Diffstat (limited to 'etc')
54 files changed, 167 insertions, 6 deletions
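diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
new file mode 100644
index 000000000..d1f4b1de1
--- /dev/null
+++ b/etc/Mathematica.profile
@@ -0,0 +1,13 @@
+# Mathematica profile
+whitelist ~/.Mathematica
+whitelist ~/.Wolfram Research
+whitelist ~/Documents/Wolfram Mathematica
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+caps.drop all
+seccomp
+noroot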
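Review bot: The new profile sets no `protocol` or `netfilter` line, so unlike the browser profiles in this commit (epiphany, chromium) the sandboxed Mathematica keeps every socket family, netlink and packet sockets included; if it only needs licence-server and HTTP traffic, `protocol unix,inet,inet6` and `netfilter` would match the rest of etc/. Two of the `whitelist` paths contain spaces (`~/.Wolfram Research`, `~/Documents/Wolfram Mathematica`), and whether the profile parser takes the remainder of the line or stops at the first space is not visible from this page, so it is worth confirming those two whitelists actually take effect before relying on them.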
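diff --git a/etc/audacious.profile b/etc/audacious.profile
index fa9cbbc52..f9a48f33c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx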
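diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 4cd24fd0a..5eeddb815 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -3,6 +3,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 protocol unix,inet,inet6
 private
 private-dev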
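diff --git a/etc/chromium.profile b/etc/chromium.profile
index 76dc6b234..af2c740a8 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/chromium
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,4 +13,5 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/chromium
 whitelist ~/.cache/chromium
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc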
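Review bot: `whitelist ~/.pki` re-exposes `~/.pki/nssdb`, the shared NSS certificate and private-key store that every non-browser profile in this commit explicitly hides with `blacklist ${HOME}/.pki/nssdb`, and it is exposed read-write. Chromium presumably needs it as its certificate store, but the consequence is that a compromised browser can add a trust anchor or read client-certificate keys, which deserves a line in the profile: `# ~/.pki/nssdb is the shared NSS cert/key store; Chromium needs it, but it stays writable from the sandbox`. The same comment applies to the google-chrome* and opera* profiles in this commit.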
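diff --git a/etc/clementine.profile b/etc/clementine.profile
index e84d8f19a..c9c0ca724 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -2,7 +2,9 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx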
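Review bot: `include /etc/firejail/disable-terminals.inc` is added twice in this hunk (new lines 5 and 7), once before and once after `disable-devel.inc`. The second include is redundant; every other profile in the commit adds it exactly once, after `disable-devel.inc`, so dropping new line 5 keeps the file consistent with its siblings.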
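diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 7c1384523..09f491c61 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.conkeror.mozdev.org
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6
@@ -21,8 +22,4 @@ whitelist ~/.pentadactyl
 whitelist ~/.conkerorrc
 
 # common
-whitelist ~/.fonts
-whitelist ~/.fonts.d
-whitelist ~/.fontconfig
-whitelist ~/.fonts.conf
-whitelist ~/.fonts.conf.d
+include /etc/firejail/whitelist-common.inc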
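diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 0d6e70a4a..35760bf13 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx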
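diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4f76f3666..30e9f91ad 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx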
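diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index e7974f02d..d97740860 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -108,13 +108,19 @@ read-only ${HOME}/.csh_files
 # Initialization files that allow arbitrary command execution
 read-only ${HOME}/.mailcap
 read-only ${HOME}/.exrc
+read-only ${HOME}/_exrc
 read-only ${HOME}/.vimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/_gvimrc
 read-only ${HOME}/.vim
 read-only ${HOME}/.emacs
 read-only ${HOME}/.tmux.conf
 read-only ${HOME}/.iscreenrc
 read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
 
 # The user ~/bin directory can override commands such as ls
 read-only ${HOME}/bin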
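Review bot: `read-only` can only protect init files that already exist on the host; if I read firejail's handling correctly a missing path is skipped, so a sandboxed process can still create `~/_vimrc`, `~/.gvimrc` or `~/.mutt/muttrc` when the user has none, and the new entries do not change that. That limitation belongs in the block comment so nobody mistakes the list for a guarantee: `# read-only only applies to files that exist; a missing rc file can still be created from inside the sandbox`. In the same spirit, `${HOME}/.emacs.d` (emacs reads init.el from there, not only `~/.emacs`) is absent, and the adjacent pre-existing `.iscreenrc` looks like a typo of GNU screen's `.screenrc`.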
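diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
index 8336b6b52..7d29cda31 100644
--- a/etc/disable-secret.inc
+++ b/etc/disable-secret.inc
@@ -1,9 +1,9 @@
 # HOME directory
 blacklist ${HOME}/.ssh
-tmpfs ${HOME}/.gnome2_private
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.gnupg
 blacklist ${HOME}/*.kdbx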
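Review bot: The removed `tmpfs ${HOME}/.gnome2_private` is not replaced by anything, so that directory becomes visible again in every profile that includes this file; if the goal was to retire the tmpfs mount rather than the protection, `blacklist ${HOME}/.gnome2_private` keeps it hidden in the same style as the surrounding lines. The new kwalletd entry is the right idea, and gnome-keyring's current store has the same gap: `blacklist ${HOME}/.local/share/keyrings` is the modern counterpart of the `.gnome2/keyrings` line and is still absent.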
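diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc
new file mode 100644
index 000000000..9631e7f62
--- /dev/null
+++ b/etc/disable-terminals.inc
@@ -0,0 +1,6 @@
+# disable terminals running as server
+blacklist ${PATH}/lxterminal
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper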
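Review bot: The header comment does not say why these particular binaries are dangerous, which matters because this is a denylist someone will have to extend: they hand new windows to an instance already running outside the jail (the lxterminal profile in this commit documents the socket), so starting one from inside the sandbox produces a shell that is not sandboxed. Suggest `# Terminals that hand new windows to an already-running instance (socket/D-Bus): started from inside the jail they open a shell OUTSIDE the sandbox`. Other terminals with the same client/server design (mate-terminal, a gnome-terminal fork, for one) are not listed, and `${PATH}` matching does not reach a binary started by an absolute path outside PATH, so the file is defence in depth rather than a guarantee and the comment could say so.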
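diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index e0c5c93a3..0bc7ac78e 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open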
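diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 248e3ac9e..9d2c612de 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -2,6 +2,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx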
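diff --git a/etc/empathy.profile b/etc/empathy.profile
index 984bbc58e..7c96dc6fa 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp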
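diff --git a/etc/epiphany.profile b/etc/epiphany.profile
new file mode 100644
index 000000000..e86a35258
--- /dev/null
+++ b/etc/epiphany.profile
@@ -0,0 +1,16 @@
+# Epiphany browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.config/epiphany
+whitelist ${HOME}/.cache/epiphany
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+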
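Review bot: The new browser profile leaves out `noroot`, which the other new profiles in this commit (Mathematica.profile, mupen64plus.profile) set, and a WebKit browser is the most exposed sandbox on this page. If the omission is deliberate because of the Debian Jessie breakage recorded in lxterminal.profile, say so with `# noroot: breaks on Debian Jessie, see lxterminal.profile`; otherwise adding `noroot` after `seccomp` brings it in line. `private-dev`, which the bitlbee and dnscrypt-proxy profiles use, would likewise give the renderer a minimal /dev if Epiphany does not need the host's device nodes.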
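diff --git a/etc/evince.profile b/etc/evince.profile
index 34d8162b3..070dc7be7 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx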
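diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index f94fc28df..a79f36398 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx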
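diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index ba8649067..1462d134e 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp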
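diff --git a/etc/firefox.profile b/etc/firefox.profile
index a21093313..0946ebfbe 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features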
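Review bot: `whitelist ~/.pki` hands Firefox the shared NSS database that the rest of the profiles in this commit deny via `blacklist ${HOME}/.pki/nssdb`, yet Firefox keeps its own certificate and key databases inside the profile directory that is already whitelisted above, so the new line reads as needless exposure of client-certificate keys rather than a requirement. Unless a plugin or a system-wide p11-kit setup depends on it, dropping the line keeps the profile at its previous privilege; if it is needed, a comment saying why (`# ~/.pki: shared NSS store, needed by …`) would stop the next reviewer from removing it.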
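diff --git a/etc/generic.profile b/etc/generic.profile
index cc40ad27e..5618a555e 100644
--- a/etc/generic.profile
+++ b/etc/generic.profile
@@ -4,6 +4,7 @@
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx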
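diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 0a495b0b0..8062c859a 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx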
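diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 6122876bf..f6b96575e 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-beta
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,5 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-beta
 whitelist ~/.cache/google-chrome-beta
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 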
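diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 7b8b12d04..3054a63db 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome-unstable
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,5 +13,6 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome-unstable
 whitelist ~/.cache/google-chrome-unstable
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 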
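diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 351490d7f..3d5a6ebbd 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.config/google-chrome
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-terminals.inc
 
 # chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
@@ -12,4 +13,5 @@ netfilter
 whitelist ${DOWNLOADS}
 whitelist ~/.config/google-chrome
 whitelist ~/.cache/google-chrome
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc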
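diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 61c9ac5bb..35b98fde6 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6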
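diff --git a/etc/kmail.profile b/etc/kmail.profile
index 05713755e..ca29675a0 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx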
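diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
new file mode 100644
index 000000000..a614a8dbf
--- /dev/null
+++ b/etc/lxterminal.profile
@@ -0,0 +1,19 @@
+# lxterminal (LXDE) profile
+
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+
+#noroot - somehow this breaks on Debian Jessie!
+
+# lxterminal is a single-instence program
+# blacklist any existing lxterminal socket in order to force a second process instance
+blacklist /tmp/.lxterminal-socket*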
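Review bot: The `blacklist /tmp/.lxterminal-socket*` line is the security-critical part of this profile, but its comment presents it as a functional workaround: without it, a jailed lxterminal would just ask the instance already running outside the jail for a new window, and the shell the user gets would not be sandboxed at all. Suggest `# lxterminal is single-instance: a running copy would open the new window OUTSIDE the sandbox. Hide its socket so a fresh, jailed instance starts.` (this also fixes the "instence" typo). If this firejail version has `private-tmp`, it would hide the socket without a glob to keep in sync with lxterminal's socket name. The profile also deliberately omits `disable-devel.inc`, which every other profile here includes; a one-line comment that a terminal is expected to run compilers and interpreters would keep someone from "fixing" that later.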
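diff --git a/etc/mathematica.profile b/etc/mathematica.profile
new file mode 100644
index 000000000..9410054ae
--- /dev/null
+++ b/etc/mathematica.profile
@@ -0,0 +1,2 @@
+# Mathematica profile
+include /etc/firejail/Mathematica.profile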
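diff --git a/etc/midori.profile b/etc/midori.profile
index 77a6fb984..e46a6baa2 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6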
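diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
new file mode 100644
index 000000000..830531c04
--- /dev/null
+++ b/etc/mupen64plus.profile
@@ -0,0 +1,13 @@
+# mupen64plus profile
+# manually whitelist ROM files
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+whitelist ${HOME}/.local/share/mupen64plus/
+whitelist ${HOME}/.config/mupen64plus/
+noroot
+caps.drop all
+seccomp
+net none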
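Review bot: `# manually whitelist ROM files` leaves the user to work out where and how: once `whitelist` is in effect the rest of $HOME is invisible, so a ROM outside the two listed directories simply fails to open with no hint from the profile. A more useful comment would be `# ROMs are not visible by default: add a line such as "whitelist ~/Games/N64" for your ROM directory in a local copy of this profile`. The trailing slashes on the two whitelist paths are unusual for this tree (every other profile writes `~/.config/foo`), so it is worth confirming the parser matches them. `include /etc/firejail/whitelist-common.inc` is also missing, unlike the other whitelist-based profiles on this page; probably fine for an emulator, but it should be a deliberate choice.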
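diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index c1672abce..783e8b0ef 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -4,10 +4,12 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 netfilter
 whitelist ~/.config/opera-beta
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera-beta
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 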
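diff --git a/etc/opera.profile b/etc/opera.profile
index a76806ed0..dd710a8fe 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -4,10 +4,12 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 netfilter
 whitelist ~/.config/opera
 whitelist ${DOWNLOADS}
 whitelist ~/.cache/opera
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 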
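diff --git a/etc/parole.profile b/etc/parole.profile
index 24181c8d6..fd49bcf07 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 private-etc passwd,group,fonts
 private-bin parole,dbus-launch
 blacklist ${HOME}/.pki/nssdb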
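diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 3dd57b623..54bedccc8 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp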
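diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index dd50c779e..c68eb716b 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx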
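diff --git a/etc/quassel.profile b/etc/quassel.profile
index cb97d0752..e8db77973 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.wine
 caps.drop all
 seccomp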
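diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 9fc1fcb80..3326a34ed 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx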
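diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index c2c0356d9..7ba5677e9 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6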
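--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features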
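Review bot: The new `whitelist ~/.pki` (second hunk, new line 27) exposes the whole NSS shared database directory to the sandboxed browser, which is the very directory most other profiles in this commit go out of their way to hide (`blacklist ${HOME}/.pki/nssdb`), and it is added without a `read-only` companion the way `whitelist-common.inc` pairs `whitelist`/`read-only` for `~/.config/user-dirs.dirs`; a one-line comment stating why the browser needs it writable, e.g. `# NSS shared DB: client certificates and keys, writable so the browser can update it`, would stop the next reader from "fixing" it. The same line and the same question apply to the seamonkey.profile section below. Those two files carry identical blob hashes in their index lines (55b64bdae..d585c719b), so they are byte-for-byte the same; if `include` of a whole profile is supported here, making seamonkey-bin.profile a one-line `include /etc/firejail/seamonkey.profile` would prevent the two from drifting apart on the next hardening pass.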
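--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6,netlink
@@ -23,6 +24,7 @@ whitelist ~/.pentadactyl
 whitelist ~/.keysnail.js
 whitelist ~/.config/gnome-mplayer
 whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
 # experimental features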
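--- a/etc/server.profile
+++ b/etc/server.profile
@@ -5,5 +5,6 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
 private
 private-dev
+private-tmp
 seccomp
 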
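--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot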
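--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -5,6 +5,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot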
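--- /dev/null
+++ b/etc/telegram.profile
@@ -0,0 +1,15 @@
+# Telegram profile
+noblacklist ${HOME}/.TelegramDesktop
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+noroot
+
+whitelist ~/Downloads/Telegram Desktop
+whitelist ~/.TelegramDesktop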
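Review bot: `whitelist ~/Downloads/Telegram Desktop` on line 14 hard-codes the download location, whereas the new uget-gtk.profile in this same commit uses the `${DOWNLOADS}` macro (`whitelist ${DOWNLOADS}`); on a system whose XDG downloads directory is not `~/Downloads`, the whitelisted path would presumably not be the one Telegram actually writes to, so `whitelist ${DOWNLOADS}/Telegram Desktop` looks like the intended form. This profile also whitelists home paths without the closing `include /etc/firejail/whitelist-common.inc` that uget-gtk.profile ends with, so the fonts, icons and gtk entries that file provides are presumably not visible inside this sandbox; if the minimal home is deliberate, a comment `# no whitelist-common.inc: keep home minimal` would record that, otherwise add the include after line 15. Minor: line 2 spells the same directory as `${HOME}/.TelegramDesktop` and line 15 as `~/.TelegramDesktop`; both spellings occur elsewhere on this page, but using one form for the pair makes them easier to grep together.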
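--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx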
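--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx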
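--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx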
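--- /dev/null
+++ b/etc/uget-gtk.profile
@@ -0,0 +1,14 @@
+# uGet profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
+whitelist ${DOWNLOADS}
+whitelist ~/.config/uGet
+include /etc/firejail/whitelist-common.inc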
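--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -2,6 +2,10 @@
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 private
 private-dev
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open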
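Review bot: The four new include lines (new lines 5-8) are ordered common, devel, secret, terminals, while the other profiles touched by this commit that carry all four (rhythmbox, rtorrent, skype, steam, vlc, wine and the new telegram and uget-gtk profiles) list them as secret, common, devel, terminals; the order has no visible effect, but a uniform order lets these profiles be diffed against each other, so I would reorder to `include /etc/firejail/disable-secret.inc` first. While in this file: the unchanged `seccomp.drop` list on line 11 names `perf_event_open` twice, once after `lookup_dcookie` and again as the last entry; the duplicate is harmless, but dropping the trailing one makes the list read as the set it is meant to be.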
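--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -3,6 +3,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 blacklist ${HOME}/.pki/nssdb
 blacklist ${HOME}/.lastpass
 blacklist ${HOME}/.keepassx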
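--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -3,6 +3,7 @@ noblacklist ${HOME}/.weechat
 include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 seccomp
 protocol unix,inet,inet6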
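--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -4,6 +4,7 @@ whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs
 read-only ~/.config/user-dirs.dirs
+whitelist ~/.asoundrc
 
 # fonts
 whitelist ~/.fonts
@@ -12,6 +13,7 @@ whitelist ~/.fontconfig
 whitelist ~/.fonts.conf
 whitelist ~/.fonts.conf.d
 whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
 
 # gtk
 whitelist ~/.gtkrc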
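Review bot: `whitelist ~/.asoundrc` (first hunk, new line 7) is added without the `read-only` line that the entry directly above it (`~/.config/user-dirs.dirs`) receives, and because this file is included by most of the profiles in this commit, every one of those sandboxes gains write access to the user's ALSA configuration, a file that every other audio-using program on the host also reads. Unless a sandboxed application is actually expected to rewrite it, the safer form is the existing pair pattern: `whitelist ~/.asoundrc` followed by `read-only ~/.asoundrc`. The `whitelist ~/.cache/fontconfig` entry in the second hunk is likewise shared across all sandboxes; it presumably has to stay writable so fontconfig can regenerate its cache, and a comment to that effect, e.g. `# shared font cache; must stay writable for fontconfig to rebuild it`, would make the asymmetry with the read-only entries deliberate rather than accidental.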
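--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -6,6 +6,7 @@ include /etc/firejail/disable-mgmt.inc
 include /etc/firejail/disable-secret.inc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-terminals.inc
 caps.drop all
 netfilter
 noroot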
diff --git a/etc/xchat.profile b/etc/xchat.profile index 37e1371e6..be68e0add 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile | |||
@@ -4,6 +4,7 @@ include /etc/firejail/disable-mgmt.inc | |||
4 | include /etc/firejail/disable-secret.inc | 4 | include /etc/firejail/disable-secret.inc |
5 | include /etc/firejail/disable-common.inc | 5 | include /etc/firejail/disable-common.inc |
6 | include /etc/firejail/disable-devel.inc | 6 | include /etc/firejail/disable-devel.inc |
7 | include /etc/firejail/disable-terminals.inc | ||
7 | blacklist ${HOME}/.wine | 8 | blacklist ${HOME}/.wine |
8 | caps.drop all | 9 | caps.drop all |
9 | seccomp | 10 | seccomp |