12 files changed, 404 insertions, 1 deletions
diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile
new file mode 100644
index 000000000..558f62f0e
--- /dev/null
+++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
+# Firejail profile for QMediathekView
+# Description: Search, download or stream files from mediathek.de
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/QMediathekView.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/QMediathekView
+noblacklist ${HOME}/.local/share/QMediathekView
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/totem
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.config/xplayer
+noblacklist ${HOME}/.local/share/totem
+noblacklist ${HOME}/.local/share/xplayer
+noblacklist ${HOME}/.mplayer
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+netfilter
+# no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
+private-cache
+private-dev
+# private-etc none
+# private-lib
+private-tmp
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/aria2c.profile b/etc/aria2c.profile
new file mode 100644
index 000000000..4231c58ff
--- /dev/null
+++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
+# Firejail profile for aria2c
+# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aria2c.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.aria2
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+# private
+private-bin aria2c,gzip
+private-cache
+private-dev
+private-etc ca-certificates,ssl
+private-lib libreadline.so.*
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/authenticator.profile b/etc/authenticator.profile
new file mode 100644
index 000000000..f10abdda8
--- /dev/null
+++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
+# Firejail profile for authenticator
+# Description: 2FA code generator for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/authenticator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# blacklisted in 'disable-programs.local'
+noblacklist ${HOME}/.config/Authenticator
+# Allow python 3.x (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# apparmor
+caps.drop all
+net none
+no3d
+# nodbus - makes settings immutable
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+# novideo
+nou2f
+protocol unix
+seccomp
+shell none
+disable-mnt
+# private-bin authenticator
+private-cache
+private-dev
+private-etc fonts,ld.so.cache
+# private-lib
+private-tmp
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile
new file mode 100644
index 000000000..c8b8be04e
--- /dev/null
+++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
+# Firejail profile for checkbashisms
+# Description: Lint tool for shell scripts
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/checkbashisms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${DOCUMENTS}
+# Allow perl (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/cpan*
+noblacklist ${PATH}/core_perl
+noblacklist ${PATH}/perl
+noblacklist /usr/lib/perl*
+noblacklist /usr/share/perl*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-xdg.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+private-dev
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index cb8ae6a80..0274fd66b 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+nou2f
 novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+private-cache
 private-dev
 private-tmp
diff --git a/etc/desktop.profile b/etc/desktop.profile
new file mode 100644
index 000000000..8bfa885a3
--- /dev/null
+++ b/etc/desktop.profile
@@ -0,0 +1,44 @@
+# Firejail profile for desktop
+# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/github-desktop.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+whitelist ${HOME}/.gitconfig
+whitelist ${HOME}/.config/GitHub Desktop
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+# no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+disable-mnt
+# private-bin Atom,desktop
+# private-cache
+# private-dev
+# private-etc none
+# private-lib
+# private-tmp
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/devilspie.profile b/etc/devilspie.profile
new file mode 100644
index 000000000..dbfb05798
--- /dev/null
+++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie
+# Description: Window matching daemon
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.devilspie
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin devilspie
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+# devilspie will never write anything
+read-only ${HOME}
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile
new file mode 100644
index 000000000..3a9a9659a
--- /dev/null
+++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
+# Firejail profile for devilspie2
+# Description: Window matching daemon (Lua)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/devilspie2.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.config/devilspie2
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin devilspie2
+private-cache
+private-dev
+private-etc none
+private-lib gconv
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
+# devilspie2 will never write anything
+read-only ${HOME}
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index f0da93f57..6fa0eed26 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
 blacklist ${HOME}/.arduino15
+blacklist ${HOME}/.aria2
 blacklist ${HOME}/.arm
 blacklist ${HOME}/.asunder_album_genre
 blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
+blacklist ${HOME}/.config/Authenticator
 blacklist ${HOME}/.config/Beaker Browser
 blacklist ${HOME}/.config/Brackets
 blacklist ${HOME}/.config/Clementine
@@ -55,6 +57,7 @@ blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
 blacklist ${HOME}/.config/GIMP
+blacklist ${HOME}/.config/GitHub Desktop
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -71,6 +74,7 @@ blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
+blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/QuiteRss
 blacklist ${HOME}/.config/QuiteRssrc
 blacklist ${HOME}/.config/Rambox
@@ -112,6 +116,7 @@ blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge
+blacklist ${HOME}/.config/devilspie2
 blacklist ${HOME}/.config/digikam
 blacklist ${HOME}/.config/digikamrc
 blacklist ${HOME}/.config/discord
@@ -253,11 +258,13 @@ blacklist ${HOME}/.config/zoomus.conf
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.curlrc
 blacklist ${HOME}/.dashcore
+blacklist ${HOME}/.devilspie
 blacklist ${HOME}/.dia
 blacklist ${HOME}/.dillo
 blacklist ${HOME}/.dooble
 blacklist ${HOME}/.dosbox
 blacklist ${HOME}/.dropbox*
+blacklist ${HOME}/.easystroke
 blacklist ${HOME}/.electron-cache
 blacklist ${HOME}/.electrum*
 blacklist ${HOME}/.elinks
@@ -361,6 +368,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/JetBrains
 blacklist ${HOME}/.local/share/Mumble
+blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
 blacklist ${HOME}/.local/share/Ricochet
 blacklist ${HOME}/.local/share/Steam
diff --git a/etc/easystroke.profile b/etc/easystroke.profile
new file mode 100644
index 000000000..6fac08a5d
--- /dev/null
+++ b/etc/easystroke.profile
@@ -0,0 +1,45 @@
+# Firejail profile for easystroke
+# Description: Control your desktop using mouse gestures
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/easystroke.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.easystroke
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+# nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+disable-mnt
+private-bin easystroke
+private-cache
+private-dev
+private-etc fonts
+private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/file.profile b/etc/file.profile
index 5d1227520..00e18de20 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
 tracelog
 x11 none
-private-bin file
+#private-bin file
+private-cache
 private-dev
 private-etc magic.mgc,magic,localtime
 private-lib
+private-tmp
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/strings.profile b/etc/strings.profile
index 5bea9525f..ae2fbf18f 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
 tracelog
 private-bin strings
+private-cache
 private-dev
+private-etc none
 private-lib
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
 include /etc/firejail/default.profile

diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile new file mode 100644 index 000000000..558f62f0e --- /dev/null +++ b/etc/QMediathekView.profile
@@ -0,0 +1,54 @@
		1	# Firejail profile for QMediathekView
		2	# Description: Search, download or stream files from mediathek.de
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/QMediathekView.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.config/QMediathekView
		10	noblacklist ${HOME}/.local/share/QMediathekView
		11
		12	noblacklist ${HOME}/.config/mpv
		13	noblacklist ${HOME}/.config/smplayer
		14	noblacklist ${HOME}/.config/totem
		15	noblacklist ${HOME}/.config/vlc
		16	noblacklist ${HOME}/.config/xplayer
		17	noblacklist ${HOME}/.local/share/totem
		18	noblacklist ${HOME}/.local/share/xplayer
		19	noblacklist ${HOME}/.mplayer
		20
		21	include /etc/firejail/disable-common.inc
		22	include /etc/firejail/disable-devel.inc
		23	include /etc/firejail/disable-interpreters.inc
		24	include /etc/firejail/disable-passwdmgr.inc
		25	include /etc/firejail/disable-programs.inc
		26
		27	include /etc/firejail/whitelist-var-common.inc
		28
		29	caps.drop all
		30	netfilter
		31	# no3d
		32	# nodbus
		33	nodvd
		34	nogroups
		35	nonewprivs
		36	noroot
		37	notv
		38	nou2f
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42	tracelog
		43
		44	disable-mnt
		45	private-bin QMediathekView,mplayer,mpv,smplayer,totem,vlc,xplayer
		46	private-cache
		47	private-dev
		48	# private-etc none
		49	# private-lib
		50	private-tmp
		51
		52	# memory-deny-write-execute - breaks on Arch
		53	noexec ${HOME}
		54	noexec /tmp


diff --git a/etc/aria2c.profile b/etc/aria2c.profile new file mode 100644 index 000000000..4231c58ff --- /dev/null +++ b/etc/aria2c.profile
@@ -0,0 +1,45 @@
		1	# Firejail profile for aria2c
		2	# Description: Download utility that supports HTTP(S), FTP, BitTorrent and Metalink
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/aria2c.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.aria2
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16	include /etc/firejail/disable-xdg.inc
		17
		18	caps.drop all
		19	ipc-namespace
		20	netfilter
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	novideo
		30	protocol unix,inet,inet6
		31	seccomp
		32	shell none
		33
		34	disable-mnt
		35	# private
		36	private-bin aria2c,gzip
		37	private-cache
		38	private-dev
		39	private-etc ca-certificates,ssl
		40	private-lib libreadline.so.*
		41	private-tmp
		42
		43	memory-deny-write-execute
		44	noexec ${HOME}
		45	noexec /tmp


diff --git a/etc/authenticator.profile b/etc/authenticator.profile new file mode 100644 index 000000000..f10abdda8 --- /dev/null +++ b/etc/authenticator.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for authenticator
		2	# Description: 2FA code generator for GNOME
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/authenticator.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	# blacklisted in 'disable-programs.local'
		10	noblacklist ${HOME}/.config/Authenticator
		11
		12	# Allow python 3.x (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python3*
		14	noblacklist /usr/lib/python3*
		15
		16	include /etc/firejail/disable-common.inc
		17	include /etc/firejail/disable-devel.inc
		18	include /etc/firejail/disable-interpreters.inc
		19	include /etc/firejail/disable-passwdmgr.inc
		20	include /etc/firejail/disable-programs.inc
		21
		22	# apparmor
		23	caps.drop all
		24	net none
		25	no3d
		26	# nodbus - makes settings immutable
		27	nodvd
		28	nogroups
		29	nonewprivs
		30	noroot
		31	nosound
		32	notv
		33	# novideo
		34	nou2f
		35	protocol unix
		36	seccomp
		37	shell none
		38
		39	disable-mnt
		40	# private-bin authenticator
		41	private-cache
		42	private-dev
		43	private-etc fonts,ld.so.cache
		44	# private-lib
		45	private-tmp
		46
		47	# memory-deny-write-execute - breaks on Arch
		48	noexec ${HOME}
		49	noexec /tmp


diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile new file mode 100644 index 000000000..c8b8be04e --- /dev/null +++ b/etc/checkbashisms.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for checkbashisms
		2	# Description: Lint tool for shell scripts
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include /etc/firejail/checkbashisms.local
		7	# Persistent global definitions
		8	include /etc/firejail/globals.local
		9
		10	noblacklist ${DOCUMENTS}
		11
		12	# Allow perl (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/cpan*
		14	noblacklist ${PATH}/core_perl
		15	noblacklist ${PATH}/perl
		16	noblacklist /usr/lib/perl*
		17	noblacklist /usr/share/perl*
		18
		19	include /etc/firejail/disable-common.inc
		20	include /etc/firejail/disable-devel.inc
		21	include /etc/firejail/disable-interpreters.inc
		22	include /etc/firejail/disable-passwdmgr.inc
		23	include /etc/firejail/disable-programs.inc
		24	include /etc/firejail/disable-xdg.inc
		25
		26	include /etc/firejail/whitelist-var-common.inc
		27
		28	caps.drop all
		29	ipc-namespace
		30	net none
		31	no3d
		32	nodbus
		33	nodvd
		34	nogroups
		35	nonewprivs
		36	noroot
		37	nosound
		38	notv
		39	novideo
		40	protocol unix
		41	seccomp
		42	shell none
		43
		44	private-dev
		45	private-tmp
		46
		47	memory-deny-write-execute
		48	noexec ${HOME}
		49	noexec /tmp


diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index cb8ae6a80..0274fd66b 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile
@@ -16,19 +16,24 @@ include /etc/firejail/disable-interpreters.inc
16	include /etc/firejail/disable-passwdmgr.inc	16	include /etc/firejail/disable-passwdmgr.inc
17	include /etc/firejail/disable-programs.inc	17	include /etc/firejail/disable-programs.inc
18		18
		19	include /etc/firejail/whitelist-common.inc
		20
19	caps.drop all	21	caps.drop all
20	netfilter	22	netfilter
		23	no3d
21	nodvd	24	nodvd
22	nogroups	25	nogroups
23	nonewprivs	26	nonewprivs
24	noroot	27	noroot
25	nosound	28	nosound
26	notv	29	notv
		30	nou2f
27	novideo	31	novideo
28	protocol unix,inet,inet6	32	protocol unix,inet,inet6
29	seccomp	33	seccomp
30	shell none	34	shell none
31		35
		36	private-cache
32	private-dev	37	private-dev
33	private-tmp	38	private-tmp
34		39


diff --git a/etc/desktop.profile b/etc/desktop.profile new file mode 100644 index 000000000..8bfa885a3 --- /dev/null +++ b/etc/desktop.profile
@@ -0,0 +1,44 @@
		1	# Firejail profile for desktop
		2	# Description: Extend your GitHub workflow beyond your browser with GitHub Desktop
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/github-desktop.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	whitelist ${HOME}/.gitconfig
		10	whitelist ${HOME}/.config/GitHub Desktop
		11
		12	include /etc/firejail/disable-common.inc
		13	include /etc/firejail/disable-passwdmgr.inc
		14	include /etc/firejail/disable-programs.inc
		15	include /etc/firejail/disable-devel.inc
		16	include /etc/firejail/disable-interpreters.inc
		17
		18	include /etc/firejail/whitelist-common.inc
		19
		20	caps.drop all
		21	netfilter
		22	# no3d
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6,netlink
		32	seccomp
		33
		34	disable-mnt
		35	# private-bin Atom,desktop
		36	# private-cache
		37	# private-dev
		38	# private-etc none
		39	# private-lib
		40	# private-tmp
		41
		42	# memory-deny-write-execute
		43	# noexec ${HOME}
		44	# noexec /tmp


diff --git a/etc/devilspie.profile b/etc/devilspie.profile new file mode 100644 index 000000000..dbfb05798 --- /dev/null +++ b/etc/devilspie.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for devilspie
		2	# Description: Window matching daemon
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/devilspie.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.devilspie
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16
		17	caps.drop all
		18	ipc-namespace
		19	machine-id
		20	net none
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	disable-mnt
		37	private-bin devilspie
		38	private-cache
		39	private-dev
		40	private-etc none
		41	private-lib gconv
		42	private-tmp
		43
		44	memory-deny-write-execute
		45	noexec ${HOME}
		46	noexec /tmp
		47
		48	# devilspie will never write anything
		49	read-only ${HOME}


diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile new file mode 100644 index 000000000..3a9a9659a --- /dev/null +++ b/etc/devilspie2.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for devilspie2
		2	# Description: Window matching daemon (Lua)
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/devilspie2.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.config/devilspie2
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16
		17	caps.drop all
		18	ipc-namespace
		19	machine-id
		20	net none
		21	no3d
		22	nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	disable-mnt
		37	private-bin devilspie2
		38	private-cache
		39	private-dev
		40	private-etc none
		41	private-lib gconv
		42	private-tmp
		43
		44	memory-deny-write-execute
		45	noexec ${HOME}
		46	noexec /tmp
		47
		48	# devilspie2 will never write anything
		49	read-only ${HOME}


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index f0da93f57..6fa0eed26 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -32,6 +32,7 @@ blacklist ${HOME}/.aMule
32	blacklist ${HOME}/.android	32	blacklist ${HOME}/.android
33	blacklist ${HOME}/.anydesk	33	blacklist ${HOME}/.anydesk
34	blacklist ${HOME}/.arduino15	34	blacklist ${HOME}/.arduino15
		35	blacklist ${HOME}/.aria2
35	blacklist ${HOME}/.arm	36	blacklist ${HOME}/.arm
36	blacklist ${HOME}/.asunder_album_genre	37	blacklist ${HOME}/.asunder_album_genre
37	blacklist ${HOME}/.asunder_album_title	38	blacklist ${HOME}/.asunder_album_title
@@ -46,6 +47,7 @@ blacklist ${HOME}/.config/0ad
46	blacklist ${HOME}/.config/2048-qt	47	blacklist ${HOME}/.config/2048-qt
47	blacklist ${HOME}/.config/Atom	48	blacklist ${HOME}/.config/Atom
48	blacklist ${HOME}/.config/Audaciousrc	49	blacklist ${HOME}/.config/Audaciousrc
		50	blacklist ${HOME}/.config/Authenticator
49	blacklist ${HOME}/.config/Beaker Browser	51	blacklist ${HOME}/.config/Beaker Browser
50	blacklist ${HOME}/.config/Brackets	52	blacklist ${HOME}/.config/Brackets
51	blacklist ${HOME}/.config/Clementine	53	blacklist ${HOME}/.config/Clementine
@@ -55,6 +57,7 @@ blacklist ${HOME}/.config/Franz
55	blacklist ${HOME}/.config/FreeCAD	57	blacklist ${HOME}/.config/FreeCAD
56	blacklist ${HOME}/.config/Fritzing	58	blacklist ${HOME}/.config/Fritzing
57	blacklist ${HOME}/.config/GIMP	59	blacklist ${HOME}/.config/GIMP
		60	blacklist ${HOME}/.config/GitHub Desktop
58	blacklist ${HOME}/.config/Gitter	61	blacklist ${HOME}/.config/Gitter
59	blacklist ${HOME}/.config/Google	62	blacklist ${HOME}/.config/Google
60	blacklist ${HOME}/.config/Google Play Music Desktop Player	63	blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -71,6 +74,7 @@ blacklist ${HOME}/.config/MuseScore
71	blacklist ${HOME}/.config/MusicBrainz	74	blacklist ${HOME}/.config/MusicBrainz
72	blacklist ${HOME}/.config/Nylas Mail	75	blacklist ${HOME}/.config/Nylas Mail
73	blacklist ${HOME}/.config/Qlipper	76	blacklist ${HOME}/.config/Qlipper
		77	blacklist ${HOME}/.config/QMediathekView
74	blacklist ${HOME}/.config/QuiteRss	78	blacklist ${HOME}/.config/QuiteRss
75	blacklist ${HOME}/.config/QuiteRssrc	79	blacklist ${HOME}/.config/QuiteRssrc
76	blacklist ${HOME}/.config/Rambox	80	blacklist ${HOME}/.config/Rambox
@@ -112,6 +116,7 @@ blacklist ${HOME}/.config/corebird
112	blacklist ${HOME}/.config/darktable	116	blacklist ${HOME}/.config/darktable
113	blacklist ${HOME}/.config/deadbeef	117	blacklist ${HOME}/.config/deadbeef
114	blacklist ${HOME}/.config/deluge	118	blacklist ${HOME}/.config/deluge
		119	blacklist ${HOME}/.config/devilspie2
115	blacklist ${HOME}/.config/digikam	120	blacklist ${HOME}/.config/digikam
116	blacklist ${HOME}/.config/digikamrc	121	blacklist ${HOME}/.config/digikamrc
117	blacklist ${HOME}/.config/discord	122	blacklist ${HOME}/.config/discord
@@ -253,11 +258,13 @@ blacklist ${HOME}/.config/zoomus.conf
253	blacklist ${HOME}/.conkeror.mozdev.org	258	blacklist ${HOME}/.conkeror.mozdev.org
254	blacklist ${HOME}/.curlrc	259	blacklist ${HOME}/.curlrc
255	blacklist ${HOME}/.dashcore	260	blacklist ${HOME}/.dashcore
		261	blacklist ${HOME}/.devilspie
256	blacklist ${HOME}/.dia	262	blacklist ${HOME}/.dia
257	blacklist ${HOME}/.dillo	263	blacklist ${HOME}/.dillo
258	blacklist ${HOME}/.dooble	264	blacklist ${HOME}/.dooble
259	blacklist ${HOME}/.dosbox	265	blacklist ${HOME}/.dosbox
260	blacklist ${HOME}/.dropbox*	266	blacklist ${HOME}/.dropbox*
		267	blacklist ${HOME}/.easystroke
261	blacklist ${HOME}/.electron-cache	268	blacklist ${HOME}/.electron-cache
262	blacklist ${HOME}/.electrum*	269	blacklist ${HOME}/.electrum*
263	blacklist ${HOME}/.elinks	270	blacklist ${HOME}/.elinks
@@ -361,6 +368,7 @@ blacklist ${HOME}/.local/share/3909/PapersPlease
361	blacklist ${HOME}/.local/share/Empathy	368	blacklist ${HOME}/.local/share/Empathy
362	blacklist ${HOME}/.local/share/JetBrains	369	blacklist ${HOME}/.local/share/JetBrains
363	blacklist ${HOME}/.local/share/Mumble	370	blacklist ${HOME}/.local/share/Mumble
		371	blacklist ${HOME}/.local/share/QMediathekView
364	blacklist ${HOME}/.local/share/QuiteRss	372	blacklist ${HOME}/.local/share/QuiteRss
365	blacklist ${HOME}/.local/share/Ricochet	373	blacklist ${HOME}/.local/share/Ricochet
366	blacklist ${HOME}/.local/share/Steam	374	blacklist ${HOME}/.local/share/Steam


diff --git a/etc/easystroke.profile b/etc/easystroke.profile new file mode 100644 index 000000000..6fac08a5d --- /dev/null +++ b/etc/easystroke.profile
@@ -0,0 +1,45 @@
		1	# Firejail profile for easystroke
		2	# Description: Control your desktop using mouse gestures
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include /etc/firejail/easystroke.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	noblacklist ${HOME}/.easystroke
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-interpreters.inc
		14	include /etc/firejail/disable-passwdmgr.inc
		15	include /etc/firejail/disable-programs.inc
		16
		17	caps.drop all
		18	ipc-namespace
		19	machine-id
		20	net none
		21	no3d
		22	# nodbus
		23	nodvd
		24	nogroups
		25	nonewprivs
		26	noroot
		27	nosound
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix
		32	seccomp
		33	shell none
		34
		35	disable-mnt
		36	private-bin easystroke
		37	private-cache
		38	private-dev
		39	private-etc fonts
		40	private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*
		41	private-tmp
		42
		43	memory-deny-write-execute
		44	noexec ${HOME}
		45	noexec /tmp


diff --git a/etc/file.profile b/etc/file.profile index 5d1227520..00e18de20 100644 --- a/etc/file.profile +++ b/etc/file.profile
@@ -30,10 +30,12 @@ shell none
30	tracelog	30	tracelog
31	x11 none	31	x11 none
32		32
33	private-bin file	33	#private-bin file
		34	private-cache
34	private-dev	35	private-dev
35	private-etc magic.mgc,magic,localtime	36	private-etc magic.mgc,magic,localtime
36	private-lib	37	private-lib
		38	private-tmp
37		39
38	memory-deny-write-execute	40	memory-deny-write-execute
39	noexec ${HOME}	41	noexec ${HOME}


diff --git a/etc/strings.profile b/etc/strings.profile index 5bea9525f..ae2fbf18f 100644 --- a/etc/strings.profile +++ b/etc/strings.profile
@@ -21,9 +21,13 @@ shell none
21	tracelog	21	tracelog
22		22
23	private-bin strings	23	private-bin strings
		24	private-cache
24	private-dev	25	private-dev
		26	private-etc none
25	private-lib	27	private-lib
26		28
27	memory-deny-write-execute	29	memory-deny-write-execute
		30	noexec ${HOME}
		31	noexec /tmp
28		32
29	include /etc/firejail/default.profile	33	include /etc/firejail/default.profile