Mail |
| 73 | blacklist ${HOME}/.config/Qlipper | 74 | blacklist ${HOME}/.config/Qlipper |
| 75 | blacklist ${HOME}/.config/QMediathekView | ||
| 74 | blacklist ${HOME}/.config/QuiteRss | 76 | blacklist ${HOME}/.config/QuiteRss |
| 75 | blacklist ${HOME}/.config/QuiteRssrc | 77 | blacklist ${HOME}/.config/QuiteRssrc |
| 76 | blacklist ${HOME}/.config/Rambox | 78 | blacklist ${HOME}/.config/Rambox |
| @@ -361,6 +363,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease | |||
| 361 | blacklist ${HOME}/.local/share/Empathy | 363 | blacklist ${HOME}/.local/share/Empathy |
| 362 | blacklist ${HOME}/.local/share/JetBrains | 364 | blacklist ${HOME}/.local/share/JetBrains |
| 363 | blacklist ${HOME}/.local/share/Mumble | 365 | blacklist ${HOME}/.local/share/Mumble |
| 366 | blacklist ${HOME}/.local/share/QMediathekView | ||
| 364 | blacklist ${HOME}/.local/share/QuiteRss | 367 | blacklist ${HOME}/.local/share/QuiteRss |
| 365 | blacklist ${HOME}/.local/share/Ricochet | 368 | blacklist ${HOME}/.local/share/Ricochet |
| 366 | blacklist ${HOME}/.local/share/Steam | 369 | blacklist ${HOME}/.local/share/Steam |
diff --git a/etc/file.profile b/etc/file.profile index 5d1227520..00e18de20 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
| @@ -30,10 +30,12 @@ shell none | |||
| 30 | tracelog | 30 | tracelog |
| 31 | x11 none | 31 | x11 none |
| 32 | 32 | ||
| 33 | private-bin file | 33 | #private-bin file |
| 34 | private-cache | ||
| 34 | private-dev | 35 | private-dev |
| 35 | private-etc magic.mgc,magic,localtime | 36 | private-etc magic.mgc,magic,localtime |
| 36 | private-lib | 37 | private-lib |
| 38 | private-tmp | ||
| 37 | 39 | ||
| 38 | memory-deny-write-execute | 40 | memory-deny-write-execute |
| 39 | noexec ${HOME} | 41 | noexec ${HOME} |
diff --git a/etc/strings.profile b/etc/strings.profile index 5bea9525f..ae2fbf18f 100644 --- a/etc/strings.profile +++ b/etc/strings.profile | |||
| @@ -21,9 +21,13 @@ shell none | |||
| 21 | tracelog | 21 | tracelog |
| 22 | 22 | ||
| 23 | private-bin strings | 23 | private-bin strings |
| 24 | private-cache | ||
| 24 | private-dev | 25 | private-dev |
| 26 | private-etc none | ||
| 25 | private-lib | 27 | private-lib |
| 26 | 28 | ||
| 27 | memory-deny-write-execute | 29 | memory-deny-write-execute |
| 30 | noexec ${HOME} | ||
| 31 | noexec /tmp | ||
| 28 | 32 | ||
| 29 | include /etc/firejail/default.profile | 33 | include /etc/firejail/default.profile |