7 files changed, 60 insertions, 0 deletions
diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..f3f73a44f
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 479f32cb1..a61f1b210 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -93,6 +93,7 @@ read-only ${HOME}/bin
 # top secret
 blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
 blacklist ${HOME}/.gnome2/keyrings
 blacklist ${HOME}/kde4/share/apps/kwallet
 blacklist ${HOME}/kde/share/apps/kwallet
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 307ccaf6c..3474a6592 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -112,3 +112,4 @@ blacklist ${HOME}/.local/share/wesnoth
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
diff --git a/etc/firejail.config b/etc/firejail.config
index fc09f1a0a..55d2faa9f 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -30,6 +30,12 @@
 # Enable or disable X11 sandboxing support, default enabled.
 # x11 yes
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled
+# force-nonewprivs no
 # Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
 # a full list of resolutions available on your specific setup.
 # xephyr-screen 640x480
diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..d10decb8f
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
+# Firejail konversation profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..8194da74f
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Psi+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9d5ef3d96..b3a1a1d30 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
 # common whitelist for all profiles
+whitelist ~/.XCompose
 whitelist ~/.config/mimeapps.list
 whitelist ~/.icons
 whitelist ~/.config/user-dirs.dirs

diff --git a/etc/corebird.profile b/etc/corebird.profile new file mode 100644 index 000000000..f3f73a44f --- /dev/null +++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
		1	# Firejail corebird profile
		2
		3	include /etc/firejail/disable-common.inc
		4	include /etc/firejail/disable-programs.inc
		5	include /etc/firejail/disable-devel.inc
		6	include /etc/firejail/disable-passwdmgr.inc
		7
		8	caps.drop all
		9	seccomp
		10	protocol unix,inet,inet6
		11	netfilter
		12	noroot


diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 479f32cb1..a61f1b210 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc
@@ -93,6 +93,7 @@ read-only ${HOME}/bin
93		93
94	# top secret	94	# top secret
95	blacklist ${HOME}/.ssh	95	blacklist ${HOME}/.ssh
		96	blacklist ${HOME}/.cert
96	blacklist ${HOME}/.gnome2/keyrings	97	blacklist ${HOME}/.gnome2/keyrings
97	blacklist ${HOME}/kde4/share/apps/kwallet	98	blacklist ${HOME}/kde4/share/apps/kwallet
98	blacklist ${HOME}/kde/share/apps/kwallet	99	blacklist ${HOME}/kde/share/apps/kwallet


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 307ccaf6c..3474a6592 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -112,3 +112,4 @@ blacklist ${HOME}/.local/share/wesnoth
112	blacklist ${HOME}/.local/share/0ad	112	blacklist ${HOME}/.local/share/0ad
113	blacklist ${HOME}/.local/share/xplayer	113	blacklist ${HOME}/.local/share/xplayer
114	blacklist ${HOME}/.local/share/totem	114	blacklist ${HOME}/.local/share/totem
		115	blacklist ${HOME}/.local/share/psi+


diff --git a/etc/firejail.config b/etc/firejail.config index fc09f1a0a..55d2faa9f 100644 --- a/etc/firejail.config +++ b/etc/firejail.config
@@ -30,6 +30,12 @@
30	# Enable or disable X11 sandboxing support, default enabled.	30	# Enable or disable X11 sandboxing support, default enabled.
31	# x11 yes	31	# x11 yes
32		32
		33	# Force use of nonewprivs. This mitigates the possibility of
		34	# a user abusing firejail's features to trick a privileged (suid
		35	# or file capabilities) process into loading code or configuration
		36	# that is partially under their control. Default disabled
		37	# force-nonewprivs no
		38
33	# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for	39	# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
34	# a full list of resolutions available on your specific setup.	40	# a full list of resolutions available on your specific setup.
35	# xephyr-screen 640x480	41	# xephyr-screen 640x480


diff --git a/etc/konversation.profile b/etc/konversation.profile new file mode 100644 index 000000000..d10decb8f --- /dev/null +++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
		1	# Firejail konversation profile
		2
		3	include /etc/firejail/disable-common.inc
		4	include /etc/firejail/disable-programs.inc
		5	include /etc/firejail/disable-devel.inc
		6	include /etc/firejail/disable-passwdmgr.inc
		7
		8	caps.drop all
		9	seccomp
		10	protocol unix,inet,inet6
		11	netfilter
		12	noroot


diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile new file mode 100644 index 000000000..8194da74f --- /dev/null +++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
		1	# Firejail profile for Psi+
		2
		3	noblacklist ${HOME}/.config/psi+
		4	noblacklist ${HOME}/.local/share/psi+
		5	include /etc/firejail/disable-common.inc
		6	include /etc/firejail/disable-programs.inc
		7	include /etc/firejail/disable-passwdmgr.inc
		8
		9	whitelist ${DOWNLOADS}
		10	mkdir ~/.config
		11	mkdir ~/.config/psi+
		12	whitelist ~/.config/psi+
		13	mkdir ~/.local
		14	mkdir ~/.local/share
		15	mkdir ~/.local/share/psi+
		16	whitelist ~/.local/share/psi+
		17	mkdir ~/.cache
		18	mkdir ~/.cache/psi+
		19	whitelist ~/.cache/psi+
		20
		21	include /etc/firejail/whitelist-common.inc
		22
		23	caps.drop all
		24	seccomp
		25	protocol unix,inet,inet6
		26	netfilter
		27	noroot


diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 9d5ef3d96..b3a1a1d30 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
1	# common whitelist for all profiles	1	# common whitelist for all profiles
2		2
		3	whitelist ~/.XCompose
3	whitelist ~/.config/mimeapps.list	4	whitelist ~/.config/mimeapps.list
4	whitelist ~/.icons	5	whitelist ~/.icons
5	whitelist ~/.config/user-dirs.dirs	6	whitelist ~/.config/user-dirs.dirs