Diffstat (limited to 'etc')
32 files changed, 149 insertions, 25 deletions
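--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -28,4 +29,10 @@ tracelog
 
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
-private-tmp
+private-etc fonts
+# atril needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp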
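Review bot: `private-etc fonts` on the new line 32 leaves the sandbox with no other /etc entries, while the steam and xonotic hunks in this same commit list `ld.so.cache`, `localtime`, `fonts` and more for the same directive; if atril resolves anything beyond fonts through /etc it will not find it, so the narrow list is worth confirming at startup. The comment on line 33 explains why `private-tmp` is dropped; it could also state what that costs, e.g. `# private-tmp disabled: the sandbox shares the host /tmp (including other sandboxes' files) so that /tmp/mozilla* is reachable`. The xreader hunk makes the same change and would take the same comment.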
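--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -25,4 +25,7 @@ shell none
 tracelog
 
 private-bin audacious
+private-dev
 private-tmp
+
+memory-deny-write-execute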
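--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -30,5 +30,6 @@ private-bin audacity
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp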
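--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 
 noblacklist /sbin
 noblacklist /usr/sbin
+noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc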
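Review bot: `noblacklist /var/log` on the new line 10 re-exposes the whole log tree to the daemon, because disable-common.inc gains `blacklist /var/log` in this same commit. If bitlbee only writes under its own subdirectory, a narrower entry such as `noblacklist /var/log/<bitlbee log dir>` would keep the rest of /var/log hidden; the exact path is not visible here, so confirm it against the daemon's configuration. The server.profile hunk leaves the equivalent line commented out, which is the safer default.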
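--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -14,7 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nogroups
+# nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
@@ -27,4 +27,7 @@ tracelog
 private-dev
 private-tmp
 
-memory-deny-write-execute
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp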
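Review bot: `# nogroups` on the new line 17 of the first hunk carries no rationale, whereas the mdwe change on lines 30–31 of the second hunk explains itself; a reader cannot tell whether the supplementary groups are needed or the directive was disabled by mistake. Add the reason alongside it, e.g. `# nogroups - disabled because <reason>` with the actual dependency filled in. Dropping `nogroups` keeps the user's supplementary groups (video, audio, ...) inside the sandbox, so the comment should name which group is required.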
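--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -107,15 +107,27 @@ blacklist ${PATH}/zuluCrypt-cli
 blacklist ${PATH}/zuluMount-cli
 
 # var
+blacklist /var/cache/apt
+blacklist /var/cache/pacman
+blacklist /var/lib/apt
+blacklist /var/lib/clamav
+blacklist /var/lib/dkms
 blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/pacman
+blacklist /var/lib/systemd
+blacklist /var/lib/upower
+blacklist /var/log
 blacklist /var/mail
+blacklist /var/opt
 blacklist /var/run/acpid.socket
 blacklist /var/run/docker.sock
 blacklist /var/run/minissdpd.sock
 blacklist /var/run/mysql/mysqld.sock
 blacklist /var/run/mysqld/mysqld.sock
 blacklist /var/run/rpcbind.sock
+blacklist /var/run/screens
+blacklist /var/run/systemd
 blacklist /var/spool/anacron
 blacklist /var/spool/cron
 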
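Review bot: `blacklist /var/run/systemd` on the new line 130 can affect hosts where /var/run is /run and /etc/resolv.conf is a symlink into /run/systemd/resolve/, or where /dev/log resolves into /run/systemd/journal/; the blacklist would then hide the resolver stub and the syslog socket from every profile that includes this file. Whether firejail follows those symlinks when applying the entry is not visible here, so this should be tested on a systemd-resolved host before release. `blacklist /var/log` on line 120 is the other entry with wide effect; the bitlbee and server hunks in this commit already show profiles compensating for it, which suggests a one-line comment above the two entries naming the trade-off, e.g. `# daemons that log to /var/log or hosts using systemd-resolved need noblacklist entries for these`.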
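--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -334,6 +334,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.mutt
 blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.neverball
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openinvaders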
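--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -12,7 +12,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -29,3 +30,7 @@ tracelog
 private-dev
 # private-etc fonts
 # private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp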
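Review bot: the first hunk replaces `netfilter` on line 15 with the comment `# net none - makes settings immutable`, which records a constraint without saying what it is; the usual cause is that the session bus is reached through an abstract Unix socket scoped to the network namespace, so `net none` leaves dconf unreachable and settings read-only — worth stating in the comment so the directive is not re-added later. The same comment line lands in eog, file-roller, gedit, pluma, xed, eom and xviewer; in gedit, pluma, xed and xviewer the hunks show `protocol unix`, which still blocks IP sockets via seccomp, but the eog and file-roller hunks do not show a `protocol` line, so confirm one exists there now that `net none` is gone. Dropping `netfilter` here changes nothing by itself, since the filter only applies when a `net` interface is configured.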
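--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -16,7 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups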
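--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -16,6 +16,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
@@ -30,7 +32,9 @@ tracelog
 
 private-bin eom
 private-dev
+private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp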
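--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -12,7 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups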
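--- a/etc/fossamail.profile
+++ b/etc/fossamail.profile
@@ -17,7 +17,6 @@ whitelist ~/.fossamail
 whitelist ~/.gnupg
 include /etc/firejail/whitelist-common.inc
 
-nodvd
-notv
-
+# allow browsers
+# Redirect
 include /etc/firejail/firefox.profile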
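Review bot: `# allow browsers` on the new line 20 annotates no directive — the next line is another comment and then the `include`, so it is not clear what is being allowed or by which line. Either attach it to the directive it describes or fold it into the include's comment, e.g. `# Redirect to the firefox profile, which allows browsers`. Removing `nodvd` and `notv` is harmless only if firefox.profile sets them; that file is outside this hunk, so confirm it.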
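--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -15,7 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
 no3d
 nodvd
 nogroups
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none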
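--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -13,11 +13,11 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix
 seccomp
 shell none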
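--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -18,7 +18,6 @@ nogroups
 nonewprivs
 noroot
 nosound
-notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp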
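Review bot: `notv` is dropped on the old line 21 without a stated reason; this re-exposes /dev/dvb* to a transcoder that, as far as this profile shows, works on files. If there is a capture-from-tuner use case, record it in a comment next to the change, e.g. `# notv removed: <reason>`; otherwise the directive should stay, since the other hunks in this commit add device restrictions rather than remove them.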
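--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -23,4 +23,5 @@ protocol unix,inet,inet6
 seccomp
 tracelog
 
+private-dev
 private-tmp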
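--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -9,8 +9,10 @@ noblacklist ~/.config/mpv
 noblacklist ~/.config/smplayer
 noblacklist ~/.config/totem
 noblacklist ~/.config/vlc
+noblacklist ~/.config/xplayer
 noblacklist ~/.java
 noblacklist ~/.local/share/totem
+noblacklist ~/.local/share/xplayer
 noblacklist ~/.mediathek3
 noblacklist ~/.mplayer
 
@@ -22,6 +24,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
 nodvd
+nogroups
 nonewprivs
 noroot
 notv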
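--- /dev/null
+++ b/etc/neverball.profile
@@ -0,0 +1,37 @@
+# Firejail profile for neverball
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/neverball.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.neverball
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.neverball
+whitelist ${HOME}/.neverball
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+disable-mnt
+private-bin neverball
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp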
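Review bot: `netfilter` on line 20 has no effect unless a `net` interface is configured, and `protocol unix,netlink` on line 27 already blocks IP sockets, so the profile's intent reads as no network at all; if that is so, `net none` states it directly, and the dconf caveat the GTK profiles in this commit attach to `net none` does not apply to an SDL game. The file is otherwise well formed: `mkdir` precedes the `whitelist`, `noexec` covers ${HOME} and /tmp, and `disable-mnt` is set. A `private-etc` list like the one in the xonotic hunk would also fit, since a game run under `private-bin` rarely needs the rest of /etc.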
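--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 
 private-bin pluma
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp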
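--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,3 +30,5 @@ tracelog
 private-bin qpdfview
 private-dev
 private-tmp
+
+memory-deny-write-execute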
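--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -28,6 +28,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 nodvd
+nogroups
 nonewprivs
 noroot
 nosound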
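--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,6 +13,8 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
+# noblacklist /var/log
+# noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc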
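Review bot: the two commented `noblacklist` lines on new lines 16–17 give no hint why they are there; they exist because disable-common.inc gains `blacklist /var/log` and `blacklist /var/opt` in this same commit, and a daemon profile built on this file will need them uncommented. A one-line comment above them, e.g. `# disable-common.inc hides these; uncomment for daemons that log to /var/log or install under /var/opt`, saves the next reader the search.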
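--- a/etc/simple-scan.profile
+++ b/etc/simple-scan.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,inet,inet6,netlink
 # simple-scan makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice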
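Review bot: `# novideo` on the new line 23 disables the /dev/video* blacklist with no rationale, and the skanlite hunk makes the identical change; the existing line 25 shows how this file documents such exceptions (`# simple-scan makes ioperm system calls, ...`), so a matching line is expected here, e.g. `# novideo disabled: <which scanner backend needs /dev/video*>`. Without it the next tidy-up is likely to re-enable `novideo` and break whatever this was fixing.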
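--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -20,7 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
-novideo
+# novideo
 protocol unix,netlink
 # skanlite makes ioperm system calls, which are blacklisted by default.
 seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice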
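--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,12 +5,17 @@ include /etc/firejail/steam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.Steam
-noblacklist ${HOME}/.Steampath
-noblacklist ${HOME}/.Steampid
 noblacklist ${HOME}/.java
+noblacklist ${HOME}/.killingfloor
+noblacklist ${HOME}/.local/share/3909/PapersPlease
+noblacklist ${HOME}/.local/share/aspyr-media
+noblacklist ${HOME}/.local/share/cdprojektred
+noblacklist ${HOME}/.local/share/feral-interactive
 noblacklist ${HOME}/.local/share/Steam
-noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.local/share/SuperHexagon
+noblacklist ${HOME}/.local/share/Terraria
+noblacklist ${HOME}/.local/share/vpltd
+noblacklist ${HOME}/.local/share/vulkan
 noblacklist ${HOME}/.steam
 noblacklist ${HOME}/.steampath
 noblacklist ${HOME}/.steampid
@@ -29,12 +34,15 @@ nogroups
 nonewprivs
 noroot
 notv
-# novideo
+# novideo should be commented for VR
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
 # tracelog disabled as it breaks integrated browser
 # tracelog
 
+# private-dev should be commented for controllers
 private-dev
+private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp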
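Review bot: the `private-etc` list on the new line 47 omits `nsswitch.conf`, which the xonotic hunk in this commit includes; glibc falls back to built-in defaults without it, so host lookup probably still works, but the two lists serve the same kind of program and should either agree or say why they differ. The comment on line 37 could also say where the override goes, since `novideo` now takes effect for everyone: `# novideo should be commented (in steam.local) for VR`. Dropping the `.Steam`/`.Steampath`/`.Steampid` entries in the first hunk is safe only if nothing on the host uses those capitalised paths; the lowercase entries that remain do not cover them.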
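--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -25,5 +25,7 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 
+# mdwe is disabled due to breaking hardware accelerated decoding
+# memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp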
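--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -13,17 +13,24 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-net none
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
+protocol unix
 seccomp
 shell none
 tracelog
 
 private-bin xed
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp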
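--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -14,12 +14,12 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none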
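--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -31,6 +31,7 @@ shell none
 disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
+private-etc asound.conf,ca-certificates,drirc,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pulse,resolv.conf,ssl
 private-tmp
 
 noexec ${HOME}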
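--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -18,7 +18,6 @@ netfilter
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6
 seccomp
 shell none
@@ -26,4 +25,8 @@ tracelog
 
 private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
 private-dev
+# private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp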
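--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -15,17 +15,25 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
 
-private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-private-tmp
+# private-etc fonts
+# xreader needs access to /tmp/mozilla* to work in firefox
+# private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp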
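--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -16,12 +16,15 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none - makes settings immutable
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -29,7 +32,9 @@ tracelog
 
 private-bin xviewer
 private-dev
+private-etc fonts
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp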