Diffstat (limited to 'etc')
-rw-r--r--etc/akonadi_control.profile3
-rw-r--r--etc/checkbashisms.profile2
-rw-r--r--etc/disable-common.inc3
-rw-r--r--etc/disable-programs.inc5
-rw-r--r--etc/firefox.profile2
-rw-r--r--etc/ghostwriter.profile22
-rw-r--r--etc/itch.profile3
-rw-r--r--etc/kwin_x11.profile3
-rw-r--r--etc/pluma.profile3
-rw-r--r--etc/slack.profile3
-rw-r--r--etc/tb-starter-wrapper.profile19
-rw-r--r--etc/tor-browser.profile10
-rw-r--r--etc/torbrowser-launcher.profile2
-rw-r--r--etc/unzip.profile1
-rw-r--r--etc/whalebird.profile45
-rw-r--r--etc/zulip.profile47
16 files changed, 149 insertions, 24 deletions
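--- a/etc/akonadi_control.profile
+++ b/etc/akonadi_control.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/apps/korganizer
 noblacklist ${HOME}/.local/share/contacts
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.local/share/notes
+noblacklist /sbin
 noblacklist /tmp/akonadi-*
 noblacklist /usr/sbin
 
@@ -45,7 +46,7 @@ nosound
 notv
 nou2f
 novideo
-# protocol unix,inet,inet6
+# protocol unix,inet,inet6,netlink
 # seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
 tracelog
 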
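Review bot: `noblacklist /sbin` in the first hunk re-exposes a directory the common includes presumably hide, but nothing records which program under /sbin akonadi_control actually execs, and the neighbouring `noblacklist /usr/sbin` has the same gap. A one-line comment above it, e.g. `# <binary> lives in /sbin on non-merged-usr systems` with the real binary filled in, would let the next maintainer verify the exception is still needed instead of carrying it indefinitely.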
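--- a/etc/checkbashisms.profile
+++ b/etc/checkbashisms.profile
@@ -44,7 +44,7 @@ x11 none
 
 private-cache
 private-dev
-private-lib perl*
+private-lib libfreebl3.so,perl*
 private-tmp
 
 memory-deny-write-execute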
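--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -67,6 +67,7 @@ blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
 blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
+blacklist ${HOME}/.config/kwalletrc
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
 blacklist ${HOME}/.config/plasma-org.kde.plasma.desktop-appletsrc
@@ -79,6 +80,7 @@ blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
 blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde/share/config/kwalletrc
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
 blacklist ${HOME}/.kde/share/config/plasma-desktop-appletsrc
@@ -89,6 +91,7 @@ blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
 blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
+blacklist ${HOME}/.kde4/share/config/kwalletrc
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
 blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc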
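--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -302,6 +302,7 @@ blacklist ${HOME}/.config/vivaldi
 blacklist ${HOME}/.config/vivaldi-snapshot
 blacklist ${HOME}/.config/vlc
 blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/Whalebird
 blacklist ${HOME}/.config/wireshark
 blacklist ${HOME}/.config/xchat
 blacklist ${HOME}/.config/xed
@@ -322,6 +323,7 @@ blacklist ${HOME}/.config/yelp
 blacklist ${HOME}/.config/youtube-dl
 blacklist ${HOME}/.config/zathura
 blacklist ${HOME}/.config/zoomus.conf
+blacklist ${HOME}/.config/Zulip
 blacklist ${HOME}/.conkeror.mozdev.org
 blacklist ${HOME}/.crawl
 blacklist ${HOME}/.curlrc
@@ -367,6 +369,7 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.itch
 blacklist ${HOME}/.jack-server
 blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.jak
@@ -620,11 +623,13 @@ blacklist ${HOME}/.sword
 blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.config/teams-for-linux
+blacklist ${HOME}/.tb
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser
 blacklist ${HOME}/.tor-browser-*
 blacklist ${HOME}/.tor-browser_*
 blacklist ${HOME}/.torcs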
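--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -16,6 +16,8 @@ whitelist ${HOME}/.mozilla
 
 # firefox requires a shell to launch on Arch.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
+# Fedora use shell scripts to launch firefox, at least this is required
+#private-bin awk,basename,bash,cat,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which
 # private-etc must first be enabled in firefox-common.profile
 #private-etc firefox
 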
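--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -18,20 +18,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-#mkdir ${HOME}/.config/ghostwriter
-#whitelist ${HOME}/.config/ghostwriter
-#whitelist ${DESKTOP}
-#whitelist ${DOCUMENTS}
-#whitelist ${DOWNLOADS}
-#whitelist ${PICTURES}
-#include whitelist-common.inc
-
 apparmor
 caps.drop all
 machine-id
 netfilter
-#no3d
-#nodbus
 nodvd
 nogroups
 nonewprivs
@@ -40,17 +30,15 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,netlink
-seccomp
+protocol unix,inet,inet6,netlink
+#seccomp -- breaks
 shell none
-tracelog
+#tracelog -- breaks
 
 # Breaks Translation
 #private-bin ghostwriter,pandoc
 private-cache
 private-dev
-private-etc alternatives,crypto-policies,cups,dconf,drirc,fonts,gtk-3.0,localtime,machine-id
-# Breaks Translation
-#private-lib
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,ca-certificates,crypto-policies,dbus-1,dconf,firejail,fonts,gconf,groups,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,mime.types,nsswitch.conf,pango,passwd,pki,protocols,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-tmp
-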
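Review bot: The second hunk switches off both `seccomp` and `tracelog` with nothing more than `-- breaks`, which drops the syscall filter for the whole profile rather than carving out the call that fails. The comment should at least record what breaks and where it is tracked, e.g. `#seccomp -- breaks <feature>, see #<issue>` with the real values filled in, and if a single syscall is the culprit the narrower `seccomp !<syscall>` form keeps the rest of the filter in place. The new `private-etc` line does carry a why-comment (the #2877 workaround), so the seccomp/tracelog pair is the remaining undocumented relaxation in this file.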
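--- a/etc/itch.profile
+++ b/etc/itch.profile
@@ -8,6 +8,7 @@ include globals.local
 # itch.io has native firejail/sandboxing support bundled in
 # See https://itch.io/docs/itch/using/sandbox/linux.html
 
+noblacklist ${HOME}/.itch
 noblacklist ${HOME}/.config/itch
 
 include disable-common.inc
@@ -16,7 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+mkdir ${HOME}/.itch
 mkdir ${HOME}/.config/itch
+whitelist ${HOME}/.itch
 whitelist ${HOME}/.config/itch
 include whitelist-common.inc
 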
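--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -5,6 +5,9 @@ include kwin_x11.local
 # Persistent global definitions
 include globals.local
 
+# fix automatical kwin_x11 sandboxing:
+# echo KDEWM=kwin_x11 >> ~/.pam_environment
+
 noblacklist ${HOME}/.cache/kwin
 noblacklist ${HOME}/.config/kwinrc
 noblacklist ${HOME}/.config/kwinrulesrc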
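--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -6,6 +6,7 @@ include pluma.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/pluma
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
@@ -42,7 +43,7 @@ tracelog
 
 private-bin pluma
 private-dev
-private-lib pluma
+private-lib aspell,gconv,libgspell-1.so.*,libreadline.so.*,libtinfo.so.*,pluma
 private-tmp
 
 memory-deny-write-execute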
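--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -20,7 +20,6 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-name slack
 netfilter
 nodvd
 nogroups
@@ -35,5 +34,5 @@ shell none
 disable-mnt
 private-bin locale,slack
 private-dev
-private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl
 private-tmp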
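--- /dev/null
+++ b/etc/tb-starter-wrapper.profile
@@ -0,0 +1,19 @@
+# Firejail profile for tb-starter-wrapper
+# Description: wrapper-script used by whonix to start the tor browser
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tb-starter-wrapper.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.tb
+
+mkdir ${HOME}/.tb
+whitelist ${HOME}/.tb
+
+x11 xorg
+
+# Redirect
+include torbrowser-launcher.profile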
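Review bot: `x11 xorg` on line 16 hard-wires an X11 sandbox mode that relies on the Xorg SECURITY extension, and the profile gives no hint of why this wrapper needs it while nothing in the visible part of torbrowser-launcher.profile, which it redirects to, sets an x11 mode (I only see lines 48-54 of that file). A short comment above it, e.g. `# whonix runs a plain Xorg with the security extension; xpra/xephyr are not available there` adjusted to the real reason, would keep the next reader from dropping it, or the line could live in tb-starter-wrapper.local if it is environment-specific. Leaving `#include globals.local` commented is fine given the line-8 note that the redirected profile pulls it in.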
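--- /dev/null
+++ b/etc/tor-browser.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser
+
+mkdir ${HOME}/.tor-browser
+whitelist ${HOME}/.tor-browser
+
+# Redirect
+include torbrowser-launcher.profile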
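Review bot: The new profile carries its own rules (`noblacklist`, `mkdir` and `whitelist` for ${HOME}/.tor-browser) yet, unlike tb-starter-wrapper.profile in the same commit, offers no `include tor-browser.local` hook, and line 2 says the file is overwritten on every update, so a user cannot adjust that whitelist without losing the edit. It is no longer a pure redirect alias, so adding `# Persistent local customizations` and `include tor-browser.local` after the header, matching the other profiles, would keep it consistent.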
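--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -48,7 +48,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
+private-bin bash,cat,cp,cut,dirname,env,expr,file,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,pwd,python*,readlink,realpath,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp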
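--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -39,6 +39,5 @@ tracelog
 x11 none
 
 private-bin unzip
-private-cache
 private-dev
 private-etc alternatives,group,localtime,passwd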
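--- /dev/null
+++ b/etc/whalebird.profile
@@ -0,0 +1,45 @@
+# Firejail profile for whalebird
+# Description: Electron-based Mastodon/Pleroma client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include whalebird.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/Whalebird
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Whalebird
+whitelist ${HOME}/.config/Whalebird
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin whalebird
+private-cache
+private-dev
+private-etc fonts,machine-id
+private-tmp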
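Review bot: `private-etc fonts,machine-id` on line 44 leaves a networked Electron client without `resolv.conf`, `hosts`, `nsswitch.conf`, `ca-certificates`, `ssl` and `pki`, so unless the binary ships its own resolver and CA bundle, name resolution and TLS validation will fail inside the sandbox, and the usual downstream fix is to delete the whole `private-etc` line, which loses more than a correct list would. The slack.profile hunk in this same commit shows the list another Electron chat client needed (`alternatives,asound.conf,ca-certificates,crypto-policies,...,resolv.conf,ssl`) and is a reasonable starting point; zulip.profile line 46 has the same gap. I cannot tell from the page whether this was tested against a live account, so treat this as a question to confirm rather than a verified failure.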
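--- /dev/null
+++ b/etc/zulip.profile
@@ -0,0 +1,47 @@
+# Firejail profile for zulip
+# Description: Real-time team chat based on the email threading model
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zulip.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Zulip
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/Zulip
+whitelist ${HOME}/.config/Zulip
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin locale,zulip
+private-cache
+private-dev
+private-etc asound.conf,fonts,machine-id
+private-tmp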
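Review bot: `ignore noexec /tmp` on line 9 cancels a hardening rule the profile would otherwise inherit (presumably from globals.local or disable-exec.inc), and nothing says why Zulip needs to execute from /tmp; with `private-tmp` on line 47 the sandbox gets a fresh /tmp, so as I understand it the only executables that can land there are ones the app itself writes, which is exactly the case `noexec` exists to block. A comment recording the reason, e.g. `# ignore noexec /tmp -- <component> unpacks and runs helpers from /tmp` with the real component named, would make the trade-off reviewable and give a maintainer something concrete to re-test before removing the exception later. The `private-etc` gap raised on whalebird.profile applies to line 46 here as well.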