Diffstat (limited to 'etc')
-rw-r--r--etc/android-studio.profile2
-rw-r--r--etc/aosp.profile42
-rw-r--r--etc/ark.profile2
-rw-r--r--etc/atom.profile4
-rw-r--r--etc/atril.profile2
-rw-r--r--etc/audacious.profile2
-rw-r--r--etc/audacity.profile2
-rw-r--r--etc/baloo_file.profile4
-rw-r--r--etc/bluefish.profile34
-rw-r--r--etc/calligra.profile3
-rw-r--r--etc/cin.profile2
-rw-r--r--etc/cinelerra.profile6
-rw-r--r--etc/clamdscan.profile1
-rw-r--r--etc/clamdtop.profile1
-rw-r--r--etc/clamscan.profile1
-rw-r--r--etc/cliqz.profile83
-rw-r--r--etc/dia.profile2
-rw-r--r--etc/disable-common.inc3
-rw-r--r--etc/disable-programs.inc10
-rw-r--r--etc/dnscrypt-proxy.profile3
-rw-r--r--etc/dnsmasq.profile1
-rw-r--r--etc/engrampa.profile2
-rw-r--r--etc/eog.profile2
-rw-r--r--etc/eom.profile2
-rw-r--r--etc/evince.profile1
-rw-r--r--etc/ffmpeg.profile12
-rw-r--r--etc/file-roller.profile2
-rw-r--r--etc/gedit.profile5
-rw-r--r--etc/gitter.profile3
-rw-r--r--etc/gnome-calculator.profile2
-rw-r--r--etc/gwenview.profile2
-rw-r--r--etc/hugin.profile2
-rw-r--r--etc/idea.sh.profile2
-rw-r--r--etc/inkscape.profile2
-rw-r--r--etc/inox.profile4
-rw-r--r--etc/kdenlive.profile2
-rw-r--r--etc/konversation.profile2
-rw-r--r--etc/ktorrent.profile1
-rw-r--r--etc/mate-calc.profile13
-rw-r--r--etc/mate-color-select.profile9
-rw-r--r--etc/mate-dictionary.profile10
-rw-r--r--etc/mediathekview.profile2
-rw-r--r--etc/musescore.profile2
-rw-r--r--etc/natron.profile1
-rw-r--r--etc/okular.profile2
-rw-r--r--etc/openshot-qt.profile6
-rw-r--r--etc/pdfmod.profile38
-rw-r--r--etc/pinta.profile34
-rw-r--r--etc/scribus.profile3
-rw-r--r--etc/server.profile3
-rw-r--r--etc/shotcut.profile2
-rw-r--r--etc/steam.profile3
-rw-r--r--etc/synfigstudio.profile4
-rw-r--r--etc/tuxguitar.profile2
-rw-r--r--etc/uefitool.profile33
-rw-r--r--etc/unbound.profile3
-rw-r--r--etc/waterfox.profile4
-rw-r--r--etc/xreader.profile2
-rw-r--r--etc/xviewer.profile2
59 files changed, 405 insertions, 31 deletions
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index 1e1953780..6be92e1c0 100644
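--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh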
diff --git a/etc/aosp.profile b/etc/aosp.profile
new file mode 100644
index 000000000..5ceef9348
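--- /dev/null
+++ b/etc/aosp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aosp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+#seccomp
+shell none
+
+private-tmp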
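Review bot: `#seccomp` on line 39 of the new profile switches the syscall filter off with no comment saying what fails when it is on, so nobody can later tell whether it is safe to re-enable; record the reason in the style other profiles use, e.g. `# seccomp - breaks <component to confirm>`. The profile also lifts the blacklist on `${HOME}/.ssh` and `${HOME}/.bash_history` and does not include `disable-devel.inc`, so everything run in the build tree can read SSH keys and shell history. A one-line comment above those two `noblacklist` entries stating what needs them would make that exposure a recorded decision rather than an accident.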
diff --git a/etc/ark.profile b/etc/ark.profile
index 38bd5246e..ba9cb1134 100644
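--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd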
diff --git a/etc/atom.profile b/etc/atom.profile
index 8629c3dd8..db3cbc687 100644
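--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -23,7 +23,11 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+# net none
 shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp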
diff --git a/etc/atril.profile b/etc/atril.profile
index 2e4af9086..052b41655 100644
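--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd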
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 52e701821..7e2b91773 100644
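--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups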
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 9fbc2b16d..88aea243e 100644
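--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d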
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 4e603971f..2c2d70c00 100644
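--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
 
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
 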
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
new file mode 100644
index 000000000..f7e322838
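--- /dev/null
+++ b/etc/bluefish.profile
@@ -0,0 +1,34 @@
+# Firejail profile for bluefish
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bluefish.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bluefish
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp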
diff --git a/etc/calligra.profile b/etc/calligra.profile
index e90c8efe8..d2b76d22c 100644
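--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
+net none
 nodvd
 nogroups
 nonewprivs
@@ -25,5 +26,5 @@ shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp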
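Review bot: `#noexec ${HOME}` in the second hunk turns off the home-directory exec restriction without saying which feature needs it, so the relaxation cannot be told apart from a leftover debugging edit; etc/kdenlive.profile gets the same undocumented change in this commit. With the line disabled, anything the application writes under the home directory can be executed inside the sandbox. Record the reason next to the line in the style the other profiles already use, e.g. `# noexec ${HOME} - breaks <feature to confirm>`, so it can be re-enabled once the cause is gone.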
diff --git a/etc/cin.profile b/etc/cin.profile
index eeeda476f..6b3e3888b 100644
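--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin cin
+private-bin cin,ffmpeg
 private-dev
 
 noexec ${HOME}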
diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile
new file mode 100644
index 000000000..e6a1941b5
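--- /dev/null
+++ b/etc/cinelerra.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cin.profile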
diff --git a/etc/clamdscan.profile b/etc/clamdscan.profile
index 1fc728206..f6861dfa1 100644
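--- a/etc/clamdscan.profile
+++ b/etc/clamdscan.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 
 
 # Redirect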
diff --git a/etc/clamdtop.profile b/etc/clamdtop.profile
index 1fc728206..f6861dfa1 100644
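--- a/etc/clamdtop.profile
+++ b/etc/clamdtop.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 
 
 # Redirect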
diff --git a/etc/clamscan.profile b/etc/clamscan.profile
index 1fc728206..f6861dfa1 100644
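--- a/etc/clamscan.profile
+++ b/etc/clamscan.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 
 
 # Redirect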
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
new file mode 100644
index 000000000..a7c791a02
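--- /dev/null
+++ b/etc/cliqz.profile
@@ -0,0 +1,83 @@
+# Firejail profile for cliqz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cliqz.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.cache/cliqz
+noblacklist ~/.config/cliqz
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
+noblacklist ~/.config/qpdfview
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
+noblacklist ~/.local/share/gnome-shell/extensions
+noblacklist ~/.local/share/okular
+noblacklist ~/.local/share/qpdfview
+
+noblacklist ~/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.cache/mozilla/firefox
+mkdir ~/.mozilla
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.config/okularpartrc
+whitelist ~/.config/okularrc
+whitelist ~/.config/pipelight-silverlight5.1
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/qpdfview
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
+whitelist ~/.keysnail.js
+whitelist ~/.lastpass
+whitelist ~/.local/share/gnome-shell/extensions
+whitelist ~/.local/share/okular
+whitelist ~/.local/share/qpdfview
+whitelist ~/.mozilla
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.pki
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.zotero
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp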
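Review bot: The whitelist block never lists `~/.config/cliqz` or `~/.cache/cliqz`, although lines 8-9 lift the blacklist on exactly those paths; it creates and whitelists `~/.mozilla` and `~/.cache/mozilla/firefox` instead, which look carried over from the Firefox profile. Because a home whitelist hides everything that is not listed, Cliqz would presumably start on an empty temporary profile while the user's Firefox data is exposed to it. If Cliqz keeps its data under the cliqz paths, as the `noblacklist` lines imply, the lines to add are `mkdir ~/.config/cliqz`, `whitelist ~/.config/cliqz` and `whitelist ~/.cache/cliqz`, and the mozilla entries can go. The commented `# private-bin firefox,...` line has the same leftover name.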
diff --git a/etc/dia.profile b/etc/dia.profile
index abe83ac8c..800c3bbf1 100644
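--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups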
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index abce0fe57..d943950d4 100644
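--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -120,7 +120,8 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-blacklist /var/log
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+# every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket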
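Review bot: The new comment names the switch as `--writeble-var-log`, which a reader cannot search for in the man page; the option is spelled `--writable-var-log`, and `buid up` should read `built`. The comment also leaves out the consequence of the change: with the blacklist gone, a sandbox started with that switch presumably sees the host's real log directory, where before the entry still applied unless a profile lifted it. Suggested wording: `# blacklist /var/log - every sandbox gets a mostly empty virtual /var/log by default;` followed by `# with --writable-var-log the real directory is exposed`.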
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 615e28172..064e60294 100644
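--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -81,6 +81,7 @@ blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
+blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
@@ -142,6 +143,8 @@ blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pcmanfm
+blacklist ${HOME}/.config/pdfmod
+blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
@@ -220,6 +223,8 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.jack-server
+blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
@@ -360,6 +365,8 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
+blacklist ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
@@ -376,6 +383,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
@@ -408,6 +416,7 @@ blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
@@ -427,6 +436,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla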
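Review bot: `blacklist ${HOME}/.tor-browser-en` in the fifth hunk matches only a directory with the English suffix, so if other locale builds use a different suffix their data stays readable from every sandbox that includes this file. The list already uses a glob two lines further down (`blacklist ${HOME}/.tuxguitar*`), so `blacklist ${HOME}/.tor-browser-*` would cover all of them in one entry. Any profile that lifts the entry with `noblacklist` would need the same pattern. Only part of the list is visible in these hunks, so a broader entry elsewhere in the file cannot be ruled out.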
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 86af9c7b3..6d4f6349a 100644
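--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute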
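Review bot: The context comment `# mdwe can break modules/plugins` now sits directly above an active `memory-deny-write-execute`, so the file warns against the very setting it enables and a reader cannot tell which of the two is current. Reword the comment to what still holds, for example `# memory-deny-write-execute can break modules/plugins - add "ignore memory-deny-write-execute" to dnscrypt-proxy.local if needed`, or drop it if the breakage no longer occurs.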
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index d4cd0530e..2a1302adb 100644
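--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc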
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 7bc5e7481..c198adba9 100644
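--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d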
diff --git a/etc/eog.profile b/etc/eog.profile
index e5161b313..5ff926371 100644
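--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d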
diff --git a/etc/eom.profile b/etc/eom.profile
index 3fb1fcaf4..802578959 100644
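--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d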
diff --git a/etc/evince.profile b/etc/evince.profile
index f503b9a8e..466260c49 100644
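--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd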
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index e098c95e3..5db39cf61 100644
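--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
 
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg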
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 8484aa162..01e689b9d 100644
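--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d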
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 3d7af1496..e17d94da0 100644
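--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,9 +5,10 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
 
-noblacklist ~/.config/gedit
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc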
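Review bot: The new side no longer carries the warning that gedit started from gnome-shell is launched by systemd and therefore runs without firejail, and nothing replaces it. If that behaviour still holds, users of this profile get no hint that the sandbox may not be applied at all; keep the line as `# when gedit is started via gnome-shell, firejail is not applied because systemd will start it`. The added `noblacklist ${HOME}/.gitconfig` would also benefit from a short comment naming the gedit feature that reads it, since the file can hold credential-helper settings.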
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 5a172fcc4..0a47bf888 100644
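--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -25,6 +25,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-private-bin gitter
+private-bin bash,env,gitter
+private-opt Gitter
 private-dev
 private-tmp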
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 326222426..9e70a563a 100644
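--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -28,10 +28,8 @@ seccomp
 shell none
 
 disable-mnt
-private
 private-bin gnome-calculator
 private-dev
-# private-etc fonts
 private-tmp
 
 memory-deny-write-execute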
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index 7f1577afe..2b025e56c 100644
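--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 nodvd
 nogroups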
diff --git a/etc/hugin.profile b/etc/hugin.profile
index ff88e0d5c..64b6e0c69 100644
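--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs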
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 928ec7327..caec416e9 100644
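--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh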
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index c062ab8ef..04c1020ab 100644
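--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin inkscape
+private-bin inkscape,potrace
 private-dev
 private-tmp
 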
diff --git a/etc/inox.profile b/etc/inox.profile
index 6273c4de6..de4d6205b 100644
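--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -21,6 +21,10 @@ whitelist ~/.config/inox
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
+caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
+nogroups
+noroot
 notv
+shell none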
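Review bot: `caps.keep sys_chroot,sys_admin` keeps CAP_SYS_ADMIN, the broadest capability there is, and nothing in the file says why; if it is there for the browser's own setuid sandbox, say so in a comment such as `# sys_admin and sys_chroot are needed by the browser's internal sandbox` so the line is not copied into unrelated profiles. The same hunk adds `noroot`, which may conflict with a helper that relies on those capabilities, so it is worth confirming that the internal sandbox still initialises with both set. The visible part of the profile has neither `seccomp` nor `nonewprivs`, presumably for the same reason; a one-line comment would record that the omission is deliberate.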
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index a1a5f957c..10c2909a0 100644
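--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp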
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 8ffc43487..7d09857ba 100644
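--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd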
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index c0b37df3c..e95bc23ca 100644
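--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent
 whitelist ~/.kde4/share/config/ktorrentrc
 whitelist ~/.local/share/ktorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter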
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index caf3095a5..c59b2dcc7 100644
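--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -12,8 +12,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.config/caja
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/dconf
+whitelist ${HOME}./config/mate-menu
+whitelist ${HOME}/.themes
+
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
@@ -27,8 +34,12 @@ seccomp
 shell none
 
 disable-mnt
+private-bin mate-calc,mate-calculator
+private-etc fonts
 private-dev
+private-opt none
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp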
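Review bot: `whitelist ${HOME}./config/mate-menu` in the first hunk has the dot and the slash transposed, so it names a path beside the home directory instead of `.config/mate-menu` inside it and the intended directory stays hidden; it should read `whitelist ${HOME}/.config/mate-menu`. Separately, `whitelist ${HOME}/.config/dconf` gives the calculator write access to the settings database shared by the whole desktop. If it only needs to read theme and font settings, adding `read-only ${HOME}/.config/dconf` after the whitelist would narrow that.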
diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile
index 26ce42fbf..7df7d7faa 100644
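--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -11,6 +11,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
+
 caps.drop all
 netfilter
 no3d
@@ -26,9 +31,11 @@ seccomp
 shell none
 
 disable-mnt
-private
+private-bin mate-color-select
+private-etc fonts
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp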
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index f0de57e0d..3f85addaf 100644
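--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -12,6 +12,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
+
 caps.drop all
 netfilter
 no3d
@@ -27,8 +33,12 @@ seccomp
 shell none
 
 disable-mnt
+private-bin mate-dictionary
+private-etc fonts,resolv.conf
+private-opt mate-dictionary
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp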
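Review bot: `private-etc fonts,resolv.conf` at new line 37 gives the dictionary client a resolver config but none of the other files name resolution usually reads, while `netfilter` at new line 22 shows the profile expects network use. The commented waterfox `private-etc` list on this page carries `hosts` and `nsswitch.conf` next to `resolv.conf`; whether mate-dictionary's lookups work without them should be tested inside the sandbox, and if they are needed the line becomes `private-etc fonts,hosts,nsswitch.conf,resolv.conf`. `private-opt mate-dictionary` also differs from mate-calc's `private-opt none` in the same commit, and a one-line comment saying what the program keeps under /opt would make that choice reviewable.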
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile
index 1cda5022d..dc9946794 100644
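--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd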
diff --git a/etc/musescore.profile b/etc/musescore.profile
index b039d07b2..b3d04c08f 100644
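--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d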
diff --git a/etc/natron.profile b/etc/natron.profile
index d77539d83..b76649605 100644
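--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+net none
 
 private-bin natron,Natron,NatronRenderer
 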
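Review bot: `protocol unix,inet,inet6` at line 26 is left unchanged although `net none` is added at new line 29, so the protocol filter still admits inet and inet6 sockets that the profile no longer intends to use. The new pdfmod, pinta and uefitool profiles in this commit pair `net none` with `protocol unix`; the matching change here is `protocol unix`, provided Natron does not talk to its renderer over loopback TCP (not verifiable from the hunk). `net none` is also placed after `shell none` rather than next to `caps.drop all` where the other profiles on this page keep it. The profile begins and ends outside the hunk.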
diff --git a/etc/okular.profile b/etc/okular.profile
index 94736fbae..60390e4d8 100644
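--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp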
diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile
new file mode 100644
index 000000000..cbd1f8fe8
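--- /dev/null
+++ b/etc/openshot-qt.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for openshot
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/openshot.profile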
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
new file mode 100644
index 000000000..8489e79a6
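--- /dev/null
+++ b/etc/pdfmod.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pdfmod
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pdfmod.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.cache/pdfmod
+noblacklist ${HOME}/.config/pdfmod
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp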
diff --git a/etc/pinta.profile b/etc/pinta.profile
new file mode 100644
index 000000000..cb6e05d35
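--- /dev/null
+++ b/etc/pinta.profile
@@ -0,0 +1,34 @@
+# Firejail profile for pinta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pinta.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/Pinta
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp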
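Review bot: This new profile omits `include /etc/firejail/whitelist-var-common.inc`, which the pdfmod profile added alongside it carries at line 17; the new uefitool.profile lacks it as well. The same commit adds that include to mediathekview, musescore, scribus, tuxguitar, xreader and xviewer, so the omission looks accidental rather than deliberate. If Pinta runs with /var restricted, add `include /etc/firejail/whitelist-var-common.inc` after the `disable-programs.inc` include at line 14 (and after line 12 in uefitool.profile); if it was left out on purpose, a one-line comment saying why would help. `no3d` is likewise present in pdfmod and uefitool but not here, which may be intentional for an image editor and is worth a comment either way.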
diff --git a/etc/scribus.profile b/etc/scribus.profile
index dd06fa59f..1b2d0c0b8 100644
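--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -26,7 +26,10 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
+net none
 nodvd
 nogroups
 nonewprivs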
diff --git a/etc/server.profile b/etc/server.profile
index edd4666e1..860e0056d 100644
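--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,7 +13,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
 # noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
@@ -29,6 +28,8 @@ notv
 novideo
 seccomp
 
+# netfilter /etc/firejail/webserver.net
+
 # disable-mnt
 private
 # private-bin program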
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index e30bc1f46..4e8b1da05 100644
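--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
 #private-bin shotcut,melt,qmelt,nice
 private-dev
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp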
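Review bot: `noexec ${HOME}` at line 30 is commented out with no reason recorded, so files under the home directory become executable inside the sandbox and a later maintainer cannot tell whether the relaxation is still needed. The steam.profile change in this commit shows the pattern to follow, a reason on the line above the disabled option, for example `# noexec ${HOME} breaks <feature - to be filled in by the author>`. `noexec /tmp` stays active, so only the home mount is affected. The profile begins outside the hunk.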
diff --git a/etc/steam.profile b/etc/steam.profile
index b4b9ede70..33c082533 100644
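--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -46,5 +46,6 @@ shell none
 
 # private-dev should be commented for controllers
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
+# private-etc breaks some games
+#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp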
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index b0014ace6..2617c0e51 100644
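--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -14,7 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -26,7 +26,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin synfigstudio
+#private-bin synfigstudio,synfig,ffmpeg
 private-dev
 private-tmp
 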
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index fbc198cc3..30e2a619d 100644
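--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d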
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
new file mode 100644
index 000000000..138f69aa8
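--- /dev/null
+++ b/etc/uefitool.profile
@@ -0,0 +1,33 @@
+# Firejail profile for uefitool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/uefitool.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp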
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 2a38aa7c6..d380b5698 100644
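--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute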
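Review bot: The comment `# mdwe can break modules/plugins` at new line 32 now sits directly above an active `memory-deny-write-execute`, so it reads as a warning against the very line this commit enables. Either drop the comment or reword it so it tells an administrator what to do when a module fails, for example `# mdwe can break modules/plugins - disable in unbound.local if a module fails to load`. The first hunk also removes `noblacklist /var/log`; that is only safe if unbound does not write its own log file under /var/log, which cannot be confirmed from the hunk.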
diff --git a/etc/waterfox.profile b/etc/waterfox.profile
index 2322c1fae..67995f345 100644
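--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -65,6 +65,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -78,7 +79,8 @@ seccomp
 shell none
 tracelog
 
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
 private-tmp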
diff --git a/etc/xreader.profile b/etc/xreader.profile
index c02b9a014..bebcb262f 100644
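--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd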
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index b9ff3948a..53f2a0c82 100644
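--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d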