diff options
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/disable-programs.inc | 4 | ||||
| -rw-r--r-- | etc/engrampa.profile | 1 | ||||
| -rw-r--r-- | etc/firefox.profile | 4 | ||||
| -rw-r--r-- | etc/firejail.config | 11 | ||||
| -rw-r--r-- | etc/geeqie.profile | 27 | ||||
| -rw-r--r-- | etc/vlc.profile | 2 |
6 files changed, 45 insertions, 4 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 00473de95..a5c7502db 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
| @@ -30,6 +30,7 @@ blacklist ${HOME}/.cache/darktable | |||
| 30 | blacklist ${HOME}/.cache/epiphany | 30 | blacklist ${HOME}/.cache/epiphany |
| 31 | blacklist ${HOME}/.cache/evolution | 31 | blacklist ${HOME}/.cache/evolution |
| 32 | blacklist ${HOME}/.cache/gajim | 32 | blacklist ${HOME}/.cache/gajim |
| 33 | blacklist ${HOME}/.cache/geeqie | ||
| 33 | blacklist ${HOME}/.cache/google-chrome | 34 | blacklist ${HOME}/.cache/google-chrome |
| 34 | blacklist ${HOME}/.cache/google-chrome-beta | 35 | blacklist ${HOME}/.cache/google-chrome-beta |
| 35 | blacklist ${HOME}/.cache/google-chrome-unstable | 36 | blacklist ${HOME}/.cache/google-chrome-unstable |
| @@ -103,6 +104,7 @@ blacklist ${HOME}/.config/evolution | |||
| 103 | blacklist ${HOME}/.config/filezilla | 104 | blacklist ${HOME}/.config/filezilla |
| 104 | blacklist ${HOME}/.config/flowblade | 105 | blacklist ${HOME}/.config/flowblade |
| 105 | blacklist ${HOME}/.config/gajim | 106 | blacklist ${HOME}/.config/gajim |
| 107 | blacklist ${HOME}/.config/geeqie | ||
| 106 | blacklist ${HOME}/.config/gedit | 108 | blacklist ${HOME}/.config/gedit |
| 107 | blacklist ${HOME}/.config/google-chrome | 109 | blacklist ${HOME}/.config/google-chrome |
| 108 | blacklist ${HOME}/.config/google-chrome-beta | 110 | blacklist ${HOME}/.config/google-chrome-beta |
| @@ -221,6 +223,7 @@ blacklist ${HOME}/.local/share/epiphany | |||
| 221 | blacklist ${HOME}/.local/share/evolution | 223 | blacklist ${HOME}/.local/share/evolution |
| 222 | blacklist ${HOME}/.local/share/feral-interactive | 224 | blacklist ${HOME}/.local/share/feral-interactive |
| 223 | blacklist ${HOME}/.local/share/gajim | 225 | blacklist ${HOME}/.local/share/gajim |
| 226 | blacklist ${HOME}/.local/share/geeqie | ||
| 224 | blacklist ${HOME}/.local/share/gnome-2048 | 227 | blacklist ${HOME}/.local/share/gnome-2048 |
| 225 | blacklist ${HOME}/.local/share/gnome-chess | 228 | blacklist ${HOME}/.local/share/gnome-chess |
| 226 | blacklist ${HOME}/.local/share/gnome-music | 229 | blacklist ${HOME}/.local/share/gnome-music |
| @@ -284,6 +287,7 @@ blacklist ${HOME}/.weechat | |||
| 284 | blacklist ${HOME}/.wine | 287 | blacklist ${HOME}/.wine |
| 285 | blacklist ${HOME}/.wine64 | 288 | blacklist ${HOME}/.wine64 |
| 286 | blacklist ${HOME}/.xiphos | 289 | blacklist ${HOME}/.xiphos |
| 290 | blacklist ${HOME}/.xmms | ||
| 287 | blacklist ${HOME}/.xonotic | 291 | blacklist ${HOME}/.xonotic |
| 288 | blacklist ${HOME}/.xpdfrc | 292 | blacklist ${HOME}/.xpdfrc |
| 289 | blacklist ${HOME}/.zoom | 293 | blacklist ${HOME}/.zoom |
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index b30b53085..da4872ca0 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
| @@ -13,7 +13,6 @@ nogroups | |||
| 13 | nonewprivs | 13 | nonewprivs |
| 14 | noroot | 14 | noroot |
| 15 | nosound | 15 | nosound |
| 16 | no3d | ||
| 17 | protocol unix | 16 | protocol unix |
| 18 | seccomp | 17 | seccomp |
| 19 | netfilter | 18 | netfilter |
diff --git a/etc/firefox.profile b/etc/firefox.profile index e323cac91..e2cfb9138 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile | |||
| @@ -54,5 +54,5 @@ include /etc/firejail/whitelist-common.inc | |||
| 54 | # experimental features | 54 | # experimental features |
| 55 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env | 55 | #private-bin firefox,which,sh,dbus-launch,dbus-send,env |
| 56 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse | 56 | #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse |
| 57 | private-dev | 57 | private-dev |
| 58 | private-tmp | 58 | #private-tmp |
diff --git a/etc/firejail.config b/etc/firejail.config index 766802a7d..0887e05b5 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
| @@ -6,6 +6,9 @@ | |||
| 6 | # Enable or disable bind support, default enabled. | 6 | # Enable or disable bind support, default enabled. |
| 7 | # bind yes | 7 | # bind yes |
| 8 | 8 | ||
| 9 | # Enable mounting a tmpfs on top of ~/.cache directory, default enabled. | ||
| 10 | # cache-tmpfs yes | ||
| 11 | |||
| 9 | # Enable or disable chroot support, default enabled. | 12 | # Enable or disable chroot support, default enabled. |
| 10 | # chroot yes | 13 | # chroot yes |
| 11 | 14 | ||
| @@ -14,6 +17,10 @@ | |||
| 14 | # and it will harden the rest of the chroot tree. | 17 | # and it will harden the rest of the chroot tree. |
| 15 | # chroot-desktop yes | 18 | # chroot-desktop yes |
| 16 | 19 | ||
| 20 | # Disable /mnt, /media, /run/mount and /run/media access. By default access | ||
| 21 | # to these directories is enabled. | ||
| 22 | # disable-mnt no | ||
| 23 | |||
| 17 | # Enable or disable file transfer support, default enabled. | 24 | # Enable or disable file transfer support, default enabled. |
| 18 | # file-transfer yes | 25 | # file-transfer yes |
| 19 | 26 | ||
| @@ -26,6 +33,10 @@ | |||
| 26 | # Enabled by default | 33 | # Enabled by default |
| 27 | # follow-symlink-as-user yes | 34 | # follow-symlink-as-user yes |
| 28 | 35 | ||
| 36 | # Follow symlink for private-bin command. | ||
| 37 | # Disabled by default | ||
| 38 | # follow-symlink-private-bin no | ||
| 39 | |||
| 29 | # Force use of nonewprivs. This mitigates the possibility of | 40 | # Force use of nonewprivs. This mitigates the possibility of |
| 30 | # a user abusing firejail's features to trick a privileged (suid | 41 | # a user abusing firejail's features to trick a privileged (suid |
| 31 | # or file capabilities) process into loading code or configuration | 42 | # or file capabilities) process into loading code or configuration |
diff --git a/etc/geeqie.profile b/etc/geeqie.profile new file mode 100644 index 000000000..57f942a50 --- /dev/null +++ b/etc/geeqie.profile | |||
| @@ -0,0 +1,27 @@ | |||
| 1 | # This file is overwritten during software install. | ||
| 2 | # Persistent customizations should go in a .local file. | ||
| 3 | include /etc/firejail/geeqie.local | ||
| 4 | |||
| 5 | # Firejail profile for Geeqie | ||
| 6 | noblacklist ~/.cache/geeqie | ||
| 7 | noblacklist ~/.config/geeqie | ||
| 8 | noblacklist ~/.local/share/geeqie | ||
| 9 | include /etc/firejail/disable-common.inc | ||
| 10 | include /etc/firejail/disable-programs.inc | ||
| 11 | include /etc/firejail/disable-devel.inc | ||
| 12 | include /etc/firejail/disable-passwdmgr.inc | ||
| 13 | |||
| 14 | caps.drop all | ||
| 15 | nogroups | ||
| 16 | nonewprivs | ||
| 17 | noroot | ||
| 18 | protocol unix | ||
| 19 | seccomp | ||
| 20 | nosound | ||
| 21 | |||
| 22 | private-dev | ||
| 23 | |||
| 24 | #Experimental: | ||
| 25 | shell none | ||
| 26 | #private-bin geeqie | ||
| 27 | #private-etc X11 | ||
diff --git a/etc/vlc.profile b/etc/vlc.profile index 9d1cdb4c8..0c96f0108 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile | |||
| @@ -20,5 +20,5 @@ seccomp | |||
| 20 | shell none | 20 | shell none |
| 21 | 21 | ||
| 22 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc | 22 | private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc |
| 23 | private-dev | 23 | # private-dev |
| 24 | private-tmp | 24 | private-tmp |