Diffstat (limited to 'etc')
-rw-r--r--etc/2048-qt.profile3
-rw-r--r--etc/Screenshot.profile6
-rw-r--r--etc/Viber.profile1
-rw-r--r--etc/abiword.profile46
-rw-r--r--etc/asunder.profile4
-rw-r--r--etc/atool.profile1
-rw-r--r--etc/audacious.profile2
-rw-r--r--etc/audacity.profile2
-rw-r--r--etc/baobab.profile3
-rw-r--r--etc/bluefish.profile1
-rw-r--r--etc/brasero.profile3
-rw-r--r--etc/calibre.profile1
-rw-r--r--etc/catfish.profile1
-rw-r--r--etc/celluloid.profile1
-rw-r--r--etc/com.github.dahenson.agenda.profile60
-rw-r--r--etc/curl.profile4
-rw-r--r--etc/d-feet.profile1
-rw-r--r--etc/dconf-editor.profile1
-rw-r--r--etc/default.profile10
-rw-r--r--etc/deluge.profile2
-rw-r--r--etc/dia.profile3
-rw-r--r--etc/dig.profile5
-rw-r--r--etc/disable-common.inc35
-rw-r--r--etc/disable-devel.inc1
-rw-r--r--etc/disable-programs.inc23
-rw-r--r--etc/discord-common.profile11
-rw-r--r--etc/elinks.profile2
-rw-r--r--etc/enchant.profile1
-rw-r--r--etc/eo-common.profile1
-rw-r--r--etc/evince.profile1
-rw-r--r--etc/evolution.profile2
-rw-r--r--etc/fbreader.profile4
-rw-r--r--etc/feedreader.profile1
-rw-r--r--etc/ferdi.profile46
-rw-r--r--etc/file-roller.profile3
-rw-r--r--etc/file.profile5
-rw-r--r--etc/filezilla.profile2
-rw-r--r--etc/firefox-esr.profile2
-rw-r--r--etc/firefox.profile1
-rw-r--r--etc/firejail-default2
-rw-r--r--etc/flameshot.profile2
-rw-r--r--etc/four-in-a-row.profile17
-rw-r--r--etc/freeciv.profile1
-rw-r--r--etc/freeoffice-planmaker.profile2
-rw-r--r--etc/freeoffice-presentations.profile2
-rw-r--r--etc/freeoffice-textmaker.profile2
-rw-r--r--etc/frogatto.profile47
-rw-r--r--etc/frozen-bubble.profile2
-rw-r--r--etc/gedit.profile1
-rw-r--r--etc/gfeeds.profile1
-rw-r--r--etc/gitg.profile9
-rw-r--r--etc/gjs.profile1
-rw-r--r--etc/gnome-2048.profile27
-rw-r--r--etc/gnome-books.profile3
-rw-r--r--etc/gnome-builder.profile2
-rw-r--r--etc/gnome-calculator.profile1
-rw-r--r--etc/gnome-characters.profile2
-rw-r--r--etc/gnome-chess.profile4
-rw-r--r--etc/gnome-clocks.profile1
-rw-r--r--etc/gnome-contacts.profile1
-rw-r--r--etc/gnome-font-viewer.profile3
-rw-r--r--etc/gnome-hexgl.profile3
-rw-r--r--etc/gnome-latex.profile1
-rw-r--r--etc/gnome-logs.profile1
-rw-r--r--etc/gnome-mahjongg.profile14
-rw-r--r--etc/gnome-maps.profile2
-rw-r--r--etc/gnome-mines.profile18
-rw-r--r--etc/gnome-music.profile7
-rw-r--r--etc/gnome-nettool.profile1
-rw-r--r--etc/gnome-nibbles.profile21
-rw-r--r--etc/gnome-passwordsafe.profile6
-rw-r--r--etc/gnome-photos.profile2
-rw-r--r--etc/gnome-pomodoro.profile51
-rw-r--r--etc/gnome-recipes.profile1
-rw-r--r--etc/gnome-robots.profile17
-rw-r--r--etc/gnome-schedule.profile1
-rw-r--r--etc/gnome-screenshot.profile44
-rw-r--r--etc/gnome-sound-recorder.profile1
-rw-r--r--etc/gnome-sudoku.profile17
-rw-r--r--etc/gnome-taquin.profile17
-rw-r--r--etc/gnome-tetravex.profile12
-rw-r--r--etc/gnome-todo.profile51
-rw-r--r--etc/gnome-weather.profile1
-rw-r--r--etc/gnome_games-common.profile43
-rw-r--r--etc/gpg-agent.profile3
-rw-r--r--etc/gpg.profile3
-rw-r--r--etc/gucharmap.profile1
-rw-r--r--etc/handbrake.profile2
-rw-r--r--etc/highlight.profile1
-rw-r--r--etc/host.profile49
-rw-r--r--etc/iagno.profile37
-rw-r--r--etc/kino.profile3
-rw-r--r--etc/kmplayer.profile41
-rw-r--r--etc/latex-common.profile1
-rw-r--r--etc/leafpad.profile3
-rw-r--r--etc/less.profile1
-rw-r--r--etc/lightsoff.profile14
-rw-r--r--etc/lincity-ng.profile1
-rw-r--r--etc/links.profile1
-rw-r--r--etc/lximage-qt.profile4
-rw-r--r--etc/lxmusic.profile1
-rw-r--r--etc/lynx.profile2
-rw-r--r--etc/lzcat.profile1
-rw-r--r--etc/lzcmp.profile1
-rw-r--r--etc/lzegrep.profile1
-rw-r--r--etc/lzfgrep.profile1
-rw-r--r--etc/lzgrep.profile1
-rw-r--r--etc/lzip.profile1
-rw-r--r--etc/lzless.profile1
-rw-r--r--etc/lzma.profile1
-rw-r--r--etc/lzmainfo.profile1
-rw-r--r--etc/lzmore.profile1
-rw-r--r--etc/mate-calc.profile2
-rw-r--r--etc/mate-dictionary.profile1
-rw-r--r--etc/meld.profile2
-rw-r--r--etc/midori.profile3
-rw-r--r--etc/mousepad.profile3
-rw-r--r--etc/mplayer.profile2
-rw-r--r--etc/mupdf.profile1
-rw-r--r--etc/musescore.profile1
-rw-r--r--etc/mutt.profile2
-rw-r--r--etc/newsboat.profile1
-rw-r--r--etc/nslookup.profile53
-rw-r--r--etc/open-invaders.profile5
-rw-r--r--etc/opencity.profile1
-rw-r--r--etc/openclonk.profile4
-rw-r--r--etc/openttd.profile3
-rw-r--r--etc/pandoc.profile1
-rw-r--r--etc/patch.profile1
-rw-r--r--etc/pdftotext.profile1
-rw-r--r--etc/penguin-command.profile39
-rw-r--r--etc/ping.profile5
-rw-r--r--etc/pingus.profile3
-rw-r--r--etc/pitivi.profile5
-rw-r--r--etc/planmaker18.profile2
-rw-r--r--etc/planmaker18free.profile2
-rw-r--r--etc/pngquant.profile2
-rw-r--r--etc/polari.profile1
-rw-r--r--etc/ppsspp.profile1
-rw-r--r--etc/presentations18.profile3
-rw-r--r--etc/presentations18free.profile2
-rw-r--r--etc/qpdfview.profile1
-rw-r--r--etc/remmina.profile1
-rw-r--r--etc/rhythmbox.profile5
-rw-r--r--etc/ripperx.profile41
-rw-r--r--etc/ristretto.profile4
-rw-r--r--etc/rsync-download_only.profile1
-rw-r--r--etc/scribus.profile1
-rw-r--r--etc/seahorse.profile3
-rw-r--r--etc/shellcheck.profile2
-rw-r--r--etc/simutrans.profile3
-rw-r--r--etc/slack.profile2
-rw-r--r--etc/smtube.profile1
-rw-r--r--etc/sol.profile1
-rw-r--r--etc/sound-juicer.profile41
-rw-r--r--etc/ssh.profile3
-rw-r--r--etc/steam.profile11
-rw-r--r--etc/strings.profile1
-rw-r--r--etc/supertux2.profile2
-rw-r--r--etc/tcpdump.profile1
-rw-r--r--etc/teams.profile3
-rw-r--r--etc/templates/profile.template4
-rw-r--r--etc/terasology.profile1
-rw-r--r--etc/textmaker18.profile3
-rw-r--r--etc/textmaker18free.profile3
-rw-r--r--etc/thunderbird.profile1
-rw-r--r--etc/torbrowser-launcher.profile4
-rw-r--r--etc/tracker.profile2
-rw-r--r--etc/transmission-gtk.profile2
-rw-r--r--etc/transmission-remote-cli.profile4
-rw-r--r--etc/ts3client_runscript.sh.profile19
-rw-r--r--etc/tshark.profile2
-rw-r--r--etc/tuxguitar.profile2
-rw-r--r--etc/unknown-horizons.profile4
-rw-r--r--etc/unlzma.profile1
-rw-r--r--etc/unxz.profile1
-rw-r--r--etc/uzbl-browser.profile4
-rw-r--r--etc/vim.profile2
-rw-r--r--etc/w3m.profile2
-rw-r--r--etc/warmux.profile53
-rw-r--r--etc/warzone2100.profile1
-rw-r--r--etc/wget.profile2
-rw-r--r--etc/whitelist-runuser-common.inc10
-rw-r--r--etc/whitelist-usr-share-common.inc1
-rw-r--r--etc/whois.profile2
-rw-r--r--etc/widelands.profile1
-rw-r--r--etc/wire-desktop.profile2
-rw-r--r--etc/x-terminal-emulator.profile1
-rw-r--r--etc/x2goclient.profile47
-rw-r--r--etc/xcalc.profile2
-rw-r--r--etc/xed.profile4
-rw-r--r--etc/xfce4-dict.profile3
-rw-r--r--etc/xfce4-notes.profile3
-rw-r--r--etc/xpdf.profile3
-rw-r--r--etc/xplayer.profile4
-rw-r--r--etc/xxd.profile3
-rw-r--r--etc/xz.profile1
-rw-r--r--etc/xzcat.profile1
-rw-r--r--etc/xzcmp.profile1
-rw-r--r--etc/xzdiff.profile1
-rw-r--r--etc/xzegrep.profile1
-rw-r--r--etc/xzfgrep.profile1
-rw-r--r--etc/xzmore.profile1
-rw-r--r--etc/yelp.profile1
-rw-r--r--etc/youtube-dl.profile1
-rw-r--r--etc/zathura.profile4
-rw-r--r--etc/zoom.profile4
207 files changed, 1342 insertions, 103 deletions
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 2347039a6..12268706a 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -23,8 +23,9 @@ whitelist ${HOME}/.config/xiaoyong
23include whitelist-common.inc 23include whitelist-common.inc
24include whitelist-var-common.inc 24include whitelist-var-common.inc
25 25
26apparmor
26caps.drop all 27caps.drop all
27netfilter 28net none
28nodvd 29nodvd
29nogroups 30nogroups
30nonewprivs 31nonewprivs
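--- /dev/null
+++ b/etc/Screenshot.profile
@@ -0,0 +1,6 @@
+# Firejail profile for gnome-screenshot
+# This file is overwritten after every install/update
+
+# Temporary fix for https://github.com/netblue30/firejail/issues/2624
+# Redirect
+include gnome-screenshot.profile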
diff --git a/etc/Viber.profile b/etc/Viber.profile
index 925e130de..3195e39fa 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -6,6 +6,7 @@ include Viber.local
6include globals.local 6include globals.local
7 7
8noblacklist ${HOME}/.ViberPC 8noblacklist ${HOME}/.ViberPC
9noblacklist ${PATH}/dig
9 10
10include disable-common.inc 11include disable-common.inc
11include disable-devel.inc 12include disable-devel.inc
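Review bot: `noblacklist ${PATH}/dig` (new line 9) re-exposes a DNS client tool that this same commit removes from every sandbox through disable-common.inc, and nothing in this section says why a messaging client needs it. If Viber is known to invoke dig, record that on the line, e.g. `# Viber calls dig at startup (observed behaviour)`, so the exception is not dropped as a leftover later; if it is only there to keep name resolution working it is unnecessary, because the blacklist hides the executable and does not touch the program's own resolver. The placement before `include disable-common.inc` is correct, since a noblacklist must precede the include that blacklists the path.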
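--- /dev/null
+++ b/etc/abiword.profile
@@ -0,0 +1,46 @@
+# Firejail profile for abiword
+# Description: flexible cross-platform word processor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include abiword.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/abiword
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /usr/share/abiword-3.0
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin abiword
+private-cache
+private-dev
+private-etc fonts,gtk-3.0,passwd
+private-tmp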
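Review bot: `whitelist /usr/share/abiword-3.0` (line 18) pins a versioned data directory, so a distribution bump to another abiword release will silently leave the sandbox without its data files instead of failing visibly; add a comment such as `# data dir is versioned upstream - bump on new release`, or, if the targeted firejail accepts glob patterns in whitelist, use `whitelist /usr/share/abiword-*`. `#nodbus` on line 28 gives no reason for being disabled, unlike commented options elsewhere that state what breaks; record it, e.g. `# nodbus - TODO: note what stops working with it enabled`. `private-etc fonts,gtk-3.0,passwd` omits `alternatives`, which the updated default.profile in this commit now lists as a common entry; worth confirming the binary still starts on systems where /usr/bin entries resolve through /etc/alternatives.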
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 1f3acd735..fceac7cf9 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -20,21 +20,25 @@ include disable-passwdmgr.inc
20include disable-programs.inc 20include disable-programs.inc
21include disable-xdg.inc 21include disable-xdg.inc
22 22
23include whitelist-usr-share-common.inc
23include whitelist-var-common.inc 24include whitelist-var-common.inc
24 25
25apparmor 26apparmor
26caps.drop all 27caps.drop all
27netfilter 28netfilter
29no3d
28nodbus 30nodbus
29# nogroups 31# nogroups
30nonewprivs 32nonewprivs
31noroot 33noroot
32nou2f 34nou2f
35notv
33novideo 36novideo
34protocol unix,inet,inet6 37protocol unix,inet,inet6
35seccomp 38seccomp
36shell none 39shell none
37 40
41private-cache
38private-dev 42private-dev
39private-tmp 43private-tmp
40 44
diff --git a/etc/atool.profile b/etc/atool.profile
index 0250451fc..ff3c81a80 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -25,7 +25,6 @@ hostname atool
25ipc-namespace 25ipc-namespace
26machine-id 26machine-id
27net none 27net none
28netfilter
29no3d 28no3d
30nodvd 29nodvd
31nodbus 30nodbus
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 4d0c93047..1bba61a7f 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -39,5 +39,3 @@ tracelog
39private-cache 39private-cache
40private-dev 40private-dev
41private-tmp 41private-tmp
42
43memory-deny-write-execute
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 200d3a387..022b54d0f 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -40,5 +40,3 @@ tracelog
40private-bin audacity 40private-bin audacity
41private-dev 41private-dev
42private-tmp 42private-tmp
43
44memory-deny-write-execute
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 18c862a4d..a2cfa6d67 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc
14# include disable-programs.inc 14# include disable-programs.inc
15# include disable-xdg.inc 15# include disable-xdg.inc
16 16
17include whitelist-runuser-common.inc
18
17caps.drop all 19caps.drop all
18net none 20net none
19no3d 21no3d
@@ -29,6 +31,7 @@ novideo
29protocol unix 31protocol unix
30seccomp 32seccomp
31shell none 33shell none
34tracelog
32 35
33private-bin baobab 36private-bin baobab
34private-dev 37private-dev
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index 412088ba9..a85840d2f 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
15 15
16include whitelist-var-common.inc 16include whitelist-var-common.inc
17 17
18apparmor
18caps.drop all 19caps.drop all
19net none 20net none
20no3d 21no3d
diff --git a/etc/brasero.profile b/etc/brasero.profile
index 67fc07afb..417a6b3e0 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
15include disable-passwdmgr.inc 15include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17 17
18include whitelist-var-common.inc
19
20apparmor
18caps.drop all 21caps.drop all
19net none 22net none
20nogroups 23nogroups
diff --git a/etc/calibre.profile b/etc/calibre.profile
index ad6f0aa0d..d17cfa85f 100644
--- a/etc/calibre.profile
+++ b/etc/calibre.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
19 19
20include whitelist-var-common.inc 20include whitelist-var-common.inc
21 21
22apparmor
22caps.drop all 23caps.drop all
23netfilter 24netfilter
24nodvd 25nodvd
diff --git a/etc/catfish.profile b/etc/catfish.profile
index c6c2d7e8a..577391c5d 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
24whitelist /var/lib/mlocate 24whitelist /var/lib/mlocate
25include whitelist-var-common.inc 25include whitelist-var-common.inc
26 26
27apparmor
27caps.drop all 28caps.drop all
28net none 29net none
29no3d 30no3d
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index d099ba11e..daed19634 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
24include disable-programs.inc 24include disable-programs.inc
25include disable-xdg.inc 25include disable-xdg.inc
26 26
27include whitelist-runuser-common.inc
27include whitelist-usr-share-common.inc 28include whitelist-usr-share-common.inc
28include whitelist-var-common.inc 29include whitelist-var-common.inc
29 30
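--- /dev/null
+++ b/etc/com.github.dahenson.agenda.profile
@@ -0,0 +1,60 @@
+# Firejail profile for com.github.dahenson.agenda
+# Description: Simple, fast, no-nonsense to-do (task) list
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.dahenson.agenda.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/agenda
+noblacklist ${HOME}/.config/agenda
+noblacklist ${HOME}/.local/share/agenda
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/agenda
+mkdir ${HOME}/.config/agenda
+mkdir ${HOME}/.local/share/agenda
+whitelist ${HOME}/.cache/agenda
+whitelist ${HOME}/.config/agenda
+whitelist ${HOME}/.local/share/agenda
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin com.github.dahenson.agenda
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.cache/agenda
+read-write ${HOME}/.config/agenda
+read-write ${HOME}/.local/share/agenda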
diff --git a/etc/curl.profile b/etc/curl.profile
index 3f93e5f7e..a33d084ce 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -10,6 +10,8 @@ include globals.local
10noblacklist ${HOME}/.curlrc 10noblacklist ${HOME}/.curlrc
11 11
12blacklist /tmp/.X11-unix 12blacklist /tmp/.X11-unix
13blacklist ${RUNUSER}/wayland-*
14blacklist ${RUNUSER}
13 15
14include disable-common.inc 16include disable-common.inc
15include disable-exec.inc 17include disable-exec.inc
@@ -19,7 +21,9 @@ include disable-programs.inc
19#include disable-xdg.inc 21#include disable-xdg.inc
20 22
21include whitelist-usr-share-common.inc 23include whitelist-usr-share-common.inc
24include whitelist-var-common.inc
22 25
26apparmor
23caps.drop all 27caps.drop all
24ipc-namespace 28ipc-namespace
25machine-id 29machine-id
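Review bot: `blacklist ${RUNUSER}/wayland-*` (new line 13) is made redundant by `blacklist ${RUNUSER}` on the very next line: once the whole runtime directory is blacklisted the glob cannot deny anything further, and a reader is left guessing whether the narrower entry is deliberate. dig.profile adds the identical pair at new lines 14–15. Keep only `blacklist ${RUNUSER}`, or, if the explicit wayland entry is meant to survive a later `noblacklist ${RUNUSER}` in a .local override, say so in a comment on the line.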
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 897bf5f5d..51df7b455 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
24whitelist ${HOME}/.config/d-feet 24whitelist ${HOME}/.config/d-feet
25whitelist /usr/share/d-feet 25whitelist /usr/share/d-feet
26include whitelist-common.inc 26include whitelist-common.inc
27include whitelist-runuser-common.inc
27include whitelist-usr-share-common.inc 28include whitelist-usr-share-common.inc
28include whitelist-var-common.inc 29include whitelist-var-common.inc
29 30
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index a9d25128f..e7cc66e32 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
16 16
17whitelist ${HOME}/.local/share/glib-2.0 17whitelist ${HOME}/.local/share/glib-2.0
18include whitelist-common.inc 18include whitelist-common.inc
19include whitelist-runuser-common.inc
19include whitelist-usr-share-common.inc 20include whitelist-usr-share-common.inc
20include whitelist-var-common.inc 21include whitelist-var-common.inc
21 22
diff --git a/etc/default.profile b/etc/default.profile
index 95a6e8095..7731b6e00 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -16,6 +16,11 @@ include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17# include disable-xdg.inc 17# include disable-xdg.inc
18 18
19# include whitelist-common.inc
20# include whitelist-usr-share-common.inc
21# include whitelist-runuser-common.inc
22# include whitelist-var-common.inc
23
19# apparmor 24# apparmor
20caps.drop all 25caps.drop all
21# ipc-namespace 26# ipc-namespace
@@ -42,8 +47,11 @@ seccomp
42# private-bin program 47# private-bin program
43# private-cache 48# private-cache
44# private-dev 49# private-dev
45# private-etc alternatives 50# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
51# private-etc alternatives,fonts,machine-id
46# private-lib 52# private-lib
53# private-opt none
47# private-tmp 54# private-tmp
48 55
49# memory-deny-write-execute 56# memory-deny-write-execute
57# read-only ${HOME}
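Review bot: The new template block orders the includes whitelist-common, whitelist-usr-share-common, whitelist-runuser-common, whitelist-var-common (new lines 19–22), and abiword.profile and com.github.dahenson.agenda.profile in this commit follow that order, but celluloid.profile, d-feet.profile and dconf-editor.profile insert `include whitelist-runuser-common.inc` before `include whitelist-usr-share-common.inc`. Since default.profile is the reference other profiles are copied from, pick one order and apply it to the three outliers so future diffs stay mechanical. The pointer to /usr/share/doc/firejail/profile.template on new line 50 is useful; a matching one-line pointer above the new include block would keep the two template locations from drifting.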
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 8f4f9fbe9..17c5059f5 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -14,6 +14,7 @@ include allow-python3.inc
14 14
15include disable-common.inc 15include disable-common.inc
16# include disable-devel.inc 16# include disable-devel.inc
17include disable-exec.inc
17include disable-interpreters.inc 18include disable-interpreters.inc
18include disable-passwdmgr.inc 19include disable-passwdmgr.inc
19include disable-programs.inc 20include disable-programs.inc
@@ -24,6 +25,7 @@ whitelist ${HOME}/.config/deluge
24include whitelist-common.inc 25include whitelist-common.inc
25include whitelist-var-common.inc 26include whitelist-var-common.inc
26 27
28apparmor
27caps.drop all 29caps.drop all
28machine-id 30machine-id
29netfilter 31netfilter
diff --git a/etc/dia.profile b/etc/dia.profile
index bd79797b7..3a8651e2e 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -19,6 +19,9 @@ include disable-passwdmgr.inc
19include disable-programs.inc 19include disable-programs.inc
20include disable-xdg.inc 20include disable-xdg.inc
21 21
22include whitelist-var-common.inc
23
24apparmor
22caps.drop all 25caps.drop all
23net none 26net none
24no3d 27no3d
diff --git a/etc/dig.profile b/etc/dig.profile
index 054e4891d..270a95c05 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -8,8 +8,11 @@ include dig.local
8include globals.local 8include globals.local
9 9
10noblacklist ${HOME}/.digrc 10noblacklist ${HOME}/.digrc
11noblacklist ${PATH}/dig
11 12
12blacklist /tmp/.X11-unix 13blacklist /tmp/.X11-unix
14blacklist ${RUNUSER}/wayland-*
15blacklist ${RUNUSER}
13 16
14include disable-common.inc 17include disable-common.inc
15# include disable-devel.inc 18# include disable-devel.inc
@@ -25,6 +28,7 @@ include whitelist-common.inc
25include whitelist-usr-share-common.inc 28include whitelist-usr-share-common.inc
26include whitelist-var-common.inc 29include whitelist-var-common.inc
27 30
31apparmor
28caps.drop all 32caps.drop all
29ipc-namespace 33ipc-namespace
30machine-id 34machine-id
@@ -47,7 +51,6 @@ tracelog
47disable-mnt 51disable-mnt
48private 52private
49private-bin bash,dig,sh 53private-bin bash,dig,sh
50private-cache
51private-dev 54private-dev
52# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038) 55# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
53#private-lib 56#private-lib
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index bf29cd137..92c6cd2a8 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -166,6 +166,14 @@ blacklist ${HOME}/VirtualBox VMs
166blacklist ${HOME}/.config/gnome-boxes 166blacklist ${HOME}/.config/gnome-boxes
167blacklist ${HOME}/.local/share/gnome-boxes 167blacklist ${HOME}/.local/share/gnome-boxes
168 168
169# libvirt
170blacklist ${HOME}/.cache/libvirt
171blacklist ${HOME}/.config/libvirt
172blacklist ${RUNUSER}/libvirt
173blacklist /var/cache/libvirt
174blacklist /var/lib/libvirt
175blacklist /var/log/libvirt
176
169# VeraCrypt 177# VeraCrypt
170blacklist ${HOME}/.VeraCrypt 178blacklist ${HOME}/.VeraCrypt
171blacklist ${PATH}/veracrypt 179blacklist ${PATH}/veracrypt
@@ -444,8 +452,20 @@ blacklist /.snapshots
444 452
445# flatpak 453# flatpak
446blacklist ${HOME}/.config/flatpak 454blacklist ${HOME}/.config/flatpak
447blacklist ${HOME}/.local/share/flatpak 455blacklist ${HOME}/.local/share/flatpak/app
456blacklist ${HOME}/.local/share/flatpak/appstream
457blacklist ${HOME}/.local/share/flatpak/db
458read-only ${HOME}/.local/share/flatpak/exports
459blacklist ${HOME}/.local/share/flatpak/oci
460blacklist ${HOME}/.local/share/flatpak/overrides
461blacklist ${HOME}/.local/share/flatpak/repo
462blacklist ${HOME}/.local/share/flatpak/runtime
448blacklist ${HOME}/.var 463blacklist ${HOME}/.var
464blacklist ${RUNUSER}/app
465blacklist ${RUNUSER}/doc
466blacklist ${RUNUSER}/.dbus-proxy
467blacklist ${RUNUSER}/.flatpak
468blacklist ${RUNUSER}/.flatpak-helper
449blacklist /usr/share/flatpak 469blacklist /usr/share/flatpak
450blacklist /var/lib/flatpak 470blacklist /var/lib/flatpak
451# most of the time bwrap is SUID binary 471# most of the time bwrap is SUID binary
@@ -462,3 +482,16 @@ blacklist ${HOME}/sent
462 482
463# kernel configuration 483# kernel configuration
464blacklist /proc/config.gz 484blacklist /proc/config.gz
485
486# prevent DNS malware attempting to communicate with the server
487# using regular DNS tools
488blacklist ${PATH}/dig
489blacklist ${PATH}/kdig
490blacklist ${PATH}/nslookup
491blacklist ${PATH}/host
492blacklist ${PATH}/dlint
493blacklist ${PATH}/dnswalk
494blacklist ${PATH}/dns2tcp
495blacklist ${PATH}/iodine
496blacklist ${PATH}/knsupdate
497blacklist ${PATH}/resolvectl
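Review bot: The comment above the new DNS-tool block (new lines 486–487) is imprecise: "communicate with the server" does not say which server, and the block only removes the named executables from `${PATH}`, so it does not stop a sandboxed program from resolving names through its own resolver calls or sockets and must not be read as a DNS-exfiltration control. Suggested wording: `# Hide stock DNS client tools so a compromised program cannot drive lookups or tunnelling through them; this does not restrict the program's own resolver. Profiles that need a tool must noblacklist it before including this file (see dig.profile).` Because the list is by binary name, related tools from the same suites such as `nsupdate` or `drill` are not covered unless added; that is worth deciding explicitly rather than by omission.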
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 59df9fb0f..e1ba13380 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -26,7 +26,6 @@ blacklist ${PATH}/*-gcc*
26blacklist ${PATH}/*-g++* 26blacklist ${PATH}/*-g++*
27blacklist ${PATH}/*-gcc* 27blacklist ${PATH}/*-gcc*
28blacklist ${PATH}/*-g++* 28blacklist ${PATH}/*-g++*
29blacklist /usr/include
30# seems to create problems on Gentoo 29# seems to create problems on Gentoo
31#blacklist /usr/lib/gcc 30#blacklist /usr/lib/gcc
32 31
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index db257c1b6..5bb2f851a 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -8,6 +8,8 @@ blacklist ${HOME}/Monero/wallets
8blacklist ${HOME}/Nextcloud/Notes 8blacklist ${HOME}/Nextcloud/Notes
9blacklist ${HOME}/SoftMaker 9blacklist ${HOME}/SoftMaker
10blacklist ${HOME}/Standard Notes Backups 10blacklist ${HOME}/Standard Notes Backups
11blacklist ${HOME}/TeamSpeak3-Client-linux_x86
12blacklist ${HOME}/TeamSpeak3-Client-linux_amd64
11blacklist ${HOME}/mps 13blacklist ${HOME}/mps
12blacklist ${HOME}/wallet.dat 14blacklist ${HOME}/wallet.dat
13blacklist ${HOME}/.*coin 15blacklist ${HOME}/.*coin
@@ -73,6 +75,7 @@ blacklist ${HOME}/.config/Code Industry
73blacklist ${HOME}/.config/Cryptocat 75blacklist ${HOME}/.config/Cryptocat
74blacklist ${HOME}/.config/Debauchee/Barrier.conf 76blacklist ${HOME}/.config/Debauchee/Barrier.conf
75blacklist ${HOME}/.config/Enox 77blacklist ${HOME}/.config/Enox
78blacklist ${HOME}/.config/Ferdi
76blacklist ${HOME}/.config/Franz 79blacklist ${HOME}/.config/Franz
77blacklist ${HOME}/.config/FreeCAD 80blacklist ${HOME}/.config/FreeCAD
78blacklist ${HOME}/.config/Fritzing 81blacklist ${HOME}/.config/Fritzing
@@ -116,6 +119,8 @@ blacklist ${HOME}/.config/Thunar
116blacklist ${HOME}/.config/VirtualBox 119blacklist ${HOME}/.config/VirtualBox
117blacklist ${HOME}/.config/Wire 120blacklist ${HOME}/.config/Wire
118blacklist ${HOME}/.config/Zeal 121blacklist ${HOME}/.config/Zeal
122blacklist ${HOME}/.config/abiword
123blacklist ${HOME}/.config/agenda
119blacklist ${HOME}/.config/akonadi* 124blacklist ${HOME}/.config/akonadi*
120blacklist ${HOME}/.config/akregatorrc 125blacklist ${HOME}/.config/akregatorrc
121blacklist ${HOME}/.config/ardour4 126blacklist ${HOME}/.config/ardour4
@@ -228,6 +233,7 @@ blacklist ${HOME}/.config/klavaro
228blacklist ${HOME}/.config/klipperrc 233blacklist ${HOME}/.config/klipperrc
229blacklist ${HOME}/.config/kmail2rc 234blacklist ${HOME}/.config/kmail2rc
230blacklist ${HOME}/.config/kmailsearchindexingrc 235blacklist ${HOME}/.config/kmailsearchindexingrc
236blacklist ${HOME}/.config/kmplayerrc
231blacklist ${HOME}/.config/knotesrc 237blacklist ${HOME}/.config/knotesrc
232blacklist ${HOME}/.config/konversationrc 238blacklist ${HOME}/.config/konversationrc
233blacklist ${HOME}/.config/kritarc 239blacklist ${HOME}/.config/kritarc
@@ -305,6 +311,7 @@ blacklist ${HOME}/.config/slimjet
305blacklist ${HOME}/.config/smplayer 311blacklist ${HOME}/.config/smplayer
306blacklist ${HOME}/.config/smtube 312blacklist ${HOME}/.config/smtube
307blacklist ${HOME}/.config/snox 313blacklist ${HOME}/.config/snox
314blacklist ${HOME}/.config/sound-juicer
308blacklist ${HOME}/.config/specialmailcollectionsrc 315blacklist ${HOME}/.config/specialmailcollectionsrc
309blacklist ${HOME}/.config/spotify 316blacklist ${HOME}/.config/spotify
310blacklist ${HOME}/.config/sqlitebrowser 317blacklist ${HOME}/.config/sqlitebrowser
@@ -327,6 +334,7 @@ blacklist ${HOME}/.config/vivaldi
327blacklist ${HOME}/.config/vivaldi-snapshot 334blacklist ${HOME}/.config/vivaldi-snapshot
328blacklist ${HOME}/.config/vlc 335blacklist ${HOME}/.config/vlc
329blacklist ${HOME}/.config/wesnoth 336blacklist ${HOME}/.config/wesnoth
337blacklist ${HOME}/.config/wormux
330blacklist ${HOME}/.config/Whalebird 338blacklist ${HOME}/.config/Whalebird
331blacklist ${HOME}/.config/wireshark 339blacklist ${HOME}/.config/wireshark
332blacklist ${HOME}/.config/xchat 340blacklist ${HOME}/.config/xchat
@@ -375,6 +383,7 @@ blacklist ${HOME}/.fossamail
375blacklist ${HOME}/.freeciv 383blacklist ${HOME}/.freeciv
376blacklist ${HOME}/.freecol 384blacklist ${HOME}/.freecol
377blacklist ${HOME}/.freemind 385blacklist ${HOME}/.freemind
386blacklist ${HOME}/.frogatto
378blacklist ${HOME}/.frozen-bubble 387blacklist ${HOME}/.frozen-bubble
379blacklist ${HOME}/.gimp* 388blacklist ${HOME}/.gimp*
380blacklist ${HOME}/.gist 389blacklist ${HOME}/.gist
@@ -424,6 +433,7 @@ blacklist ${HOME}/.kde/share/config/kfindrc
424blacklist ${HOME}/.kde/share/config/kgetrc 433blacklist ${HOME}/.kde/share/config/kgetrc
425blacklist ${HOME}/.kde/share/config/khtmlrc 434blacklist ${HOME}/.kde/share/config/khtmlrc
426blacklist ${HOME}/.kde/share/config/klipperrc 435blacklist ${HOME}/.kde/share/config/klipperrc
436blacklist ${HOME}/.kde/share/config/kmplayerrc
427blacklist ${HOME}/.kde/share/config/konq_history 437blacklist ${HOME}/.kde/share/config/konq_history
428blacklist ${HOME}/.kde/share/config/konqsidebartngrc 438blacklist ${HOME}/.kde/share/config/konqsidebartngrc
429blacklist ${HOME}/.kde/share/config/konquerorrc 439blacklist ${HOME}/.kde/share/config/konquerorrc
@@ -496,6 +506,7 @@ blacklist ${HOME}/.local/share/TpLogger
496blacklist ${HOME}/.local/share/Zeal 506blacklist ${HOME}/.local/share/Zeal
497blacklist ${HOME}/.local/share/akonadi* 507blacklist ${HOME}/.local/share/akonadi*
498blacklist ${HOME}/.local/share/akregator 508blacklist ${HOME}/.local/share/akregator
509blacklist ${HOME}/.local/share/agenda
499blacklist ${HOME}/.local/share/apps/korganizer 510blacklist ${HOME}/.local/share/apps/korganizer
500blacklist ${HOME}/.local/share/aspyr-media 511blacklist ${HOME}/.local/share/aspyr-media
501blacklist ${HOME}/.local/share/autokey 512blacklist ${HOME}/.local/share/autokey
@@ -531,10 +542,14 @@ blacklist ${HOME}/.local/share/gnome-2048
531blacklist ${HOME}/.local/share/gnome-chess 542blacklist ${HOME}/.local/share/gnome-chess
532blacklist ${HOME}/.local/share/gnome-builder 543blacklist ${HOME}/.local/share/gnome-builder
533blacklist ${HOME}/.local/share/gnome-latex 544blacklist ${HOME}/.local/share/gnome-latex
545blacklist ${HOME}/.local/share/gnome-mines
534blacklist ${HOME}/.local/share/gnome-music 546blacklist ${HOME}/.local/share/gnome-music
547blacklist ${HOME}/.local/share/gnome-nibbles
535blacklist ${HOME}/.local/share/gnome-photos 548blacklist ${HOME}/.local/share/gnome-photos
549blacklist ${HOME}/.local/share/gnome-pomodoro
536blacklist ${HOME}/.local/share/gnome-recipes 550blacklist ${HOME}/.local/share/gnome-recipes
537blacklist ${HOME}/.local/share/gnome-ring 551blacklist ${HOME}/.local/share/gnome-ring
552blacklist ${HOME}/.local/share/gnome-sudoku
538blacklist ${HOME}/.local/share/gnome-twitch 553blacklist ${HOME}/.local/share/gnome-twitch
539blacklist ${HOME}/.local/share/godot 554blacklist ${HOME}/.local/share/godot
540blacklist ${HOME}/.local/share/gradio 555blacklist ${HOME}/.local/share/gradio
@@ -549,6 +564,7 @@ blacklist ${HOME}/.local/share/kiwix
549blacklist ${HOME}/.local/share/kiwix-desktop 564blacklist ${HOME}/.local/share/kiwix-desktop
550blacklist ${HOME}/.local/share/klavaro 565blacklist ${HOME}/.local/share/klavaro
551blacklist ${HOME}/.local/share/kmail2 566blacklist ${HOME}/.local/share/kmail2
567blacklist ${HOME}/.local/share/kmplayer
552blacklist ${HOME}/.local/share/knotes 568blacklist ${HOME}/.local/share/knotes
553blacklist ${HOME}/.local/share/krita 569blacklist ${HOME}/.local/share/krita
554blacklist ${HOME}/.local/share/ktorrent 570blacklist ${HOME}/.local/share/ktorrent
@@ -603,6 +619,7 @@ blacklist ${HOME}/.local/share/vpltd
603blacklist ${HOME}/.local/share/vulkan 619blacklist ${HOME}/.local/share/vulkan
604blacklist ${HOME}/.local/share/warsow-2.1 620blacklist ${HOME}/.local/share/warsow-2.1
605blacklist ${HOME}/.local/share/wesnoth 621blacklist ${HOME}/.local/share/wesnoth
622blacklist ${HOME}/.local/share/wormux
606blacklist ${HOME}/.local/share/xplayer 623blacklist ${HOME}/.local/share/xplayer
607blacklist ${HOME}/.local/share/xreader 624blacklist ${HOME}/.local/share/xreader
608blacklist ${HOME}/.local/share/zathura 625blacklist ${HOME}/.local/share/zathura
@@ -638,6 +655,7 @@ blacklist ${HOME}/.openttd
638blacklist ${HOME}/.opera 655blacklist ${HOME}/.opera
639blacklist ${HOME}/.opera-beta 656blacklist ${HOME}/.opera-beta
640blacklist ${HOME}/.ostrichriders 657blacklist ${HOME}/.ostrichriders
658blacklist ${HOME}/.penguin-command
641blacklist ${HOME}/.pingus 659blacklist ${HOME}/.pingus
642blacklist ${HOME}/.pioneer 660blacklist ${HOME}/.pioneer
643blacklist ${HOME}/.purple 661blacklist ${HOME}/.purple
@@ -650,6 +668,7 @@ blacklist ${HOME}/.remmina
650blacklist ${HOME}/.repo_.gitconfig.json 668blacklist ${HOME}/.repo_.gitconfig.json
651blacklist ${HOME}/.repoconfig 669blacklist ${HOME}/.repoconfig
652blacklist ${HOME}/.retroshare 670blacklist ${HOME}/.retroshare
671blacklist ${HOME}/.ripperXrc
653blacklist ${HOME}/.scorched3d 672blacklist ${HOME}/.scorched3d
654blacklist ${HOME}/.scribus 673blacklist ${HOME}/.scribus
655blacklist ${HOME}/.scribusrc 674blacklist ${HOME}/.scribusrc
@@ -697,6 +716,7 @@ blacklist ${HOME}/.widelands
697blacklist ${HOME}/.wine 716blacklist ${HOME}/.wine
698blacklist ${HOME}/.wine64 717blacklist ${HOME}/.wine64
699blacklist ${HOME}/.wireshark 718blacklist ${HOME}/.wireshark
719blacklist ${HOME}/.wormux
700blacklist ${HOME}/.xiphos 720blacklist ${HOME}/.xiphos
701blacklist ${HOME}/.xmind 721blacklist ${HOME}/.xmind
702blacklist ${HOME}/.xmms 722blacklist ${HOME}/.xmms
@@ -721,12 +741,14 @@ blacklist ${HOME}/.cache/BraveSoftware
721blacklist ${HOME}/.cache/Clementine 741blacklist ${HOME}/.cache/Clementine
722blacklist ${HOME}/.cache/Enox 742blacklist ${HOME}/.cache/Enox
723blacklist ${HOME}/.cache/Enpass 743blacklist ${HOME}/.cache/Enpass
744blacklist ${HOME}/.cache/Ferdi
724blacklist ${HOME}/.cache/Franz 745blacklist ${HOME}/.cache/Franz
725blacklist ${HOME}/.cache/INRIA 746blacklist ${HOME}/.cache/INRIA
726blacklist ${HOME}/.cache/MusicBrainz 747blacklist ${HOME}/.cache/MusicBrainz
727blacklist ${HOME}/.cache/QuiteRss 748blacklist ${HOME}/.cache/QuiteRss
728blacklist ${HOME}/.cache/Tox 749blacklist ${HOME}/.cache/Tox
729blacklist ${HOME}/.cache/Zeal 750blacklist ${HOME}/.cache/Zeal
751blacklist ${HOME}/.cache/agenda
730blacklist ${HOME}/.cache/akonadi* 752blacklist ${HOME}/.cache/akonadi*
731blacklist ${HOME}/.cache/atril 753blacklist ${HOME}/.cache/atril
732blacklist ${HOME}/.cache/attic 754blacklist ${HOME}/.cache/attic
@@ -759,6 +781,7 @@ blacklist ${HOME}/.cache/gfeeds
759blacklist ${HOME}/.cache/gimp 781blacklist ${HOME}/.cache/gimp
760blacklist ${HOME}/.cache/gnome-builder 782blacklist ${HOME}/.cache/gnome-builder
761blacklist ${HOME}/.cache/gnome-recipes 783blacklist ${HOME}/.cache/gnome-recipes
784blacklist ${HOME}/.cache/gnome-screenshot
762blacklist ${HOME}/.cache/gnome-twitch 785blacklist ${HOME}/.cache/gnome-twitch
763blacklist ${HOME}/.cache/godot 786blacklist ${HOME}/.cache/godot
764blacklist ${HOME}/.cache/google-chrome 787blacklist ${HOME}/.cache/google-chrome
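--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -6,12 +6,17 @@ include discord-common.local
 # added by caller profile
 #include globals.local
 
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/BetterDiscord
+whitelist ${HOME}/.local/share/betterdiscordctl
 include whitelist-common.inc
 include whitelist-var-common.inc
 
@@ -25,11 +30,9 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 
-private-bin bash,cut,echo,egrep,grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh
+private-bin bash,cut,echo,egrep,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
 private-tmp
-
-noexec /tmp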
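Review bot: `ignore noexec ${HOME}` at new line 9 cancels the home-directory noexec that the newly added `include disable-exec.inc` would otherwise apply, and `seccomp !chroot` at new line 33 re-admits the chroot syscall, yet neither relaxation carries an in-file reason. A reader cannot tell which feature needs executables under ${HOME} (presumably the BetterDiscord directories whitelisted at new lines 18-19) or why chroot is required. Suggest documenting both so later hardening can re-evaluate them, e.g. `# BetterDiscord runs helpers from ${HOME} — TODO confirm` above line 9 and `# chroot needed by <component> — TODO confirm` above line 33. The explicit `noexec /tmp` is dropped at the end of the second hunk; whether disable-exec.inc covers /tmp is not visible here.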
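--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d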
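--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 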
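--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 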
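--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 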
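--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland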
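--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -18,8 +19,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 nodvd
 nonewprivs
 noroot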
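--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 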
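--- /dev/null
+++ b/etc/ferdi.profile
@@ -0,0 +1,46 @@
+# Firejail profile for ferdi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ferdi.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/Ferdi
+noblacklist ${HOME}/.config/Ferdi
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/Ferdi
+mkdir ${HOME}/.config/Ferdi
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/Ferdi
+whitelist ${HOME}/.config/Ferdi
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+
+disable-mnt
+private-dev
+private-tmp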
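Review bot: The new profile relaxes the sandbox with `ignore noexec /tmp` (line 8) and `seccomp !chroot` (line 41) without a comment saying which part of Ferdi needs an executable /tmp or the chroot syscall, so neither can be re-evaluated later. It also omits `include disable-passwdmgr.inc`, which the very similar discord-common.profile in this commit keeps (its new line 14), and carries no `# Description:` line unlike the other new profiles here. If the omissions are deliberate, a one-line comment would help; otherwise suggest adding `include disable-passwdmgr.inc` after line 16 and `# ignore noexec /tmp: <reason> — TODO confirm` above line 8.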
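--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
@@ -36,7 +37,7 @@ seccomp
 shell none
 tracelog
 
-private-bin 7z,7za,7zr,ar,arj,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,rar,rzip,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
+private-bin 7z,7za,7zr,ar,arj,bash,brotli,bzip2,compress,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,p7zip,rar,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,xz,zip,zoo
 private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg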
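Review bot: `bash` and `sh` join the private-bin list at new line 40 alongside the archive tools, which lets an archive-extraction sandbox spawn a shell, but nothing in the profile records which helper requires it (the simultaneously added `p7zip` wrapper, presumably). Suggest a comment above that line, e.g. `# bash/sh: required by the p7zip wrapper script — TODO confirm`, so the shell can be removed again if that dependency goes away.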
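--- a/etc/file.profile
+++ b/etc/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
@@ -38,8 +39,8 @@ x11 none
 #private-bin bzip2,file,gzip,lrzip,lz4,lzip,xz,zstd
 private-cache
 private-dev
-private-etc alternatives,localtime,magic,magic.mgc
-private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*
+#private-etc alternatives,localtime,magic,magic.mgc
+#private-lib file,libarchive.so.*,libfakeroot,libmagic.so.*,libseccomp.so.*
 
 memory-deny-write-execute
 read-only ${HOME}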
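Review bot: The new `blacklist ${RUNUSER}` at new line 11 already covers everything the existing `blacklist ${RUNUSER}/wayland-*` on line 10 matches, so line 10 is now redundant and can be dropped. In the second hunk, `private-etc` and `private-lib` (new lines 42-43) are commented out rather than deleted, with no note saying why; a commented-out hardening line with no reason invites someone to re-enable it or leaves the loosening unexplained. Suggest `# private-etc/private-lib disabled: <reason or issue> — TODO fill in` above new line 42, or deleting the lines outright.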
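--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all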
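--- a/etc/firefox-esr.profile
+++ b/etc/firefox-esr.profile
@@ -6,5 +6,7 @@ include firefox-esr.local
 # added by included profile
 #include globals.local
 
+whitelist /usr/share/firefox-esr
+
 # Redirect
 include firefox.profile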
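--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -15,6 +15,7 @@ whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
 whitelist /usr/share/doc
+whitelist /usr/share/firefox
 whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
 whitelist /usr/share/webext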
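--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -65,6 +65,8 @@ owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,
 
 # Needed for electron apps
 /proc/@{PID}/comm w,
+# Needed for nslookup, dig, host
+/proc/@{PID}/task/@{PID}/comm w,
 
 # Used by chromium
 owner /proc/@{PID}/oom_score_adj w,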
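Review bot: The new rule `/proc/@{PID}/task/@{PID}/comm w,` at new line 69 carries no `owner` qualifier, while the neighbouring oom_score_adj rule (new line 72) and the uid_map rule in the hunk header are `owner`-restricted. If nslookup/dig/host only rename their own threads, `owner /proc/@{PID}/task/@{PID}/comm w,` is the tighter form and matches the rest of the file. The electron comm rule on line 67 that this mirrors also lacks `owner`, so this may be a deliberate convention; worth confirming rather than assuming.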
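--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter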
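--- /dev/null
+++ b/etc/four-in-a-row.profile
@@ -0,0 +1,17 @@
+# Firejail profile for four-in-a-row
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include four-in-a-row.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/four-in-a-row
+
+private-bin four-in-a-row
+
+# Redirect
+include gnome_games-common.profile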
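Review bot: `# Description: Sliding tile puzzle game` on line 2 does not describe four-in-a-row, and the identical line has been copied into the new gnome-mahjongg.profile, gnome-mines.profile and gnome-nibbles.profile in this commit. The Description comment is what users see when listing profiles, so each file should name its own game, e.g. `# Description: Connect-four style board game for GNOME` here. Whether the redirect target gnome_games-common.profile supplies the sandbox options these stubs rely on is not visible on this page.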
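--- a/etc/freeciv.profile
+++ b/etc/freeciv.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.freeciv
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter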
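--- a/etc/freeoffice-planmaker.profile
+++ b/etc/freeoffice-planmaker.profile
@@ -7,4 +7,4 @@ include freeoffice-planmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc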
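--- a/etc/freeoffice-presentations.profile
+++ b/etc/freeoffice-presentations.profile
@@ -7,4 +7,4 @@ include freeoffice-presentations.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc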
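--- a/etc/freeoffice-textmaker.profile
+++ b/etc/freeoffice-textmaker.profile
@@ -6,4 +6,4 @@ include freeoffice-textmaker.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc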
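--- /dev/null
+++ b/etc/frogatto.profile
@@ -0,0 +1,47 @@
+# Firejail profile for frogatto
+# Description: 2D platformer game starring a quixotic frog
+# This file is overwritten after every install/update
+# Persistent local customizations
+include frogatto.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.frogatto
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.frogatto
+whitelist ${HOME}/.frogatto
+whitelist /usr/share/frogatto
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin frogatto,sh
+private-cache
+private-dev
+private-etc machine-id
+private-tmp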
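--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -13,6 +13,7 @@ include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ whitelist ${HOME}/.frozen-bubble
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus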
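--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable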
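--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 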
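--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -19,7 +19,16 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+#whitelist ${HOME}/YOUR_GIT_PROJECTS_DIRECTORY
+#whitelist ${HOME}/.config/git
+#whitelist ${HOME}/.gitconfig
+#whitelist ${HOME}/.git-credentials
+#whitelist ${HOME}/.local/share/gitg
+#whitelist ${HOME}/.ssh
+#include whitelist-common.inc
+
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 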
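Review bot: The commented-out template at new lines 22-28 includes `#whitelist ${HOME}/.git-credentials` and `#whitelist ${HOME}/.ssh`, which hand the sandbox stored credentials and private keys once enabled, but nothing says these are examples meant for gitg.local rather than lines to uncomment in the installed profile (which, as the other profiles in this commit note on line 2, is overwritten on update). Suggest a header comment above new line 22, e.g. `# Example whitelist - copy the lines you need into gitg.local; .ssh and .git-credentials expose your secrets to the sandbox`, so the intent and the trade-off are both visible.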
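--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 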
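--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -8,31 +8,10 @@ include globals.local
 
 noblacklist ${HOME}/.local/share/gnome-2048
 
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-
-include whitelist-var-common.inc
-
 mkdir ${HOME}/.local/share/gnome-2048
 whitelist ${HOME}/.local/share/gnome-2048
-include whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
 
-disable-mnt
-private-dev
-private-tmp
+private-bin gnome-2048
 
+# Redirect
+include gnome_games-common.profile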
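--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -23,8 +23,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups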
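--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter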
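--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 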
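--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -19,9 +19,11 @@ include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none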
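--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -16,6 +16,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/gnuchess
+whitelist /usr/share/gnome-chess
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor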
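Review bot: The two new whitelist lines at new lines 19-20 break the alphabetical order the other whitelist blocks in this commit keep (compare gnome-clocks, new lines 17-18): `whitelist /usr/share/gnome-chess` should precede `whitelist /usr/share/gnuchess`. Purely stylistic, but the sorted order is what keeps later additions easy to merge without conflicts.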
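--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 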
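--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all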
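--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -17,8 +17,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nonewprivs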
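--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@@ -15,9 +15,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 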
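--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc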
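--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 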
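--- /dev/null
+++ b/etc/gnome-mahjongg.profile
@@ -0,0 +1,14 @@
+# Firejail profile for gnome-mahjongg
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mahjongg.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/gnome-mahjongg
+
+private-bin gnome-mahjongg
+
+# Redirect
+include gnome_games-common.profile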
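--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,7 +13,6 @@ include globals.local
 
 noblacklist ${HOME}/.cache/champlain
 noblacklist ${HOME}/.cache/org.gnome.Maps
-noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
 
 # Allow gjs (blacklisted by disable-interpreters.inc)
@@ -36,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 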
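--- /dev/null
+++ b/etc/gnome-mines.profile
@@ -0,0 +1,18 @@
+# Firejail profile for gnome-mines
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-mines.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-mines
+
+mkdir ${HOME}/.local/share/gnome-mines
+whitelist ${HOME}/.local/share/gnome-mines
+whitelist /usr/share/gnome-mines
+
+private-bin gnome-mines
+
+# Redirect
+include gnome_games-common.profile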
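--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,8 +21,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -37,8 +39,9 @@ seccomp
 shell none
 tracelog
 
-private-bin env,gio-launch-desktop,gnome-music,python*,yelp
+# private-bin calls a file manager - whatever is installed!
+#private-bin env,gio-launch-desktop,gnome-music,python*,yelp
 private-dev
-private-etc alternatives,asound.conf,fonts,machine-id,pulse
+private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg
 private-tmp
 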
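Review bot: `fonts` appears twice in the new private-etc list at new line 45 (`...dconf,fonts,fonts,gtk-3.0,...`); harmless at runtime, but it reads like a merge slip and should be `private-etc alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,pulse,selinux,xdg`. The new comment at line 42 explaining why private-bin is disabled is welcome; it could also state that without private-bin the sandbox sees the host's full set of binaries, so the trade-off is visible to whoever revisits it.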
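--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 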
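--- /dev/null
+++ b/etc/gnome-nibbles.profile
@@ -0,0 +1,21 @@
+# Firejail profile for gnome-nibbles
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-nibbles.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+noblacklist ${HOME}/.local/share/gnome-nibbles
+
+mkdir ${HOME}/.local/share/gnome-nibbles
+whitelist ${HOME}/.local/share/gnome-nibbles
+whitelist /usr/share/gnome-nibbles
+
+private-bin gnome-nibbles
+
+# Redirect
+include gnome_games-common.profile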
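--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 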
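Review bot: The explicit `whitelist ${RUNUSER}/gdm/Xauthority` dropped from old line 27 is replaced only by `include whitelist-runuser-common.inc` on new line 26, and that include file is not part of this diff, so it is not visible here whether the GDM Xauthority path is still whitelisted. If it is not, gnome-passwordsafe loses access to its X authority file under GDM with this change. Worth confirming against the include before merge; if it is not covered, keep the single line `whitelist ${RUNUSER}/gdm/Xauthority` above the include.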
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index aa0b7dbe3..2af406af9 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,8 +17,10 @@ include disable-interpreters.inc
17include disable-passwdmgr.inc 17include disable-passwdmgr.inc
18include disable-programs.inc 18include disable-programs.inc
19 19
20include whitelist-runuser-common.inc
20include whitelist-var-common.inc 21include whitelist-var-common.inc
21 22
23apparmor
22caps.drop all 24caps.drop all
23netfilter 25netfilter
24nodvd 26nodvd
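--- /dev/null
+++ b/etc/gnome-pomodoro.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-pomodoro
+# Description: time management utility for GNOME based on the pomodoro technique
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-pomodoro.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-pomodoro
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/gnome-pomodoro
+whitelist ${HOME}/.local/share/gnome-pomodoro
+whitelist /usr/share/gnome-pomodoro
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-pomodoro
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id
+private-tmp
+
+read-only ${HOME}
+read-write ${HOME}/.local/share/gnome-pomodoro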
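Review bot: Lines 22–25 list `include whitelist-usr-share-common.inc` before `include whitelist-runuser-common.inc`, while the other profiles touched in this commit (gnome_games-common.profile, gnome-schedule, gpg-agent, gpg) keep the whitelist includes in alphabetical order: common, runuser, usr-share, var. The new gnome-screenshot and gnome-todo profiles have the same inverted pair. Swapping lines 23 and 24 in each keeps the three new profiles consistent with the rest; the order of these includes should not change the resulting sandbox, so this is style only.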
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
index b4791afc5..20c355371 100644
--- a/etc/gnome-recipes.profile
+++ b/etc/gnome-recipes.profile
@@ -26,6 +26,7 @@ include whitelist-common.inc
26include whitelist-usr-share-common.inc 26include whitelist-usr-share-common.inc
27include whitelist-var-common.inc 27include whitelist-var-common.inc
28 28
29apparmor
29caps.drop all 30caps.drop all
30ipc-namespace 31ipc-namespace
31machine-id 32machine-id
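--- /dev/null
+++ b/etc/gnome-robots.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-robots
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-robots.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-robots
+
+private-bin gnome-robots
+
+# Redirect
+include gnome_games-common.profile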
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index c8dd8ead7..55913a2d7 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
39whitelist /var/spool/atd 39whitelist /var/spool/atd
40whitelist /var/spool/cron 40whitelist /var/spool/cron
41include whitelist-common.inc 41include whitelist-common.inc
42include whitelist-runuser-common.inc
42include whitelist-usr-share-common.inc 43include whitelist-usr-share-common.inc
43include whitelist-var-common.inc 44include whitelist-var-common.inc
44 45
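--- /dev/null
+++ b/etc/gnome-screenshot.profile
@@ -0,0 +1,44 @@
+# Firejail profile for gnome-screenshot
+# Description: GNOME screenshot tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-screenshot.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PICTURES}
+noblacklist ${HOME}/.cache/gnome-screenshot
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-screenshot
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,machine-id
+private-tmp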
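Review bot: The profile opens `${PICTURES}` and `${HOME}/.cache/gnome-screenshot` with `noblacklist` (lines 9–10) but never includes `whitelist-common.inc`, so everything in the home directory that the disable-*.inc files do not blacklist remains readable and writable to the screenshot tool. gnome-pomodoro in the same commit uses the whitelist form, which would confine this profile to the two directories it needs: `whitelist ${PICTURES}`, `whitelist ${HOME}/.cache/gnome-screenshot`, `include whitelist-common.inc` (plus a `mkdir` for the cache directory). If the save dialog is meant to browse arbitrary folders, a comment saying so would explain why the blacklist approach was chosen.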
diff --git a/etc/gnome-sound-recorder.profile b/etc/gnome-sound-recorder.profile
index 7f8fc8a0c..a64ec25a9 100644
--- a/etc/gnome-sound-recorder.profile
+++ b/etc/gnome-sound-recorder.profile
@@ -7,7 +7,6 @@ include gnome-sound-recorder.local
7include globals.local 7include globals.local
8 8
9noblacklist ${MUSIC} 9noblacklist ${MUSIC}
10noblacklist ${HOME}/.local/share/flatpak
11noblacklist ${HOME}/.local/share/Trash 10noblacklist ${HOME}/.local/share/Trash
12 11
13# Allow gjs (blacklisted by disable-interpreters.inc) 12# Allow gjs (blacklisted by disable-interpreters.inc)
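--- /dev/null
+++ b/etc/gnome-sudoku.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-sudoku
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-sudoku.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/gnome-sudoku
+
+mkdir ${HOME}/.local/share/gnome-sudoku
+whitelist ${HOME}/.local/share/gnome-sudoku
+
+private-bin gnome-sudoku
+
+# Redirect
+include gnome_games-common.profile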
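Review bot: Unlike gnome-nibbles, gnome-robots, gnome-taquin and lightsoff, this profile and gnome-tetravex do not whitelist a `/usr/share/<game>` directory, while gnome_games-common.profile (included on line 17) pulls in `whitelist-usr-share-common.inc`, which hides any part of /usr/share that is not explicitly whitelisted. If either game installs data under /usr/share, it will be invisible inside the sandbox. If they genuinely ship no such directory, a one-line comment such as `# no /usr/share/gnome-sudoku on this package` would stop the next reader from treating it as an omission.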
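--- /dev/null
+++ b/etc/gnome-taquin.profile
@@ -0,0 +1,17 @@
+# Firejail profile for gnome-taquin
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-taquin.local
+# Persistent global definitions
+include globals.local
+
+ignore machine-id
+ignore nosound
+
+whitelist /usr/share/gnome-taquin
+
+private-bin gnome-taquin
+
+# Redirect
+include gnome_games-common.profile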
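--- /dev/null
+++ b/etc/gnome-tetravex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gnome-tetravex
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-tetravex.local
+# Persistent global definitions
+include globals.local
+
+private-bin gnome-tetravex
+
+# Redirect
+include gnome_games-common.profile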
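--- /dev/null
+++ b/etc/gnome-todo.profile
@@ -0,0 +1,51 @@
+# Firejail profile for gnome-todo
+# Description: Personal task manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-todo.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /usr/share/gnome-todo
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+#private
+private-bin gnome-todo
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg
+private-tmp
+
+read-only ${HOME}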
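Review bot: Line 44, `#private`, is a disabled option with no explanation, and line 10 includes `allow-python3.inc` while line 45's `private-bin gnome-todo` exposes no python binary, so the interpreter allowance only matters if gnome-todo loads python in-process (for example via a plugin), which the profile does not say. Either drop `include allow-python3.inc`, or keep it with a comment naming the component that needs it and, if a separate interpreter process is involved, add it to private-bin. For line 44, either remove it or replace it with a comment stating why `private` was rejected — the profile already confines home through `include whitelist-common.inc` and `read-only ${HOME}`, which may be the reason.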
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 10db6296b..a181f1b9e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
21include disable-programs.inc 21include disable-programs.inc
22include disable-xdg.inc 22include disable-xdg.inc
23 23
24include whitelist-runuser-common.inc
24include whitelist-var-common.inc 25include whitelist-var-common.inc
25 26
26caps.drop all 27caps.drop all
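--- /dev/null
+++ b/etc/gnome_games-common.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome_games-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome_games-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,X11
+private-tmp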
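--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 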
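Review bot: The new `whitelist ${RUNUSER}/keyring` on line 25 exposes the whole gnome-keyring runtime directory — which typically holds its control socket and the agent sockets it provides — to the gpg-agent sandbox, and the same line is added to gpg.profile (line 22 there). If only one socket under that directory is needed, whitelisting that single path keeps the rest of the keyring's sockets out of reach of the sandboxed process; either way a one-line comment naming which component needs it would document the intent. The companion `whitelist ${RUNUSER}/gnupg` on line 24 is the agent's own socket directory and looks right.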
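--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 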
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index b3aa58d29..f3e3ab14d 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
15include disable-xdg.inc 15include disable-xdg.inc
16 16
17include whitelist-common.inc 17include whitelist-common.inc
18include whitelist-runuser-common.inc
18include whitelist-usr-share-common.inc 19include whitelist-usr-share-common.inc
19include whitelist-var-common.inc 20include whitelist-var-common.inc
20 21
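--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -22,7 +22,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-netfilter
+net none
 nodbus
 nogroups
 nonewprivs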
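--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -7,6 +7,7 @@ include highlight.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc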
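Review bot: With `blacklist ${RUNUSER}` added on line 10, the preceding `blacklist ${RUNUSER}/wayland-*` on line 9 is redundant, because the whole runtime directory is now hidden; the same pair appears in less.profile (lines 10–11) and in the new nslookup.profile (lines 11–12). Keeping only `blacklist ${RUNUSER}` states the intent in one line. If the narrower entry is kept on purpose — for instance so a user who drops the broad line in a .local file still loses the Wayland sockets — a short comment saying so would make that clear.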
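--- /dev/null
+++ b/etc/host.profile
@@ -0,0 +1,49 @@
+# Firejail profile for host
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include host.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/host
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,host,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute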
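Review bot: `private-bin bash,host,sh` on line 45 places two shells inside a sandbox that otherwise sets `shell none`; if `host` is a plain binary on the targeted distributions, `private-bin host` is sufficient, and if it is a wrapper script somewhere, a comment naming that case would justify the shells (nslookup.profile line 49 has the same `bash,nslookup,sh`). The two profiles also differ on display access: nslookup blacklists `/tmp/.X11-unix`, `${RUNUSER}/wayland-*` and `${RUNUSER}` on its lines 10–12, while this profile has no such lines, although both are command-line resolvers with an otherwise identical option set. Adding the same blacklist lines here after line 8 would keep the pair aligned.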
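--- /dev/null
+++ b/etc/iagno.profile
@@ -0,0 +1,37 @@
+# Firejail profile for iagno
+# Description: Reversi clone for Gnome desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include iagno.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+#nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin iagno
+private-dev
+private-tmp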
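Review bot: This profile spells out its own hardening on lines 9–37 while every other GNOME game added in this commit is reduced to a few lines plus `include gnome_games-common.profile`, and it omits `disable-xdg.inc`, `tracelog` and `machine-id` that the common profile sets; line 21 also carries a disabled `#nodbus` with no reason given. Unless the `private` home and the missing options are deliberate, the same short shape would do: `whitelist /usr/share/iagno` (if iagno installs data there), `private-bin iagno`, `include gnome_games-common.profile`. If the standalone form is kept, `#nodbus` should either be enabled or get a comment explaining what breaks with it.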
diff --git a/etc/kino.profile b/etc/kino.profile
index 9e8d61391..b3ade0dd9 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -16,6 +16,9 @@ include disable-interpreters.inc
16include disable-passwdmgr.inc 16include disable-passwdmgr.inc
17include disable-programs.inc 17include disable-programs.inc
18 18
19include whitelist-var-common.inc
20
21apparmor
19caps.drop all 22caps.drop all
20netfilter 23netfilter
21nogroups 24nogroups
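--- /dev/null
+++ b/etc/kmplayer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mplayer
+# Description: mplayer KDE GUI (movie player)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kmplayer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/kmplayerrc
+noblacklist ${HOME}/.kde/share/config/kmplayerrc
+noblacklist ${HOME}/.local/share/kmplayer
+noblacklist ${MUSIC}
+noblacklist ${VIDEOS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# private-bin kmplayer,mplayer
+private-cache
+private-dev
+private-tmp
+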
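Review bot: Line 1 reads `# Firejail profile for mplayer` although the file is kmplayer.profile; it should be `# Firejail profile for kmplayer`. Line 37, `# private-bin kmplayer,mplayer`, is disabled without saying why — if the set of helper binaries kmplayer launches is not yet known, a comment such as `# private-bin kmplayer,mplayer - disabled until the required helpers are identified` keeps that knowledge in the profile instead of leaving a dead line. The file also ends with an empty line 41, which none of the other profiles in this commit have.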
diff --git a/etc/latex-common.profile b/etc/latex-common.profile
index 712ada722..84901e8ef 100644
--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
14include disable-programs.inc 14include disable-programs.inc
15 15
16whitelist /var/lib 16whitelist /var/lib
17include whitelist-runuser-common.inc
17include whitelist-var-common.inc 18include whitelist-var-common.inc
18 19
19caps.drop all 20caps.drop all
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 56a792c8e..c456541aa 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -17,8 +17,9 @@ include disable-programs.inc
17 17
18include whitelist-var-common.inc 18include whitelist-var-common.inc
19 19
20apparmor
20caps.drop all 21caps.drop all
21netfilter 22net none
22no3d 23no3d
23nodvd 24nodvd
24nogroups 25nogroups
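--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
 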
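--- /dev/null
+++ b/etc/lightsoff.profile
@@ -0,0 +1,14 @@
+# Firejail profile for lightsoff
+# Description: Sliding tile puzzle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lightsoff.local
+# Persistent global definitions
+include globals.local
+
+whitelist /usr/share/lightsoff
+
+private-bin lightsoff
+
+# Redirect
+include gnome_games-common.profile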
diff --git a/etc/lincity-ng.profile b/etc/lincity-ng.profile
index b55ac9a15..748d38221 100644
--- a/etc/lincity-ng.profile
+++ b/etc/lincity-ng.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.lincity-ng
21include whitelist-common.inc 21include whitelist-common.inc
22include whitelist-var-common.inc 22include whitelist-var-common.inc
23 23
24apparmor
24caps.drop all 25caps.drop all
25ipc-namespace 26ipc-namespace
26net none 27net none
diff --git a/etc/links.profile b/etc/links.profile
index a31001c87..b2f94d3cf 100644
--- a/etc/links.profile
+++ b/etc/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
24mkdir ${HOME}/.links 24mkdir ${HOME}/.links
25whitelist ${HOME}/.links 25whitelist ${HOME}/.links
26whitelist ${DOWNLOADS} 26whitelist ${DOWNLOADS}
27include whitelist-runuser-common.inc
27include whitelist-var-common.inc 28include whitelist-var-common.inc
28 29
29caps.drop all 30caps.drop all
diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile
index 74adb7a67..a33ddab78 100644
--- a/etc/lximage-qt.profile
+++ b/etc/lximage-qt.profile
@@ -14,9 +14,11 @@ include disable-exec.inc
14include disable-interpreters.inc 14include disable-interpreters.inc
15include disable-passwdmgr.inc 15include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include whitelist-var-common.inc
17 18
19apparmor
18caps.drop all 20caps.drop all
19netfilter 21net none
20no3d 22no3d
21nodvd 23nodvd
22nogroups 24nogroups
diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile
index e1a37343e..9094f4377 100644
--- a/etc/lxmusic.profile
+++ b/etc/lxmusic.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
20 20
21include whitelist-var-common.inc 21include whitelist-var-common.inc
22 22
23apparmor
23caps.drop all 24caps.drop all
24netfilter 25netfilter
25no3d 26no3d
diff --git a/etc/lynx.profile b/etc/lynx.profile
index fb6fe94ec..dbd0a61e5 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
16include disable-programs.inc 16include disable-programs.inc
17include disable-xdg.inc 17include disable-xdg.inc
18 18
19include whitelist-runuser-common.inc
20
19caps.drop all 21caps.drop all
20netfilter 22netfilter
21no3d 23no3d
diff --git a/etc/lzcat.profile b/etc/lzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcat.profile
+++ b/etc/lzcat.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzcmp.profile b/etc/lzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzcmp.profile
+++ b/etc/lzcmp.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzegrep.profile b/etc/lzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzegrep.profile
+++ b/etc/lzegrep.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzfgrep.profile b/etc/lzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzfgrep.profile
+++ b/etc/lzfgrep.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzgrep.profile b/etc/lzgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzgrep.profile
+++ b/etc/lzgrep.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzip.profile b/etc/lzip.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzip.profile
+++ b/etc/lzip.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzless.profile b/etc/lzless.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzless.profile
+++ b/etc/lzless.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzma.profile b/etc/lzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzma.profile
+++ b/etc/lzma.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzmainfo.profile b/etc/lzmainfo.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmainfo.profile
+++ b/etc/lzmainfo.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/lzmore.profile b/etc/lzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/lzmore.profile
+++ b/etc/lzmore.profile
@@ -1,6 +1,7 @@
1# Firejail profile alias for cpio 1# Firejail profile alias for cpio
2# Description: Library and command line tools for XZ and LZMA compressed files 2# Description: Library and command line tools for XZ and LZMA compressed files
3# This file is overwritten after every install/update 3# This file is overwritten after every install/update
4quiet
4 5
5# Redirect 6# Redirect
6include cpio.profile 7include cpio.profile
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index 2f6020ad3..8bd62ae0b 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -22,7 +22,9 @@ whitelist ${HOME}/.cache/mate-calc
22whitelist ${HOME}/.config/caja 22whitelist ${HOME}/.config/caja
23whitelist ${HOME}/.config/mate-menu 23whitelist ${HOME}/.config/mate-menu
24include whitelist-common.inc 24include whitelist-common.inc
25include whitelist-var-common.inc
25 26
27apparmor
26caps.drop all 28caps.drop all
27net none 29net none
28no3d 30no3d
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile
index 49a776766..59f439c91 100644
--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -18,6 +18,7 @@ mkdir ${HOME}/.config/mate/mate-dictionary
18whitelist ${HOME}/.config/mate/mate-dictionary 18whitelist ${HOME}/.config/mate/mate-dictionary
19include whitelist-common.inc 19include whitelist-common.inc
20 20
21apparmor
21caps.drop all 22caps.drop all
22netfilter 23netfilter
23no3d 24no3d
diff --git a/etc/meld.profile b/etc/meld.profile
index 9a320c13d..be13e9643 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -36,6 +36,8 @@ include disable-passwdmgr.inc
36# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc. 36# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
37#include disable-programs.inc 37#include disable-programs.inc
38 38
39include whitelist-runuser-common.inc
40
39# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share. 41# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
40#whitelist /usr/share/meld 42#whitelist /usr/share/meld
41#include whitelist-usr-share-common.inc 43#include whitelist-usr-share-common.inc
diff --git a/etc/midori.profile b/etc/midori.profile
index e11e2acaa..e15259608 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -48,7 +48,9 @@ whitelist ${HOME}/.local/share/webkitgtk
48whitelist ${HOME}/.pki 48whitelist ${HOME}/.pki
49whitelist ${HOME}/.local/share/pki 49whitelist ${HOME}/.local/share/pki
50include whitelist-common.inc 50include whitelist-common.inc
51include whitelist-var-common.inc
51 52
53apparmor
52caps.drop all 54caps.drop all
53netfilter 55netfilter
54nodvd 56nodvd
@@ -60,3 +62,4 @@ seccomp
60tracelog 62tracelog
61 63
62disable-mnt 64disable-mnt
65private-tmp
diff --git a/etc/mousepad.profile b/etc/mousepad.profile
index 20370a5b5..868313c40 100644
--- a/etc/mousepad.profile
+++ b/etc/mousepad.profile
@@ -17,8 +17,9 @@ include disable-programs.inc
17 17
18include whitelist-var-common.inc 18include whitelist-var-common.inc
19 19
20apparmor
20caps.drop all 21caps.drop all
21netfilter 22net none
22nodvd 23nodvd
23nogroups 24nogroups
24nonewprivs 25nonewprivs
diff --git a/etc/mplayer.profile b/etc/mplayer.profile
index 9ab4f8c7f..cd25d6c0b 100644
--- a/etc/mplayer.profile
+++ b/etc/mplayer.profile
@@ -21,7 +21,9 @@ include disable-xdg.inc
21include whitelist-usr-share-common.inc 21include whitelist-usr-share-common.inc
22include whitelist-var-common.inc 22include whitelist-var-common.inc
23 23
24apparmor
24caps.drop all 25caps.drop all
26# net none - mplayer can be used for streaming.
25netfilter 27netfilter
26# nogroups 28# nogroups
27nonewprivs 29nonewprivs
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 43afbc859..592467658 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
18 18
19include whitelist-var-common.inc 19include whitelist-var-common.inc
20 20
21apparmor
21caps.drop all 22caps.drop all
22machine-id 23machine-id
23net none 24net none
diff --git a/etc/musescore.profile b/etc/musescore.profile
index b3693c956..679e82ae8 100644
--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -23,6 +23,7 @@ include disable-xdg.inc
23 23
24include whitelist-var-common.inc 24include whitelist-var-common.inc
25 25
26apparmor
26caps.drop all 27caps.drop all
27netfilter 28netfilter
28no3d 29no3d
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 1fc412955..8ff547b52 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
40include disable-passwdmgr.inc 40include disable-passwdmgr.inc
41include disable-programs.inc 41include disable-programs.inc
42 42
43include whitelist-runuser-common.inc
44
43caps.drop all 45caps.drop all
44netfilter 46netfilter
45no3d 47no3d
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
index e063abe53..eabd17b4b 100644
--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
19mkdir ${HOME}/.newsboat 19mkdir ${HOME}/.newsboat
20whitelist ${HOME}/.newsboat 20whitelist ${HOME}/.newsboat
21include whitelist-common.inc 21include whitelist-common.inc
22include whitelist-runuser-common.inc
22include whitelist-var-common.inc 23include whitelist-var-common.inc
23 24
24caps.drop all 25caps.drop all
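--- /dev/null
+++ b/etc/nslookup.profile
@@ -0,0 +1,53 @@
+# Firejail profile for nslookup
+# Description: DNS lookup utility
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include nslookup.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
+noblacklist ${PATH}/nslookup
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private
+private-bin bash,nslookup,sh
+private-dev
+private-tmp
+
+memory-deny-write-execute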
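Review bot: `private-bin bash,nslookup,sh` on line 49 places two shells in the sandbox's /bin for what is, on most distributions, a native binary from the bind-utils package; with `shell none` already set the profile needs no shell to launch the program, so bash and sh only widen what an exploited nslookup can exec. If some distribution ships nslookup as a wrapper script, keep them but say so in a comment (`# bash,sh: nslookup is a shell wrapper on some distros`); otherwise reduce the line to `private-bin nslookup`. The rest of the profile (private, disable-mnt, blacklist ${RUNUSER}, memory-deny-write-execute) is appropriately tight for a one-shot resolver client.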
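--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.openinvaders
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.openinvaders
 whitelist ${HOME}/.openinvaders
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus
@@ -32,6 +35,6 @@ protocol unix,netlink
 seccomp
 shell none
 
-# private-bin open-invaders
+private-bin open-invaders
 private-dev
 private-tmp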
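--- a/etc/opencity.profile
+++ b/etc/opencity.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.opencity
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none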
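--- a/etc/openclonk.profile
+++ b/etc/openclonk.profile
@@ -21,9 +21,11 @@ whitelist ${HOME}/.clonk
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-net none
+# net none - networked game
+netfilter
 nodbus
 nodvd
 nogroups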
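--- a/etc/openttd.profile
+++ b/etc/openttd.profile
@@ -21,9 +21,10 @@ whitelist ${HOME}/.openttd
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
 nodbus
 nodvd
 nogroups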
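Review bot: `netfilter` is replaced by `net none` for OpenTTD, a game with multiplayer and online content download, while the same commit moves openclonk the other way with the comment `# net none - networked game`; the two changes look inconsistent unless offline-only is a deliberate default here. If it is, record it and point users at the override so the restriction is not reported as a bug: `# net none - for multiplayer/online content add 'ignore net none' and 'netfilter' to openttd.local`.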
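--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 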
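--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 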
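--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 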
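--- /dev/null
+++ b/etc/penguin-command.profile
@@ -0,0 +1,39 @@
+# Firejail profile for open-invaders
+# Description: Space Invaders clone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include penguin-command.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.penguin-command
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist ${HOME}/.penguin-command
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin penguin-command
+private-dev
+private-tmp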
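Review bot: The header comment on line 1 names the wrong program, `# Firejail profile for open-invaders`, which is the line tooling and auditors grep for when matching profiles to binaries; it should read `# Firejail profile for penguin-command`. The body otherwise mirrors the open-invaders profile updated in this commit, and `net none` with `protocol unix,netlink` is a consistent pairing for an offline game.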
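--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -19,6 +23,7 @@ include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0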
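--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.pingus
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.pingus
 whitelist ${HOME}/.pingus
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus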
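--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,11 +19,13 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs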
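--- a/etc/planmaker18.profile
+++ b/etc/planmaker18.profile
@@ -7,4 +7,4 @@ include planmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc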
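--- a/etc/planmaker18free.profile
+++ b/etc/planmaker18free.profile
@@ -7,4 +7,4 @@ include planmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc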
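--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor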
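Review bot: pngquant is a non-interactive CLI tool, yet this hunk opts it into `whitelist-runuser-common.inc` rather than the stricter `blacklist ${RUNUSER}` that the same commit applies to comparable tools (pandoc, patch, pdftotext, strings) and labels as the CLI choice in profile.template. Unless pngquant needs something under ${RUNUSER} (nothing in the hunk indicates it does), `blacklist ${RUNUSER}` in the blacklist section above this hunk would expose no runtime-dir sockets at all. If the include was chosen deliberately, a one-line comment naming what in ${RUNUSER} is required would make that reviewable.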
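--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter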
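--- a/etc/ppsspp.profile
+++ b/etc/ppsspp.profile
@@ -21,7 +21,6 @@ include whitelist-var-common.inc
 
 caps.drop all
 ipc-namespace
-netfilter
 net none
 nodbus
 nodvd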
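--- a/etc/presentations18.profile
+++ b/etc/presentations18.profile
@@ -7,4 +7,5 @@ include presentations18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+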
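--- a/etc/presentations18free.profile
+++ b/etc/presentations18free.profile
@@ -7,4 +7,4 @@ include presentations18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc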
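--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -20,6 +20,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 # needs D-Bus when started from a file manager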
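--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all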
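--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -25,10 +25,11 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# apparmor - makes settings immutable
+apparmor
 caps.drop all
 netfilter
 # nodbus - makes settings immutable
@@ -38,7 +39,7 @@ noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog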
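Review bot: `protocol unix,inet,inet6,netlink` widens the socket families the sandbox may open, but nothing in the hunk records why netlink became necessary, while the neighbouring `# nodbus - makes settings immutable` shows this file's habit of justifying each relaxation; add a line above it such as `# netlink: needed for <feature> (see #issue)`. The same goes for `apparmor`, which replaces a comment saying it made settings immutable; if the new `whitelist-runuser-common.inc` is what fixed that, say so, otherwise the next person who sees the symptom will simply comment it out again.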
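--- /dev/null
+++ b/etc/ripperx.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ripperx.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ripperXrc
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+nodbus
+nogroups
+nonewprivs
+noroot
+nou2f
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp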
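Review bot: The header on line 1 says `# Firejail profile for mpv`, a copy-paste leftover; it should be `# Firejail profile for ripperx`, since that line is what reviewers and tooling use to match a profile to its binary. Leaving `nodvd` out is correct for a CD ripper, and `netfilter` with `protocol unix,inet,inet6` is presumably there for online disc metadata lookups; a one-line comment stating that would justify keeping network access in an otherwise local tool.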
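--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -17,7 +17,11 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
+net none
 netfilter
 no3d
 nodvd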
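Review bot: The hunk inserts `net none` directly above the existing `netfilter`, so the profile now carries both; with no network namespace there is nothing left for netfilter to filter, and this same commit removes exactly that redundancy from ppsspp and terasology. Drop the `netfilter` line, or, if an image viewer is meant to keep network access, drop `net none` and note why, so the file states a single policy.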
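--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc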
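Review bot: `blacklist ${RUNUSER}` also removes any SSH agent socket that lives in the runtime dir (gnome-keyring's `${RUNUSER}/keyring/ssh`, gpg-agent's `S.gpg-agent.ssh`), so an rsync-over-ssh transfer authenticated through one of those agents will prompt for a passphrase or fail inside the sandbox. Whether this profile supports an ssh transport at all is decided outside the hunk (its private-bin line); if it does, mirror the explicit whitelists ssh.profile gains in this commit, otherwise a comment such as `# ${RUNUSER} blacklisted: no agent-based ssh authentication from the sandbox` records the limitation.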
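--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -40,6 +40,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus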
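--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 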
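Review bot: `whitelist ${RUNUSER}/gnupg` and `whitelist ${RUNUSER}/keyring` expose the whole gnome-keyring control socket and every gpg-agent socket in the directory (typically the main, ssh and extra sockets), which is everything a key manager needs but also everything an exploited seahorse could use to unlock secrets or sign on the user's behalf. That is inherent to the program, so the ask is documentation rather than restriction: a comment like `# keyring and gpg-agent sockets: seahorse manages both` prevents a later cleanup from narrowing these to a single socket the way ssh.profile does in this commit.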
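--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
@@ -23,6 +24,7 @@ whitelist /usr/share/shellcheck
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id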
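--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.simutrans
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,9 @@ include disable-programs.inc
 mkdir ${HOME}/.simutrans
 whitelist ${HOME}/.simutrans
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus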
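--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -28,7 +28,7 @@ noroot
 notv
 nou2f
 protocol unix,inet,inet6,netlink
-seccomp
+seccomp !chroot
 shell none
 
 disable-mnt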
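Review bot: `seccomp !chroot` re-enables the chroot syscall inside the sandbox with no comment saying why; the Chromium/Electron sandbox helper, which chroots into an empty directory, is the usual reason, but that is an inference from the program rather than from the hunk. Record it on the line above so a later tightening does not remove it blindly: `# !chroot: needed by the Electron/Chromium sandbox helper`. Punching one syscall through is the right direction compared with disabling seccomp outright.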
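--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -28,6 +28,7 @@ whitelist /usr/share/smtube
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd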
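--- a/etc/sol.profile
+++ b/etc/sol.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 net none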
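--- /dev/null
+++ b/etc/sound-juicer.profile
@@ -0,0 +1,41 @@
+# Firejail profile for mpv
+# Description: Graphical audio CD ripper and encoder
+# This file is overwritten after every install/update
+# Persistent local customizations
+include sound-juicer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/sound-juicer
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+no3d
+#nodbus
+nogroups
+nonewprivs
+noroot
+nosound
+nou2f
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp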
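Review bot: The header on line 1 says `# Firejail profile for mpv` and should name sound-juicer, since that line is what reviewers grep to match profiles to binaries. Line 26 leaves `#nodbus` commented without a reason, whereas the convention used elsewhere in this commit (rhythmbox) is `# nodbus - <reason>`; as a GNOME application it plausibly needs the session bus for GSettings, but whatever the cause, write it down so the relaxation can be revisited. The profile also keeps `netlink` in `protocol` and omits `whitelist-usr-share-common.inc` where the parallel ripperx profile does the opposite; if both differences are deliberate, a comment on each would make that clear.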
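--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -18,7 +18,10 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 ipc-namespace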
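Review bot: Whitelisting exactly `${RUNUSER}/keyring/ssh` and `${RUNUSER}/gnupg/S.gpg-agent.ssh` is the right granularity, but the choice is undocumented: a stand-alone ssh-agent places its socket under /tmp/ssh-*/ and is not covered, and whether that still works depends on directives outside this hunk (a private-tmp would hide it). Add a comment above the two lines, e.g. `# gnome-keyring and gpg-agent SSH sockets; a plain ssh-agent socket under /tmp is not covered`, so a user seeing "Could not open a connection to your authentication agent" knows where to look. It is also worth stating that every key loaded in those agents becomes usable from inside the sandbox, which is intended for an ssh client but is the main exposure this profile grants.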
diff --git a/etc/steam.profile b/etc/steam.profile
index bc90af837..499d21e6d 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -27,8 +27,8 @@ noblacklist /usr/sbin
27include allow-java.inc 27include allow-java.inc
28 28
29# Allow python (blacklisted by disable-interpreters.inc) 29# Allow python (blacklisted by disable-interpreters.inc)
30include allow-python2.inc 30include allow-python2.inc
31include allow-python3.inc 31include allow-python3.inc
32 32
33include disable-common.inc 33include disable-common.inc
34include disable-devel.inc 34include disable-devel.inc
@@ -38,14 +38,13 @@ include disable-programs.inc
38 38
39include whitelist-var-common.inc 39include whitelist-var-common.inc
40 40
41# allow-debuggers needed for running some games with proton
42allow-debuggers
43caps.drop all 41caps.drop all
44#ipc-namespace 42#ipc-namespace
45netfilter 43netfilter
46# nodbus disabled as it breaks appindicator support 44# nodbus disabled as it breaks appindicator support
47#nodbus 45#nodbus
48nodvd 46nodvd
47# nVidia user may need to comment / ignore nogroups and noroot
49nogroups 48nogroups
50nonewprivs 49nonewprivs
51noroot 50noroot
@@ -54,9 +53,9 @@ nou2f
54# novideo should be commented for VR 53# novideo should be commented for VR
55novideo 54novideo
56protocol unix,inet,inet6,netlink 55protocol unix,inet,inet6,netlink
57# seccomp cause sometimes issues (see #2860, #2951), 56# seccomp cause sometimes issues (see #2951, #3267),
58# comment it or add 'ignore seccomp' to steam.local if so. 57# comment it or add 'ignore seccomp' to steam.local if so.
59seccomp 58seccomp !kcmp,!ptrace
60shell none 59shell none
61# tracelog disabled as it breaks integrated browser 60# tracelog disabled as it breaks integrated browser
62#tracelog 61#tracelog
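Review bot: `seccomp !kcmp,!ptrace` replaces `allow-debuggers`, which is tighter (no debugger binaries are re-enabled), but the explanatory comment `# allow-debuggers needed for running some games with proton` was deleted along with it and the new exceptions get none; re-add it above the seccomp line, e.g. `# !kcmp,!ptrace: needed by Proton/Wine (see #2951, #3267)`. Leaving ptrace callable means any process in the sandbox can attach to its siblings (subject to Yama ptrace_scope), so the trade-off should be visible in the file rather than only in the issue tracker. The first hunk shows no textual difference between old and new, presumably a whitespace-only change.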
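--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc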
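--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/supertux2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -19,6 +20,7 @@ whitelist ${HOME}/.local/share/supertux2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodbus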
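--- a/etc/tcpdump.profile
+++ b/etc/tcpdump.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-common.inc
 
+apparmor
 caps.keep net_raw
 ipc-namespace
 #net tun0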
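Review bot: `apparmor` is added above `caps.keep net_raw`, and the two layers are enforced separately: AppArmor applies its own capability rules, so if the firejail-default profile does not allow net_raw the capture socket is refused no matter what firejail keeps, and the failure is just an EPERM from libpcap. The diffstat shows etc/firejail-default changing in this commit, so this is probably already handled; a comment such as `# apparmor: relies on net_raw being permitted in firejail-default` would make the dependency explicit for anyone carrying a locally modified AppArmor profile.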
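--- a/etc/teams.profile
+++ b/etc/teams.profile
@@ -9,6 +9,8 @@ include teams.local
 # added by included profile
 #include globals.local
 
+ignore nodbus
+
 noblacklist ${HOME}/.config/teams
 noblacklist ${HOME}/.config/Microsoft
 
@@ -30,7 +32,6 @@ tracelog
 disable-mnt
 private-cache
 private-dev
-private-tmp
 
 # Redirect
 include electron.profile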
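Review bot: `ignore nodbus` hands Teams the full session and system D-Bus without a comment naming the feature that broke; the convention elsewhere in this commit is `# nodbus - <reason>`, so put one above it (tray, notifications or screen sharing would be my guess, but that is a guess). Removing `private-tmp` from this file only drops a duplicate if electron.profile, included at the end, sets it itself; if the intent was to actually stop hiding /tmp, that needs `ignore private-tmp` instead, and either way the reason belongs in a comment, because /tmp is where /tmp/.X11-unix and other users' sockets are reachable from.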
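--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,6 +27,7 @@
 # ALLOW INCLUDES
 # BLACKLISTS
 # DISABLE INCLUDES
+# NOWHITELISTS
 # MKDIRS
 # WHITELISTS
 # WHITELIST INCLUDES
@@ -62,6 +63,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -116,6 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#GTK3 only: include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 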
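Review bot: The new template comment `#GTK3 only: include whitelist-runuser-common.inc` is contradicted by this very commit, which adds that include to mutt, newsboat, ssh, tshark and pngquant, none of them GTK3 programs; a maintainer following the template would leave it out of exactly the profiles where it was just added. Reword it to describe the decision rather than a toolkit, e.g. `# whitelist-runuser-common.inc: hides ${RUNUSER} except the entries it lists (check the inc); use it for GUI or socket-using programs, and 'blacklist ${RUNUSER}' (above) for CLI tools`, so the two new RUNUSER comments agree with each other.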
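--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -28,7 +28,6 @@ include whitelist-common.inc
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nodvd
 nogroups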
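--- a/etc/textmaker18.profile
+++ b/etc/textmaker18.profile
@@ -7,4 +7,5 @@ include textmaker18.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+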
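--- a/etc/textmaker18free.profile
+++ b/etc/textmaker18free.profile
@@ -7,4 +7,5 @@ include textmaker18free.local
 include globals.local
 
 # Redirect
-include softmaker-common.profile
+include softmaker-common.inc
+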
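--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -47,6 +47,7 @@ whitelist ${HOME}/.thunderbird
 
 whitelist /usr/share/gnupg
 whitelist /usr/share/mozilla
+whitelist /usr/share/thunderbird
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 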
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index 72bdf9fa1..329d7be02 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -12,8 +12,8 @@ noblacklist ${HOME}/.config/torbrowser
12noblacklist ${HOME}/.local/share/torbrowser 12noblacklist ${HOME}/.local/share/torbrowser
13 13
14# Allow python (blacklisted by disable-interpreters.inc) 14# Allow python (blacklisted by disable-interpreters.inc)
15include allow-python2.inc 15include allow-python2.inc
16include allow-python3.inc 16include allow-python3.inc
17 17
18include disable-common.inc 18include disable-common.inc
19include disable-devel.inc 19include disable-devel.inc
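--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -17,6 +17,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d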
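--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -7,6 +7,8 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk
 
 ignore memory-deny-write-execute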
diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile
index 8b3a966c1..7b9285e66 100644
--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -8,8 +8,8 @@ include transmission-remote-cli.local
8include globals.local 8include globals.local
9 9
10# Allow python (blacklisted by disable-interpreters.inc) 10# Allow python (blacklisted by disable-interpreters.inc)
11include allow-python2.inc 11include allow-python2.inc
12include allow-python3.inc 12include allow-python3.inc
13 13
14private-bin python*,transmission-remote-cli 14private-bin python*,transmission-remote-cli
15 15
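--- /dev/null
+++ b/etc/ts3client_runscript.sh.profile
@@ -0,0 +1,19 @@
+# Firejail profile alias for teamspeak3
+# Description: TeamSpeak is software for quality voice communication via the Internet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ts3client_runscript.sh.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/TeamSpeak3-Client-linux_x86
+noblacklist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+whitelist ${HOME}/TeamSpeak3-Client-linux_x86
+whitelist ${HOME}/TeamSpeak3-Client-linux_amd64
+
+# Redirect
+include teamspeak3.profile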
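Review bot: `ignore noexec ${HOME}` lifts the noexec mount flag from the whole home directory, not only from the two TeamSpeak directories, because firejail's noexec applies per mount; that is unavoidable for a tarball-installed client but should be stated: `# TeamSpeak ships as a tarball under ${HOME}, so the home noexec flag has to be lifted`. The blast radius stays small only if teamspeak3.profile (included on line 19, outside this view) whitelists ${HOME} so that just the two directories above are visible; if it does not, every writable file in the real home becomes executable from inside the sandbox, which is worth verifying before merging.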
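--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -16,9 +16,11 @@ include disable-xdg.inc
 
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 #caps.keep net_raw
 caps.keep dac_override,net_admin,net_raw
 ipc-namespace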
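Review bot: `caps.keep dac_override,net_admin,net_raw` retains dac_override, which where effective bypasses every file permission check and is far beyond what packet capture needs, and the hunk now stacks `apparmor` on top without noting that the firejail-default AppArmor rules must also allow each kept capability or the capture fails with a bare EPERM. The commented `#caps.keep net_raw` line directly above suggests the wider set was a fix for something specific; say what in a comment (`# dac_override: needed for ...`) or drop it and keep `net_admin,net_raw`, and replace the dead commented line with that explanation.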
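--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -15,6 +15,7 @@ include allow-java.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,6 +23,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d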
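--- a/etc/unknown-horizons.profile
+++ b/etc/unknown-horizons.profile
@@ -9,13 +9,16 @@ include globals.local
 noblacklist ${HOME}/.unknown-horizons
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
 mkdir ${HOME}/.unknown-horizons
 whitelist ${HOME}/.unknown-horizons
 include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 nodvd
 nogroups
@@ -28,6 +31,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
+disable-mnt
 # private-bin unknown-horizons
 private-dev
 # private-etc alternatives,ca-certificates,crypto-policies,pki,ssl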
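diff --git a/etc/unlzma.profile b/etc/unlzma.profile
index f7410b928..d9c72407f 100644
--- a/etc/unlzma.profile
+++ b/etc/unlzma.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile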
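diff --git a/etc/unxz.profile b/etc/unxz.profile
index f7410b928..d9c72407f 100644
--- a/etc/unxz.profile
+++ b/etc/unxz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile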
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index d4e54235b..41487a8f2 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -10,8 +10,8 @@ noblacklist ${HOME}/.gnupg
10noblacklist ${HOME}/.local/share/uzbl 10noblacklist ${HOME}/.local/share/uzbl
11 11
12# Allow python (blacklisted by disable-interpreters.inc) 12# Allow python (blacklisted by disable-interpreters.inc)
13include allow-python2.inc 13include allow-python2.inc
14include allow-python3.inc 14include allow-python3.inc
15 15
16include disable-common.inc 16include disable-common.inc
17include disable-devel.inc 17include disable-devel.inc
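diff --git a/etc/vim.profile b/etc/vim.profile
index d27a9a633..e9a474239 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd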
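Review bot: Adding `include whitelist-runuser-common.inc` to an editor profile hides everything under ${RUNUSER} except the handful of entries that include lists, and vim has no other whitelist in this hunk to re-expose anything else there. Agent sockets that some systems place under ${RUNUSER} (gpg-agent, ssh-agent, keyring) are presumably not in that list and would silently disappear for vim plugins that rely on them — verify against the include before merging. At minimum document the trade-off next to the new line, e.g. `# hides the rest of ${RUNUSER}; add agent sockets in vim.local if a plugin needs them`.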
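diff --git a/etc/w3m.profile b/etc/w3m.profile
index 97465baa1..5215ee6f5 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -20,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d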
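diff --git a/etc/warmux.profile b/etc/warmux.profile
new file mode 100644
index 000000000..df7af49c4
--- /dev/null
+++ b/etc/warmux.profile
@@ -0,0 +1,53 @@
+# Firejail profile for warmux
+# Description: a convivial mass murder game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warmux.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/wormux
+noblacklist ${HOME}/.local/share/wormux
+noblacklist ${HOME}/.wormux
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/wormux
+mkdir ${HOME}/.local/share/wormux
+mkdir ${HOME}/.wormux
+whitelist ${HOME}/.config/wormux
+whitelist ${HOME}/.local/share/wormux
+whitelist ${HOME}/.wormux
+whitelist /usr/share/warmux
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warmux
+private-cache
+private-dev
+private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp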
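Review bot: The profile is for `warmux` but every home-directory entry it creates and whitelists is named `wormux` (three `mkdir`/`whitelist` pairs plus the matching `noblacklist` lines), and nothing explains the mismatch, so a future maintainer may "fix" the spelling and break the sandbox. Presumably the game kept its former Wormux directory names after the rename; if so, add a comment above the noblacklist block such as `# Warmux (formerly Wormux) still uses the wormux directory names for config and data`. Also consider whether all three locations are really used by the packaged version, since each `mkdir` creates a directory in the user's home whether or not the game touches it.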
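diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index e65e0a0c3..e33cace49 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -22,6 +22,7 @@ whitelist ${HOME}/.warzone2100-3.2
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd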
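diff --git a/etc/wget.profile b/etc/wget.profile
index 401926e2d..ad7a14c41 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -26,6 +27,7 @@ include disable-programs.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id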
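Review bot: Once `blacklist ${RUNUSER}` is in place the line above it, `blacklist ${RUNUSER}/wayland-*`, is fully covered by the parent blacklist and only adds noise; drop it, or keep it with a comment saying it is intentionally redundant. Blacklisting the whole directory is the right move for a non-GUI downloader since it also removes the session D-Bus and pulse sockets, which the narrower wildcard left reachable.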
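diff --git a/etc/whitelist-runuser-common.inc b/etc/whitelist-runuser-common.inc
new file mode 100644
index 000000000..de59d03d3
--- /dev/null
+++ b/etc/whitelist-runuser-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0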
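Review bot: `whitelist ${RUNUSER}/wayland-0` hard-codes the display socket name, while other profiles in this commit match the same sockets with `${RUNUSER}/wayland-*`; a second compositor or session will use a different number and the sandboxed app will lose its display. If `whitelist` accepts the same glob syntax as `blacklist` (it does in recent firejail, but confirm for the target version), `whitelist ${RUNUSER}/wayland-*` is the robust form. The header comment should also state the effect of including this file — that everything else under ${RUNUSER} becomes invisible — since profiles relying on other sockets there (PipeWire, agent sockets) will need a `.local` addition, e.g. `# Including this file hides all other entries of ${RUNUSER}; add extra sockets in whitelist-runuser-common.local`.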
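diff --git a/etc/whitelist-usr-share-common.inc b/etc/whitelist-usr-share-common.inc
index a9d4cadb8..8a0f6774a 100644
--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -22,6 +22,7 @@ whitelist /usr/share/glib-2.0
 whitelist /usr/share/glvnd
 whitelist /usr/share/gtk-2.0
 whitelist /usr/share/gtk-3.0
+whitelist /usr/share/gtk-engines
 whitelist /usr/share/gtksourceview-3.0
 whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell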
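diff --git a/etc/whois.profile b/etc/whois.profile
index 0e60e18ab..5fea610d8 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
@@ -21,6 +22,7 @@ include disable-xdg.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 hostname whois
 ipc-namespace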
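Review bot: With `blacklist ${RUNUSER}` added, the preceding `blacklist ${RUNUSER}/wayland-*` is subsumed by it and can be removed to keep the profile readable. The broader blacklist is the correct one for a command-line tool, as it also hides the session bus and audio sockets the wildcard did not cover.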
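diff --git a/etc/widelands.profile b/etc/widelands.profile
index c6b5f27da..dd956fa28 100644
--- a/etc/widelands.profile
+++ b/etc/widelands.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.widelands
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter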
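diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile
index 3c783322b..e199be02c 100644
--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -26,7 +26,7 @@ nou2f
 shell none
 
 disable-mnt
-private-bin bash,electron,electron4,env,sh,wire-desktop
+private-bin bash,electron,electron4,electron6,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp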
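diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index e21b74030..b6424f342 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -8,7 +8,6 @@ include globals.local
 caps.drop all
 ipc-namespace
 net none
-netfilter
 nodbus
 nogroups
 noroot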
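diff --git a/etc/x2goclient.profile b/etc/x2goclient.profile
new file mode 100644
index 000000000..bb0535ae6
--- /dev/null
+++ b/etc/x2goclient.profile
@@ -0,0 +1,47 @@
+# Firejail profile for x2goclient
+# Description: Graphical client for X2Go remote desktop system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include x2goclient.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.x2go
+noblacklist ${HOME}/.x2goclient
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+#no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+#private-bin nxproxy,x2goclient
+private-cache
+private-dev
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,X11,xdg
+#private-lib
+private-opt none
+private-srv none
+private-tmp
+
+#memory-deny-write-execute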
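Review bot: `noblacklist ${HOME}/.ssh` hands the sandboxed client the user's private SSH keys, and because this profile contains no `whitelist` for ${HOME} the rest of the home directory stays readable and writable as well, so the sandbox mainly restricts devices, capabilities and syscalls rather than file access. That is probably unavoidable for key-based authentication to the X2Go server, but the reason should be stated next to the line so it is not copied into other profiles blindly: `# .ssh is needed for key-based login to the X2Go server; it exposes private keys to the sandbox`. If the client only needs to read keys and append to known_hosts, a `read-only ${HOME}/.ssh` plus a `read-write ${HOME}/.ssh/known_hosts` would narrow the write surface — confirm against the client's behaviour before adding it.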
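diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 0ad423d30..a644af351 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -15,9 +15,9 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
-netfilter
 no3d
 nodbus
 nodvd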
diff --git a/etc/xed.profile b/etc/xed.profile
index a67230e51..145dd988e 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -11,8 +11,8 @@ noblacklist ${HOME}/.python_history
11noblacklist ${HOME}/.pythonhist 11noblacklist ${HOME}/.pythonhist
12 12
13# Allow python (blacklisted by disable-interpreters.inc) 13# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python2.inc 14include allow-python2.inc
15include allow-python3.inc 15include allow-python3.inc
16 16
17include disable-common.inc 17include disable-common.inc
18include disable-devel.inc 18include disable-devel.inc
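diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index bc499bd30..a3e0c4633 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -15,6 +15,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d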
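diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index 4dad1bf7a..c3d0930ff 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -17,6 +17,9 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-var-common.inc
+
+apparmor
 caps.drop all
 netfilter
 no3d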
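diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 8c405ba1d..cb7ac4a59 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 net none
@@ -38,4 +39,4 @@ shell none
 
 private-dev
 private-tmp
-
+memory-deny-write-execute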
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 325ce7627..7c474da41 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -11,8 +11,8 @@ noblacklist ${MUSIC}
11noblacklist ${VIDEOS} 11noblacklist ${VIDEOS}
12 12
13# Allow python (blacklisted by disable-interpreters.inc) 13# Allow python (blacklisted by disable-interpreters.inc)
14include allow-python2.inc 14include allow-python2.inc
15include allow-python3.inc 15include allow-python3.inc
16 16
17include disable-common.inc 17include disable-common.inc
18include disable-devel.inc 18include disable-devel.inc
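diff --git a/etc/xxd.profile b/etc/xxd.profile
index 569f194d3..864e8ce9c 100644
--- a/etc/xxd.profile
+++ b/etc/xxd.profile
@@ -1,6 +1,7 @@
 # Firejail profile for xxd
 # Description: Tool to make (or reverse) a hex dump
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include xxd.local
 # Persistent global definitions
@@ -8,4 +9,4 @@ include xxd.local
 #include globals.local
 
 # Redirect
-include vim.profile
+include cpio.profile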
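Review bot: The redirect now points at cpio.profile, but the header still reads `# Firejail profile for xxd` while every other redirect-only file in this commit (unlzma, unxz, xz*) uses the `# Firejail profile alias for cpio` form, and nothing records why a hex-dump tool is sandboxed like an archiver rather than like vim. Bring the header in line, `# Firejail profile alias for cpio`, and add a one-line reason for the switch below the Redirect comment so the next person does not flip it back.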
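diff --git a/etc/xz.profile b/etc/xz.profile
index f7410b928..d9c72407f 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile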
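diff --git a/etc/xzcat.profile b/etc/xzcat.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcat.profile
+++ b/etc/xzcat.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile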
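diff --git a/etc/xzcmp.profile b/etc/xzcmp.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzcmp.profile
+++ b/etc/xzcmp.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile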
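diff --git a/etc/xzdiff.profile b/etc/xzdiff.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzdiff.profile
+++ b/etc/xzdiff.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile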
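diff --git a/etc/xzegrep.profile b/etc/xzegrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzegrep.profile
+++ b/etc/xzegrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile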
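diff --git a/etc/xzfgrep.profile b/etc/xzfgrep.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzfgrep.profile
+++ b/etc/xzfgrep.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile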
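diff --git a/etc/xzmore.profile b/etc/xzmore.profile
index f7410b928..d9c72407f 100644
--- a/etc/xzmore.profile
+++ b/etc/xzmore.profile
@@ -1,6 +1,7 @@
 # Firejail profile alias for cpio
 # Description: Library and command line tools for XZ and LZMA compressed files
 # This file is overwritten after every install/update
+quiet
 
 # Redirect
 include cpio.profile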
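diff --git a/etc/yelp.profile b/etc/yelp.profile
index acd483209..7053f98e8 100644
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 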
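diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 19effef47..6066313a3 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ include allow-python3.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc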
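Review bot: `blacklist ${RUNUSER}` makes the `blacklist ${RUNUSER}/wayland-*` line directly above it redundant; remove the narrower entry, or annotate it, so the profile does not suggest the wildcard still matters. Hiding the whole directory is the better choice for youtube-dl, which has no use for the session bus or audio sockets that the wildcard alone left visible.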
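diff --git a/etc/zathura.profile b/etc/zathura.profile
index 703c8edd4..9ca5fd862 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -25,6 +25,7 @@ whitelist /usr/share/zathura
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 machine-id
@@ -47,7 +48,8 @@ private-bin zathura
 private-cache
 private-dev
 private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
-private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
+# private-lib has problems on Debian 10
+#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
 
 read-only ${HOME}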
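diff --git a/etc/zoom.profile b/etc/zoom.profile
index 6d312aff6..6eac10703 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -27,7 +27,7 @@ nodvd
 nonewprivs
 noroot
 notv
-protocol unix,inet,inet6
-seccomp
+protocol unix,inet,inet6,netlink
+seccomp !chroot
 
 private-tmp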
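Review bot: `seccomp !chroot` removes chroot from the default syscall blacklist without saying why, and chroot is one of the syscalls the default filter exists to deny because it is a common building block in sandbox-escape chains. The same hunk also widens `protocol` to include netlink, equally uncommented. Presumably Zoom's bundled Chromium-style sandbox needs both; if so, record it next to the lines so the exception is not silently propagated, e.g. `# zoom's embedded sandbox helper needs chroot and netlink — TODO re-check on each release`, and re-verify on upgrades, since the need may disappear.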