Diffstat (limited to 'etc')
285 files changed, 2481 insertions, 437 deletions
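--- /dev/null
+++ b/etc/Maelstrom.profile
@@ -0,0 +1,43 @@
+# Firejail profile for Maelstrom
+# Description: A space combat game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include Maelstrom.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /var/lib/games/Maelstrom-Scores
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist /var/lib/games
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+nou2f
+novideo
+#protocol unix
+#seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin Maelstrom
+private-cache
+private-dev
+private-tmp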
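Review bot: The hardening lines left commented out in the new Maelstrom.profile (`#nonewprivs`, `#noroot`, `#protocol unix`, `#seccomp`, lines 29-35) carry no reason, unlike the convention used elsewhere in this commit (`# net none - breaks on Ubuntu`, `# memory-deny-write-execute - breaks on Arch`). If nonewprivs and noroot are off because the game binary is installed setgid to update /var/lib/games/Maelstrom-Scores, which the noblacklist on line 9 suggests, say so on the line, e.g. `#nonewprivs - breaks the setgid score-file update`, and record whatever the separate reason for seccomp and protocol is, so the next maintainer neither re-enables them blindly nor leaves them off without knowing why. The whitelist on line 19 is also wider than the noblacklist: it exposes all of /var/lib/games while only Maelstrom-Scores is noblacklisted; if firejail accepts a file path there, `whitelist /var/lib/games/Maelstrom-Scores` would keep the two lines in step.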
diff --git a/etc/acat.profile b/etc/acat.profile index 0b4579035..f35adf3dc 100644 --- a/etc/acat.profile +++ b/etc/acat.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include acat.local | 4 | include acat.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/adiff.profile b/etc/adiff.profile index 9073b1477..f22a27e79 100644 --- a/etc/adiff.profile +++ b/etc/adiff.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include adiff.local | 4 | include adiff.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 4d40e6594..1c16f940e 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile | |||
@@ -22,6 +22,7 @@ noblacklist /usr/sbin | |||
22 | 22 | ||
23 | include disable-common.inc | 23 | include disable-common.inc |
24 | include disable-devel.inc | 24 | include disable-devel.inc |
25 | include disable-exec.inc | ||
25 | include disable-interpreters.inc | 26 | include disable-interpreters.inc |
26 | include disable-passwdmgr.inc | 27 | include disable-passwdmgr.inc |
27 | include disable-programs.inc | 28 | include disable-programs.inc |
@@ -51,5 +52,3 @@ tracelog | |||
51 | private-dev | 52 | private-dev |
52 | # private-tmp - breaks programs that depend on akonadi | 53 | # private-tmp - breaks programs that depend on akonadi |
53 | 54 | ||
54 | noexec ${HOME} | ||
55 | noexec /tmp | ||
diff --git a/etc/als.profile b/etc/als.profile index 24b8b976b..aa7f29337 100644 --- a/etc/als.profile +++ b/etc/als.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include als.local | 4 | include als.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
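--- /dev/null
+++ b/etc/anki.profile
@@ -0,0 +1,57 @@
+# Firejail profile for anki
+# Description: flexible, intelligent flashcard program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include anki.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.local/share/Anki2
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${HOME}/.local/share/Anki2
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin anki,python*
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,Trolltech.conf,ssl
+private-tmp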
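Review bot: `nosound` on line 43 of the new anki.profile is likely to break audio attached to cards, which anki can play; if that is deliberate, document it the way this page documents other deliberate breakage (`# memory-deny-write-execute - breaks on Arch`), e.g. `# nosound - card audio disabled on purpose`, and otherwise drop the line. `private-bin anki,python*` on line 53 also admits every python*-prefixed executable on the host, such as python2, python3 and python3-config; if anki needs only one interpreter, naming it narrows the executable set the sandbox exposes.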
diff --git a/etc/apack.profile b/etc/apack.profile index bd5e49a01..b09d3d718 100644 --- a/etc/apack.profile +++ b/etc/apack.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include apack.local | 4 | include apack.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index e28733c63..e353326df 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile | |||
@@ -12,6 +12,7 @@ noblacklist /var/lib/pacman | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -44,5 +45,3 @@ private-dev | |||
44 | private-tmp | 45 | private-tmp |
45 | 46 | ||
46 | memory-deny-write-execute | 47 | memory-deny-write-execute |
47 | noexec ${HOME} | ||
48 | noexec /tmp | ||
diff --git a/etc/arepack.profile b/etc/arepack.profile index f5584b2be..d23fc21db 100644 --- a/etc/arepack.profile +++ b/etc/arepack.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include arepack.local | 4 | include arepack.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index 10d607c49..6e5a87dab 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -28,7 +28,7 @@ nosound | |||
28 | notv | 28 | notv |
29 | nou2f | 29 | nou2f |
30 | novideo | 30 | novideo |
31 | protocol unix,inet,inet6 | 31 | protocol unix,inet,inet6,netlink |
32 | seccomp | 32 | seccomp |
33 | shell none | 33 | shell none |
34 | 34 | ||
@@ -36,7 +36,7 @@ shell none | |||
36 | private-bin aria2c,gzip | 36 | private-bin aria2c,gzip |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,ssl | 39 | private-etc alternatives,ca-certificates,ssl,resolv.conf |
40 | private-lib libreadline.so.* | 40 | private-lib libreadline.so.* |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
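Review bot: The protocol line on new line 31 widens aria2c's sandbox from `unix,inet,inet6` to include `netlink` with no comment saying what the program needs it for; a protocol widening without a recorded reason tends to be either reverted or copied into other profiles blindly. Put the reason above the line, e.g. `# netlink - needed for interface enumeration (TODO confirm which call fails without it)`, or whatever the observed failure was. The resolv.conf addition to private-etc on line 39 is self-explanatory for a downloader and needs nothing.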
diff --git a/etc/ark.profile b/etc/ark.profile index b60674f95..9214e96ff 100644 --- a/etc/ark.profile +++ b/etc/ark.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/arkrc | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -39,5 +40,3 @@ private-bin ark,unrar,rar,unzip,zip,zipinfo,7z,p7zip,unar,lsar,lrzip,lzop,lz4,ba | |||
39 | private-dev | 40 | private-dev |
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/arm.profile b/etc/arm.profile index 217b61d09..d31b962ca 100644 --- a/etc/arm.profile +++ b/etc/arm.profile | |||
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2* | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/artha.profile b/etc/artha.profile index 431fc3ed1..8ef5124de 100644 --- a/etc/artha.profile +++ b/etc/artha.profile | |||
@@ -11,14 +11,15 @@ noblacklist ${HOME}/.config/enchant | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | 18 | ||
19 | apparmor | ||
18 | caps.drop all | 20 | caps.drop all |
19 | ipc-namespace | 21 | ipc-namespace |
20 | machine-id | 22 | # net none - breaks on Ubuntu |
21 | net none | ||
22 | no3d | 23 | no3d |
23 | # nodbus | 24 | # nodbus |
24 | nodvd | 25 | nodvd |
@@ -37,10 +38,8 @@ disable-mnt | |||
37 | private-bin artha,enchant,notify-send | 38 | private-bin artha,enchant,notify-send |
38 | private-cache | 39 | private-cache |
39 | private-dev | 40 | private-dev |
40 | private-etc alternatives,fonts | 41 | private-etc alternatives,machine-id,fonts |
41 | private-lib libnotify.so.* | 42 | private-lib libnotify.so.* |
42 | private-tmp | 43 | private-tmp |
43 | 44 | ||
44 | memory-deny-write-execute | 45 | memory-deny-write-execute |
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
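Review bot: The first hunk removes the `machine-id` directive (old line 20) while the second hunk adds `machine-id` to private-etc (new line 41); the net effect is that the sandbox now sees the host's real /etc/machine-id instead of the random one the directive generated, which is a privacy regression rather than a fix. If artha needs the file to exist under private-etc, keep both, as anki.profile in this same commit does (`machine-id` on its line 35 and `machine-id` in its private-etc on line 56), so the file is present but spoofed. The first hunk also replaces `net none` with `# net none - breaks on Ubuntu` without adding `netfilter` in the visible lines; if the rest of the profile does not already set it, the sandbox now has unrestricted network access.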
diff --git a/etc/assogiate.profile b/etc/assogiate.profile index 1161c24fe..c579cc280 100644 --- a/etc/assogiate.profile +++ b/etc/assogiate.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${PICTURES} | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -38,12 +39,10 @@ shell none | |||
38 | tracelog | 39 | tracelog |
39 | 40 | ||
40 | disable-mnt | 41 | disable-mnt |
41 | private-bin assogiate | 42 | private-bin assogiate,gtk-update-icon-cache |
42 | private-cache | 43 | private-cache |
43 | private-dev | 44 | private-dev |
44 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* | 45 | private-lib gnome-vfs-2.0,libattr.so.*,libacl.so.*,libfam.so.* |
45 | private-tmp | 46 | private-tmp |
46 | 47 | ||
47 | memory-deny-write-execute | 48 | memory-deny-write-execute |
48 | noexec ${HOME} | ||
49 | noexec /tmp | ||
diff --git a/etc/asunder.profile b/etc/asunder.profile index 3167dfe12..fa2479051 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile | |||
@@ -14,6 +14,7 @@ noblacklist ${MUSIC} | |||
14 | 14 | ||
15 | include disable-common.inc | 15 | include disable-common.inc |
16 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
18 | include disable-passwdmgr.inc | 19 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 20 | include disable-programs.inc |
@@ -39,5 +40,3 @@ private-tmp | |||
39 | 40 | ||
40 | # mdwe is disabled due to breaking hardware accelerated decoding | 41 | # mdwe is disabled due to breaking hardware accelerated decoding |
41 | # memory-deny-write-execute | 42 | # memory-deny-write-execute |
42 | noexec ${HOME} | ||
43 | noexec /tmp | ||
diff --git a/etc/atool.profile b/etc/atool.profile index c82108cef..b17498e9d 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -18,15 +18,21 @@ noblacklist /usr/share/perl* | |||
18 | 18 | ||
19 | include disable-common.inc | 19 | include disable-common.inc |
20 | # include disable-devel.inc | 20 | # include disable-devel.inc |
21 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
22 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 24 | include disable-programs.inc |
24 | 25 | ||
26 | apparmor | ||
25 | caps.drop all | 27 | caps.drop all |
26 | netfilter | 28 | hostname atool |
29 | ipc-namespace | ||
30 | machine-id | ||
27 | net none | 31 | net none |
32 | netfilter | ||
28 | no3d | 33 | no3d |
29 | nodvd | 34 | nodvd |
35 | nodbus | ||
30 | nogroups | 36 | nogroups |
31 | nonewprivs | 37 | nonewprivs |
32 | noroot | 38 | noroot |
@@ -39,9 +45,11 @@ seccomp | |||
39 | shell none | 45 | shell none |
40 | tracelog | 46 | tracelog |
41 | 47 | ||
48 | # private-bin atool,perl | ||
42 | private-cache | 49 | private-cache |
43 | # private-bin atool | ||
44 | private-dev | 50 | private-dev |
45 | # without login.defs atool complains and uses UID/GID 1000 by default | 51 | # without login.defs atool complains and uses UID/GID 1000 by default |
46 | private-etc alternatives,passwd,group,login.defs | 52 | private-etc alternatives,passwd,group,login.defs |
47 | private-tmp | 53 | private-tmp |
54 | |||
55 | memory-deny-write-execute | ||
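Review bot: New lines 31-32 keep both `net none` and `netfilter`; with `net none` the sandbox has no network interfaces, so `netfilter` has nothing to filter and only reads as if networking were expected. Either drop `netfilter`, or if it is kept on purpose as a fallback for users who override `net none` from atool.local, say so: `# netfilter - only relevant if net none is overridden locally`. The disabled `# private-bin atool,perl` on new line 48 was moved without a reason being recorded; following the convention used in this commit (`# net none - breaks on Ubuntu`), note why it is off.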
diff --git a/etc/atril.profile b/etc/atril.profile index aca945ba3..2f39af823 100644 --- a/etc/atril.profile +++ b/etc/atril.profile | |||
@@ -15,6 +15,7 @@ noblacklist ${DOCUMENTS} | |||
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -49,5 +50,3 @@ private-tmp | |||
49 | 50 | ||
50 | # webkit gtk killed by memory-deny-write-execute | 51 | # webkit gtk killed by memory-deny-write-execute |
51 | #memory-deny-write-execute | 52 | #memory-deny-write-execute |
52 | noexec ${HOME} | ||
53 | noexec /tmp | ||
diff --git a/etc/audacious.profile b/etc/audacious.profile index 590d3ffa3..4d0c93047 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${MUSIC} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -40,5 +41,3 @@ private-dev | |||
40 | private-tmp | 41 | private-tmp |
41 | 42 | ||
42 | memory-deny-write-execute | 43 | memory-deny-write-execute |
43 | noexec ${HOME} | ||
44 | noexec /tmp | ||
diff --git a/etc/audacity.profile b/etc/audacity.profile index 4dd412359..200d3a387 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${MUSIC} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -41,5 +42,3 @@ private-dev | |||
41 | private-tmp | 42 | private-tmp |
42 | 43 | ||
43 | memory-deny-write-execute | 44 | memory-deny-write-execute |
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
diff --git a/etc/aunpack.profile b/etc/aunpack.profile index cde9473e3..c119ed9ad 100644 --- a/etc/aunpack.profile +++ b/etc/aunpack.profile | |||
@@ -3,7 +3,8 @@ | |||
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include aunpack.local | 4 | include aunpack.local |
5 | # Persistent global definitions | 5 | # Persistent global definitions |
6 | include globals.local | 6 | # added by included profile |
7 | #include globals.local | ||
7 | 8 | ||
8 | # Redirect | 9 | # Redirect |
9 | include atool.profile | 10 | include atool.profile |
diff --git a/etc/authenticator.profile b/etc/authenticator.profile index 7f5090251..f989ab1ba 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile | |||
@@ -8,12 +8,17 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.config/Authenticator | 9 | noblacklist ${HOME}/.config/Authenticator |
10 | 10 | ||
11 | # Allow python 3.x (blacklisted by disable-interpreters.inc) | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | #noblacklist ${PATH}/python2* | ||
12 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | #noblacklist /usr/lib/python2* | ||
13 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | #noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
14 | 18 | ||
15 | include disable-common.inc | 19 | include disable-common.inc |
16 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
18 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
19 | include disable-programs.inc | 24 | include disable-programs.inc |
@@ -43,5 +48,3 @@ private-etc alternatives,fonts,ld.so.cache | |||
43 | private-tmp | 48 | private-tmp |
44 | 49 | ||
45 | # memory-deny-write-execute - breaks on Arch | 50 | # memory-deny-write-execute - breaks on Arch |
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index 176d8cae7..f46987cc7 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile | |||
@@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/baloo | |||
19 | 19 | ||
20 | include disable-common.inc | 20 | include disable-common.inc |
21 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | ||
22 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
23 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
24 | include disable-programs.inc | 25 | include disable-programs.inc |
@@ -46,6 +47,3 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb | |||
46 | private-cache | 47 | private-cache |
47 | private-dev | 48 | private-dev |
48 | private-tmp | 49 | private-tmp |
49 | |||
50 | noexec ${HOME} | ||
51 | noexec /tmp | ||
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index fa850fe1a..fae7d8133 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile | |||
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2* | |||
11 | noblacklist ${PATH}/python3* | 11 | noblacklist ${PATH}/python3* |
12 | noblacklist /usr/lib/python2* | 12 | noblacklist /usr/lib/python2* |
13 | noblacklist /usr/lib/python3* | 13 | noblacklist /usr/lib/python3* |
14 | noblacklist /usr/local/lib/python2* | ||
15 | noblacklist /usr/local/lib/python3* | ||
14 | 16 | ||
15 | include disable-common.inc | 17 | include disable-common.inc |
16 | include disable-devel.inc | 18 | include disable-devel.inc |
diff --git a/etc/blender.profile b/etc/blender.profile index 77d073cd7..d23fe0810 100644 --- a/etc/blender.profile +++ b/etc/blender.profile | |||
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2* | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index b6b673976..f964438bc 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -10,16 +10,20 @@ blacklist /tmp/.X11-unix | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | # include disable-devel.inc | 12 | # include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
16 | 17 | ||
18 | apparmor | ||
17 | caps.drop all | 19 | caps.drop all |
18 | hostname bsdtar | 20 | hostname bsdtar |
19 | ipc-namespace | 21 | ipc-namespace |
22 | machine-id | ||
20 | netfilter | 23 | netfilter |
21 | no3d | 24 | no3d |
22 | nodvd | 25 | nodvd |
26 | nodbus | ||
23 | nogroups | 27 | nogroups |
24 | nonewprivs | 28 | nonewprivs |
25 | # noroot | 29 | # noroot |
@@ -34,5 +38,8 @@ tracelog | |||
34 | 38 | ||
35 | # support compressed archives | 39 | # support compressed archives |
36 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive | 40 | private-bin sh,bash,bsdcat,bsdcpio,bsdtar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop,lz4,libarchive |
41 | private-cache | ||
37 | private-dev | 42 | private-dev |
38 | private-etc alternatives,passwd,group,localtime | 43 | private-etc alternatives,passwd,group,localtime |
44 | |||
45 | memory-deny-write-execute | ||
diff --git a/etc/bunzip2.profile b/etc/bunzip2.profile index 891476cb1..ff86cbdfc 100644 --- a/etc/bunzip2.profile +++ b/etc/bunzip2.profile | |||
@@ -1,9 +1,11 @@ | |||
1 | # Firejail profile for bunzip2 | 1 | # Firejail profile for bunzip2 |
2 | # Description: A high-quality data compression program | ||
2 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 4 | # Persistent local customizations |
4 | include bunzip2.local | 5 | include bunzip2.local |
5 | # Persistent global definitions | 6 | # Persistent global definitions |
6 | include globals.local | 7 | # added by included profile |
8 | #include globals.local | ||
7 | 9 | ||
8 | # Redirect | 10 | # Redirect |
9 | include gzip.profile | 11 | include gzip.profile |
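--- /dev/null
+++ b/etc/bzflag.profile
@@ -0,0 +1,44 @@
+# Firejail profile for bzflag
+# Description: 3D multi-player tank battle game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzflag.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.bzf
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.bzf
+whitelist ${HOME}/.bzf
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bzflag,bzflag-wrapper,bzfs,bzadmin
+private-cache
+private-dev
+private-tmp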
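--- /dev/null
+++ b/etc/bzip2.profile
@@ -0,0 +1,11 @@
+# Firejail profile for bzip2
+# Description: A high-quality data compression program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bzip2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include gzip.profile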
diff --git a/etc/caja.profile b/etc/caja.profile index 49516de8c..f38110dc9 100644 --- a/etc/caja.profile +++ b/etc/caja.profile | |||
@@ -18,6 +18,8 @@ noblacklist ${PATH}/python2* | |||
18 | noblacklist ${PATH}/python3* | 18 | noblacklist ${PATH}/python3* |
19 | noblacklist /usr/lib/python2* | 19 | noblacklist /usr/lib/python2* |
20 | noblacklist /usr/lib/python3* | 20 | noblacklist /usr/lib/python3* |
21 | noblacklist /usr/local/lib/python2* | ||
22 | noblacklist /usr/local/lib/python3* | ||
21 | 23 | ||
22 | include disable-common.inc | 24 | include disable-common.inc |
23 | include disable-devel.inc | 25 | include disable-devel.inc |
diff --git a/etc/catfish.profile b/etc/catfish.profile index 1afcd0365..341348ff9 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile | |||
@@ -16,6 +16,8 @@ noblacklist ${PATH}/python2* | |||
16 | noblacklist ${PATH}/python3* | 16 | noblacklist ${PATH}/python3* |
17 | noblacklist /usr/lib/python2* | 17 | noblacklist /usr/lib/python2* |
18 | noblacklist /usr/lib/python3* | 18 | noblacklist /usr/lib/python3* |
19 | noblacklist /usr/local/lib/python2* | ||
20 | noblacklist /usr/local/lib/python3* | ||
19 | 21 | ||
20 | include disable-common.inc | 22 | include disable-common.inc |
21 | # include disable-devel.inc | 23 | # include disable-devel.inc |
diff --git a/etc/celluloid.profile b/etc/celluloid.profile index 1f61ff9f5..5604a16b9 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile | |||
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3* | |||
21 | 21 | ||
22 | include disable-common.inc | 22 | include disable-common.inc |
23 | include disable-devel.inc | 23 | include disable-devel.inc |
24 | include disable-exec.inc | ||
24 | include disable-interpreters.inc | 25 | include disable-interpreters.inc |
25 | include disable-passwdmgr.inc | 26 | include disable-passwdmgr.inc |
26 | include disable-programs.inc | 27 | include disable-programs.inc |
@@ -47,5 +48,3 @@ private-etc alternatives,ca-certificates,ssl,pki,pkcs11,hosts,machine-id,localti | |||
47 | private-dev | 48 | private-dev |
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
50 | noexec ${HOME} | ||
51 | noexec /tmp | ||
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile index fe2648792..5afbf2d56 100644 --- a/etc/checkbashisms.profile +++ b/etc/checkbashisms.profile | |||
@@ -18,6 +18,7 @@ noblacklist /usr/share/perl* | |||
18 | 18 | ||
19 | include disable-common.inc | 19 | include disable-common.inc |
20 | include disable-devel.inc | 20 | include disable-devel.inc |
21 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | 22 | include disable-interpreters.inc |
22 | include disable-passwdmgr.inc | 23 | include disable-passwdmgr.inc |
23 | include disable-programs.inc | 24 | include disable-programs.inc |
@@ -50,5 +51,3 @@ private-lib perl* | |||
50 | private-tmp | 51 | private-tmp |
51 | 52 | ||
52 | memory-deny-write-execute | 53 | memory-deny-write-execute |
53 | noexec ${HOME} | ||
54 | noexec /tmp | ||
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index d7dcf87dd..22bda418a 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index a182e5d20..3c7423316 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -6,11 +6,15 @@ include chromium-common.local | |||
6 | # already included by caller profile | 6 | # already included by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # noexec ${HOME} breaks DRM binaries. | ||
10 | ignore noexec ${HOME} | ||
11 | |||
9 | noblacklist ${HOME}/.pki | 12 | noblacklist ${HOME}/.pki |
10 | noblacklist ${HOME}/.local/share/pki | 13 | noblacklist ${HOME}/.local/share/pki |
11 | 14 | ||
12 | include disable-common.inc | 15 | include disable-common.inc |
13 | include disable-devel.inc | 16 | include disable-devel.inc |
17 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 18 | include disable-interpreters.inc |
15 | include disable-programs.inc | 19 | include disable-programs.inc |
16 | 20 | ||
@@ -37,9 +41,5 @@ disable-mnt | |||
37 | private-dev | 41 | private-dev |
38 | # private-tmp - problems with multiple browser sessions | 42 | # private-tmp - problems with multiple browser sessions |
39 | 43 | ||
40 | # breaks DRM binaries | ||
41 | #noexec ${HOME} | ||
42 | noexec /tmp | ||
43 | |||
44 | # the file dialog needs to work without d-bus | 44 | # the file dialog needs to work without d-bus |
45 | env NO_CHROME_KDE_FILE_DIALOG=1 | 45 | env NO_CHROME_KDE_FILE_DIALOG=1 |
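Review bot: `ignore noexec ${HOME}` on new line 10 works here only because it comes before `include disable-exec.inc` on line 17 — as I understand firejail's profile parser, an `ignore` applies just to lines parsed after it — and nothing in the file records that the order matters. Extend the comment on line 9 to `# noexec ${HOME} breaks DRM binaries; this ignore must stay above the disable-exec.inc include below.` so a later reordering does not silently re-enable noexec on ${HOME} while appearing to be honoured. The `noexec /tmp` removed at old line 42 is presumably now supplied by disable-exec.inc; its contents are not on this page, so confirm that the include covers /tmp as well.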
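--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -7,6 +7,8 @@ include clamav.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -30,5 +32,3 @@ private-dev
 read-only ${HOME}
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp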
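--- a/etc/clamtk.profile
+++ b/etc/clamtk.profile
@@ -5,6 +5,8 @@ include clamtk.local
 # Persistent global definitions
 include globals.local
 
+include disable-exec.inc
+
 caps.drop all
 ipc-namespace
 net none
@@ -23,6 +25,3 @@ seccomp
 shell none
 
 private-dev
-
-noexec ${HOME}
-noexec /tmp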
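--- a/etc/clawsker.profile
+++ b/etc/clawsker.profile
@@ -17,6 +17,7 @@ noblacklist /usr/share/perl*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -25,6 +26,7 @@ mkdir ${HOME}/.claws-mail
 whitelist ${HOME}/.claws-mail
 include whitelist-common.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -42,13 +44,11 @@ seccomp
 shell none
 
 disable-mnt
-private-bin clawsker,perl
+private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libgirepository-1.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp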
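Review bot: `private-bin bash,clawsker,perl,sh,which` on new line 47 adds two shells and `which` to the sandbox without saying why; this file records its other trade-offs (`# memory-deny-write-execute - breaks on Arch`), and shells in private-bin are exactly the kind of widening a later reader will want to revert unless the reason is kept next to the line. If the reason is that the `clawsker` entry point is a shell wrapper on some distributions, add `# bash, sh and which: needed by the clawsker launcher script` above it. The `include disable-exec.inc` added in the first hunk is the right companion, since it keeps those shells from running anything dropped into the writable locations it covers.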
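--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/clipit
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp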
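--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -13,14 +13,21 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 include disable-common.inc
+# include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
+hostname cpio
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nonewprivs
 nosound
 notv
@@ -30,4 +37,7 @@ seccomp
 shell none
 tracelog
 
+private-cache
 private-dev
+
+memory-deny-write-execute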
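--- /dev/null
+++ b/etc/crawl-tiles.profile
@@ -0,0 +1,7 @@
+# Firejail profile alias for crawl
+# This file is overwritten after every install/update
+
+ignore no3d
+
+# Redirect
+include crawl.profile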
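Review bot: The base profile this alias redirects to has its naming crossed: crawl.profile (next section) opens with `# Firejail profile for crawl-tiles` and `include crawl-tiles.local`, although crawl-tiles.profile is the alias and crawl.profile the base. A user who creates crawl.local by analogy with the other profiles in this commit (clamav.profile includes clamav.local, clamtk.profile includes clamtk.local) will find it is never read, while crawl-tiles.local is applied to both binaries. In crawl.profile change the two lines to `# Firejail profile for crawl` and `include crawl.local`; this alias then needs its own `include crawl-tiles.local` ahead of the redirect so per-alias customizations still have a home.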
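--- /dev/null
+++ b/etc/crawl.profile
@@ -0,0 +1,45 @@
+# Firejail profile for crawl-tiles
+# Description: Roguelike dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include crawl-tiles.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.crawl
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.crawl
+whitelist ${HOME}/.crawl
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+
+disable-mnt
+private-bin crawl,crawl-tiles
+private-cache
+private-dev
+private-tmp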
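--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -9,13 +9,16 @@ include globals.local
 noblacklist ${HOME}/.config/d-feet
 
 # Allow python (disabled by disable-interpreters.inc)
-#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
-#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -29,8 +32,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -48,9 +50,7 @@ disable-mnt
 private-bin d-feet,python*
 private-cache
 private-dev
-private-etc alternatives,dbus-1,fonts
+private-etc alternatives,dbus-1,fonts,machine-id
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp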
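Review bot: New lines 12 and 14 uncomment `noblacklist ${PATH}/python2*` and `noblacklist /usr/lib/python2*`, which the old file had deliberately disabled, and `private-bin d-feet,python*` (line 50) lets either interpreter start; this re-admits a second interpreter into a sandbox that otherwise includes disable-interpreters.inc. If d-feet only needs Python 3, keep the python2 lines commented and add just the new `/usr/local/lib/python3*` entry; if Python 2 is genuinely needed somewhere, name the distribution in the comment on line 11 the way `# net none - breaks on Ubuntu` does for the dropped `net none`.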
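--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -6,8 +6,11 @@ include dconf-editor.local
 # Persistent global definitions
 include globals.local
 
+whitelist ${HOME}/.local/share/glib-2.0
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,8 +20,7 @@ include whitelist-common.inc
 
 apparmor
 caps.drop all
-machine-id
-net none
+# net none - breaks application on older versions
 no3d
 nodvd
 nogroups
@@ -37,10 +39,8 @@ disable-mnt
 private-bin dconf-editor
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-lib
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp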
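Review bot: The new `whitelist ${HOME}/.local/share/glib-2.0` (new line 9) sits above the `include disable-*.inc` block, whereas the other profiles in this commit keep whitelist lines together immediately before `include whitelist-common.inc` (crawl.profile, clawsker.profile); moving it there keeps the file-system section in one place. Those profiles also create the directory first (`mkdir ${HOME}/.crawl` before `whitelist ${HOME}/.crawl`); if whitelisting a path that does not yet exist is a silent no-op, dconf-editor could not write its settings on a fresh account, so `mkdir ${HOME}/.local/share/glib-2.0` should precede the whitelist — confirm against the whitelist semantics. The same two points apply to the identical hunk in dconf.profile.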
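--- a/etc/dconf.profile
+++ b/etc/dconf.profile
@@ -6,8 +6,11 @@ include dconf.local
 # Persistent global definitions
 include globals.local
 
+whitelist ${HOME}/.local/share/glib-2.0
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +47,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp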
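--- a/etc/default.profile
+++ b/etc/default.profile
@@ -10,11 +10,13 @@ include globals.local
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
+# apparmor
 caps.drop all
 # ipc-namespace
 netfilter
@@ -42,5 +44,3 @@ seccomp
 # private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp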
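Review bot: `# include disable-exec.inc` on new line 13 is added commented out with no reason, and because default.profile is the profile applied to programs that have no dedicated one, this is the single decision in the commit with the widest reach. The older disabled lines in this file (`# include disable-devel.inc`, `# ipc-namespace`) are equally unexplained, but a new line is the place to start the habit: `# include disable-exec.inc - programs without a profile may run executables from ${HOME} or /tmp`. The new `# apparmor` line on 19 deserves the same one-line reason.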
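--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 # include disable-devel.inc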
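--- a/etc/devhelp.profile
+++ b/etc/devhelp.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -18,8 +19,7 @@ include whitelist-common.inc
 
 apparmor
 caps.drop all
-machine-id
-net none
+# net none - makes settings immutable
 # nodbus - makes settings immutable
 nodvd
 nogroups
@@ -38,11 +38,9 @@ disable-mnt
 private-bin devhelp
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}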
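Review bot: `private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl` on new line 41 admits only `ssl` for the TLS trust store, and the CA bundle does not live under /etc/ssl on every distribution; the set this repository uses for TLS is visible in digikam.profile in this same commit, `ca-certificates,ssl,pki,crypto-policies`. Now that `net none` is no longer set (line 22), any TLS connection the application makes resolves its trust store through this list, so either use `private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,machine-id,pki,ssl` or record next to the line why `ssl` alone is enough here.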
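--- a/etc/devilspie.profile
+++ b/etc/devilspie.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.devilspie
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}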
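--- a/etc/devilspie2.profile
+++ b/etc/devilspie2.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/devilspie2
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,7 +45,5 @@ private-lib gconv
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}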
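--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.digrc
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -49,5 +50,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp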
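--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -14,6 +14,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ shell none
 # private-etc alternatives,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp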
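--- /dev/null
+++ b/etc/disable-exec.inc
@@ -0,0 +1,11 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include disable-exec.local
+
+noexec ${HOME}
+noexec ${RUNUSER}
+noexec /dev/shm
+noexec /tmp
+# /var is noexec by default for unprivileged users
+# except there is a writable-var option, so just in case:
+noexec /var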
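Review bot: The new include lacks a one-line statement of what it covers, which matters because every other profile in this commit is dropping its own `noexec ${HOME}` / `noexec /tmp` pair in favour of it and the include is wider than what they had (`${RUNUSER}`, `/dev/shm` and `/var` are new for most of them). Suggested after line 3: `# Mount the user-writable locations noexec so files dropped there cannot be run directly; this does not stop scripts fed to an interpreter, so pair it with disable-interpreters.inc and memory-deny-write-execute where the program tolerates them.` The header on lines 1-2 also uses an older template wording (`This file is overwritten during software install.` / `Persistent customizations should go in a .local file.`) than the profiles added in this same commit (`# This file is overwritten after every install/update` / `# Persistent local customizations`); aligning it keeps etc/ uniform.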
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 971e00f18..96fd80daf 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc | |||
@@ -6,7 +6,6 @@ blacklist ${HOME}/Arduino | |||
6 | blacklist ${HOME}/Monero/wallets | 6 | blacklist ${HOME}/Monero/wallets |
7 | blacklist ${HOME}/Nextcloud/Notes | 7 | blacklist ${HOME}/Nextcloud/Notes |
8 | blacklist ${HOME}/Standard Notes Backups | 8 | blacklist ${HOME}/Standard Notes Backups |
9 | blacklist ${HOME}/snap | ||
10 | blacklist ${HOME}/wallet.dat | 9 | blacklist ${HOME}/wallet.dat |
11 | blacklist ${HOME}/.*coin | 10 | blacklist ${HOME}/.*coin |
12 | blacklist ${HOME}/.8pecxstudios | 11 | blacklist ${HOME}/.8pecxstudios |
@@ -49,8 +48,10 @@ blacklist ${HOME}/.bcast5 | |||
49 | blacklist ${HOME}/.bibletime | 48 | blacklist ${HOME}/.bibletime |
50 | blacklist ${HOME}/.bitcoin | 49 | blacklist ${HOME}/.bitcoin |
51 | blacklist ${HOME}/.bogofilter | 50 | blacklist ${HOME}/.bogofilter |
51 | blacklist ${HOME}/.bzf | ||
52 | blacklist ${HOME}/.claws-mail | 52 | blacklist ${HOME}/.claws-mail |
53 | blacklist ${HOME}/.cliqz | 53 | blacklist ${HOME}/.cliqz |
54 | blacklist ${HOME}/.clonk | ||
54 | blacklist ${HOME}/.config/0ad | 55 | blacklist ${HOME}/.config/0ad |
55 | blacklist ${HOME}/.config/2048-qt | 56 | blacklist ${HOME}/.config/2048-qt |
56 | blacklist ${HOME}/.config/Atom | 57 | blacklist ${HOME}/.config/Atom |
@@ -77,6 +78,7 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player | |||
77 | blacklist ${HOME}/.config/Gpredict | 78 | blacklist ${HOME}/.config/Gpredict |
78 | blacklist ${HOME}/.config/INRIA | 79 | blacklist ${HOME}/.config/INRIA |
79 | blacklist ${HOME}/.config/InSilmaril | 80 | blacklist ${HOME}/.config/InSilmaril |
81 | blacklist ${HOME}/.config/Kid3 | ||
80 | blacklist ${HOME}/.config/Luminance | 82 | blacklist ${HOME}/.config/Luminance |
81 | blacklist ${HOME}/.config/Meltytech | 83 | blacklist ${HOME}/.config/Meltytech |
82 | blacklist ${HOME}/.config/Mendeley Ltd. | 84 | blacklist ${HOME}/.config/Mendeley Ltd. |
@@ -156,6 +158,7 @@ blacklist ${HOME}/.config/falkon | |||
156 | blacklist ${HOME}/.config/filezilla | 158 | blacklist ${HOME}/.config/filezilla |
157 | blacklist ${HOME}/.config/flowblade | 159 | blacklist ${HOME}/.config/flowblade |
158 | blacklist ${HOME}/.config/font-manager | 160 | blacklist ${HOME}/.config/font-manager |
161 | blacklist ${HOME}/.config/freecol | ||
159 | blacklist ${HOME}/.config/gajim | 162 | blacklist ${HOME}/.config/gajim |
160 | blacklist ${HOME}/.config/galculator | 163 | blacklist ${HOME}/.config/galculator |
161 | blacklist ${HOME}/.config/gconf | 164 | blacklist ${HOME}/.config/gconf |
@@ -190,6 +193,7 @@ blacklist ${HOME}/.config/katesyntaxhighlightingrc | |||
190 | blacklist ${HOME}/.config/katevirc | 193 | blacklist ${HOME}/.config/katevirc |
191 | blacklist ${HOME}/.config/kdenliverc | 194 | blacklist ${HOME}/.config/kdenliverc |
192 | blacklist ${HOME}/.config/kgetrc | 195 | blacklist ${HOME}/.config/kgetrc |
196 | blacklist ${HOME}/.config/kid3rc | ||
193 | blacklist ${HOME}/.config/klavaro | 197 | blacklist ${HOME}/.config/klavaro |
194 | blacklist ${HOME}/.config/klipperrc | 198 | blacklist ${HOME}/.config/klipperrc |
195 | blacklist ${HOME}/.config/kmail2rc | 199 | blacklist ${HOME}/.config/kmail2rc |
@@ -203,8 +207,10 @@ blacklist ${HOME}/.config/ktorrentrc | |||
203 | blacklist ${HOME}/.config/leafpad | 207 | blacklist ${HOME}/.config/leafpad |
204 | blacklist ${HOME}/.config/libreoffice | 208 | blacklist ${HOME}/.config/libreoffice |
205 | blacklist ${HOME}/.config/liferea | 209 | blacklist ${HOME}/.config/liferea |
210 | blacklist ${HOME}/.config/lugaru | ||
206 | blacklist ${HOME}/.config/lximage-qt | 211 | blacklist ${HOME}/.config/lximage-qt |
207 | blacklist ${HOME}/.config/mailtransports | 212 | blacklist ${HOME}/.config/mailtransports |
213 | blacklist ${HOME}/.config/mana | ||
208 | blacklist ${HOME}/.config/mate-calc | 214 | blacklist ${HOME}/.config/mate-calc |
209 | blacklist ${HOME}/.config/mate/eom | 215 | blacklist ${HOME}/.config/mate/eom |
210 | blacklist ${HOME}/.config/mate/mate-dictionary | 216 | blacklist ${HOME}/.config/mate/mate-dictionary |
@@ -223,6 +229,7 @@ blacklist ${HOME}/.config/nemo | |||
223 | blacklist ${HOME}/.config/netsurf | 229 | blacklist ${HOME}/.config/netsurf |
224 | blacklist ${HOME}/.config/nheko | 230 | blacklist ${HOME}/.config/nheko |
225 | blacklist ${HOME}/.config/NitroShare | 231 | blacklist ${HOME}/.config/NitroShare |
232 | blacklist ${HOME}/.config/nomacs | ||
226 | blacklist ${HOME}/.config/obs-studio | 233 | blacklist ${HOME}/.config/obs-studio |
227 | blacklist ${HOME}/.config/okularpartrc | 234 | blacklist ${HOME}/.config/okularpartrc |
228 | blacklist ${HOME}/.config/okularrc | 235 | blacklist ${HOME}/.config/okularrc |
@@ -296,6 +303,7 @@ blacklist ${HOME}/.config/yandex-browser-beta | |||
296 | blacklist ${HOME}/.config/zathura | 303 | blacklist ${HOME}/.config/zathura |
297 | blacklist ${HOME}/.config/zoomus.conf | 304 | blacklist ${HOME}/.config/zoomus.conf |
298 | blacklist ${HOME}/.conkeror.mozdev.org | 305 | blacklist ${HOME}/.conkeror.mozdev.org |
306 | blacklist ${HOME}/.crawl | ||
299 | blacklist ${HOME}/.curlrc | 307 | blacklist ${HOME}/.curlrc |
300 | blacklist ${HOME}/.dashcore | 308 | blacklist ${HOME}/.dashcore |
301 | blacklist ${HOME}/.devilspie | 309 | blacklist ${HOME}/.devilspie |
@@ -318,6 +326,9 @@ blacklist ${HOME}/.filezilla | |||
318 | blacklist ${HOME}/.flowblade | 326 | blacklist ${HOME}/.flowblade |
319 | blacklist ${HOME}/.fltk | 327 | blacklist ${HOME}/.fltk |
320 | blacklist ${HOME}/.fossamail | 328 | blacklist ${HOME}/.fossamail |
329 | blacklist ${HOME}/.freeciv | ||
330 | blacklist ${HOME}/.freecol | ||
331 | blacklist ${HOME}/.freemind | ||
321 | blacklist ${HOME}/.frozen-bubble | 332 | blacklist ${HOME}/.frozen-bubble |
322 | blacklist ${HOME}/.gimp* | 333 | blacklist ${HOME}/.gimp* |
323 | blacklist ${HOME}/.git-credential-cache | 334 | blacklist ${HOME}/.git-credential-cache |
@@ -404,12 +415,14 @@ blacklist ${HOME}/.killingfloor | |||
404 | blacklist ${HOME}/.kino-history | 415 | blacklist ${HOME}/.kino-history |
405 | blacklist ${HOME}/.kinorc | 416 | blacklist ${HOME}/.kinorc |
406 | blacklist ${HOME}/.kodi | 417 | blacklist ${HOME}/.kodi |
418 | blacklist ${HOME}/.lincity-ng | ||
407 | blacklist ${HOME}/.linphone-history.db | 419 | blacklist ${HOME}/.linphone-history.db |
408 | blacklist ${HOME}/.linphonerc | 420 | blacklist ${HOME}/.linphonerc |
409 | blacklist ${HOME}/.lmmsrc.xml | 421 | blacklist ${HOME}/.lmmsrc.xml |
410 | blacklist ${HOME}/.local/lib/vivaldi | 422 | blacklist ${HOME}/.local/lib/vivaldi |
411 | blacklist ${HOME}/.local/share/0ad | 423 | blacklist ${HOME}/.local/share/0ad |
412 | blacklist ${HOME}/.local/share/3909/PapersPlease | 424 | blacklist ${HOME}/.local/share/3909/PapersPlease |
425 | blacklist ${HOME}/.local/share/Anki2 | ||
413 | blacklist ${HOME}/.local/share/Empathy | 426 | blacklist ${HOME}/.local/share/Empathy |
414 | blacklist ${HOME}/.local/share/JetBrains | 427 | blacklist ${HOME}/.local/share/JetBrains |
415 | blacklist ${HOME}/.local/share/Mendeley Ltd. | 428 | blacklist ${HOME}/.local/share/Mendeley Ltd. |
@@ -437,6 +450,7 @@ blacklist ${HOME}/.local/share/data/Mendeley Ltd. | |||
437 | blacklist ${HOME}/.local/share/data/Mumble | 450 | blacklist ${HOME}/.local/share/data/Mumble |
438 | blacklist ${HOME}/.local/share/data/MusE | 451 | blacklist ${HOME}/.local/share/data/MusE |
439 | blacklist ${HOME}/.local/share/data/MuseScore | 452 | blacklist ${HOME}/.local/share/data/MuseScore |
453 | blacklist ${HOME}/.local/share/data/nomacs | ||
440 | blacklist ${HOME}/.local/share/data/qBittorrent | 454 | blacklist ${HOME}/.local/share/data/qBittorrent |
441 | blacklist ${HOME}/.local/share/dino | 455 | blacklist ${HOME}/.local/share/dino |
442 | blacklist ${HOME}/.local/share/dolphin | 456 | blacklist ${HOME}/.local/share/dolphin |
@@ -445,6 +459,7 @@ blacklist ${HOME}/.local/share/epiphany | |||
445 | blacklist ${HOME}/.local/share/evolution | 459 | blacklist ${HOME}/.local/share/evolution |
446 | blacklist ${HOME}/.local/share/feedreader | 460 | blacklist ${HOME}/.local/share/feedreader |
447 | blacklist ${HOME}/.local/share/feral-interactive | 461 | blacklist ${HOME}/.local/share/feral-interactive |
462 | blacklist ${HOME}/.local/share/freecol | ||
448 | blacklist ${HOME}/.local/share/gajim | 463 | blacklist ${HOME}/.local/share/gajim |
449 | blacklist ${HOME}/.local/share/geary | 464 | blacklist ${HOME}/.local/share/geary |
450 | blacklist ${HOME}/.local/share/geeqie | 465 | blacklist ${HOME}/.local/share/geeqie |
@@ -472,6 +487,8 @@ blacklist ${HOME}/.local/share/kwrite | |||
472 | blacklist ${HOME}/.local/share/liferea | 487 | blacklist ${HOME}/.local/share/liferea |
473 | blacklist ${HOME}/.local/share/local-mail | 488 | blacklist ${HOME}/.local/share/local-mail |
474 | blacklist ${HOME}/.local/share/lollypop | 489 | blacklist ${HOME}/.local/share/lollypop |
490 | blacklist ${HOME}/.local/share/lugaru | ||
491 | blacklist ${HOME}/.local/share/mana | ||
475 | blacklist ${HOME}/.local/share/maps-places.json | 492 | blacklist ${HOME}/.local/share/maps-places.json |
476 | blacklist ${HOME}/.local/share/meld | 493 | blacklist ${HOME}/.local/share/meld |
477 | blacklist ${HOME}/.local/share/midori | 494 | blacklist ${HOME}/.local/share/midori |
@@ -483,6 +500,7 @@ blacklist ${HOME}/.local/share/nautilus | |||
483 | blacklist ${HOME}/.local/share/nautilus-python | 500 | blacklist ${HOME}/.local/share/nautilus-python |
484 | blacklist ${HOME}/.local/share/nemo | 501 | blacklist ${HOME}/.local/share/nemo |
485 | blacklist ${HOME}/.local/share/nemo-python | 502 | blacklist ${HOME}/.local/share/nemo-python |
503 | blacklist ${HOME}/.local/share/nomacs | ||
486 | blacklist ${HOME}/.local/share/notes | 504 | blacklist ${HOME}/.local/share/notes |
487 | blacklist ${HOME}/.local/share/ocenaudio | 505 | blacklist ${HOME}/.local/share/ocenaudio |
488 | blacklist ${HOME}/.local/share/okular | 506 | blacklist ${HOME}/.local/share/okular |
@@ -508,6 +526,7 @@ blacklist ${HOME}/.local/share/uzbl | |||
508 | blacklist ${HOME}/.local/share/vlc | 526 | blacklist ${HOME}/.local/share/vlc |
509 | blacklist ${HOME}/.local/share/vpltd | 527 | blacklist ${HOME}/.local/share/vpltd |
510 | blacklist ${HOME}/.local/share/vulkan | 528 | blacklist ${HOME}/.local/share/vulkan |
529 | blacklist ${HOME}/.local/share/warsow-2.1 | ||
511 | blacklist ${HOME}/.local/share/wesnoth | 530 | blacklist ${HOME}/.local/share/wesnoth |
512 | blacklist ${HOME}/.local/share/xplayer | 531 | blacklist ${HOME}/.local/share/xplayer |
513 | blacklist ${HOME}/.local/share/xreader | 532 | blacklist ${HOME}/.local/share/xreader |
@@ -517,6 +536,7 @@ blacklist ${HOME}/.masterpdfeditor | |||
517 | blacklist ${HOME}/.mcabber | 536 | blacklist ${HOME}/.mcabber |
518 | blacklist ${HOME}/.mcabberrc | 537 | blacklist ${HOME}/.mcabberrc |
519 | blacklist ${HOME}/.mediathek3 | 538 | blacklist ${HOME}/.mediathek3 |
539 | blacklist ${HOME}/.megaglest | ||
520 | blacklist ${HOME}/.minetest | 540 | blacklist ${HOME}/.minetest |
521 | blacklist ${HOME}/.moonchild productions/basilisk | 541 | blacklist ${HOME}/.moonchild productions/basilisk |
522 | blacklist ${HOME}/.moonchild productions/pale moon | 542 | blacklist ${HOME}/.moonchild productions/pale moon |
@@ -531,12 +551,16 @@ blacklist ${HOME}/.netactview | |||
531 | blacklist ${HOME}/.neverball | 551 | blacklist ${HOME}/.neverball |
532 | blacklist ${HOME}/.nv | 552 | blacklist ${HOME}/.nv |
533 | blacklist ${HOME}/.nylas-mail | 553 | blacklist ${HOME}/.nylas-mail |
554 | blacklist ${HOME}/.opencity | ||
534 | blacklist ${HOME}/.openinvaders | 555 | blacklist ${HOME}/.openinvaders |
535 | blacklist ${HOME}/.openshot | 556 | blacklist ${HOME}/.openshot |
536 | blacklist ${HOME}/.openshot_qt | 557 | blacklist ${HOME}/.openshot_qt |
558 | blacklist ${HOME}/.openttd | ||
537 | blacklist ${HOME}/.opera | 559 | blacklist ${HOME}/.opera |
538 | blacklist ${HOME}/.opera-beta | 560 | blacklist ${HOME}/.opera-beta |
561 | blacklist ${HOME}/.ostrichriders | ||
539 | blacklist ${HOME}/.pingus | 562 | blacklist ${HOME}/.pingus |
563 | blacklist ${HOME}/.pioneer | ||
540 | blacklist ${HOME}/.purple | 564 | blacklist ${HOME}/.purple |
541 | blacklist ${HOME}/.qemu-launcher | 565 | blacklist ${HOME}/.qemu-launcher |
542 | blacklist ${HOME}/.qmmp | 566 | blacklist ${HOME}/.qmmp |
@@ -546,6 +570,7 @@ blacklist ${HOME}/.remmina | |||
546 | blacklist ${HOME}/.repo_.gitconfig.json | 570 | blacklist ${HOME}/.repo_.gitconfig.json |
547 | blacklist ${HOME}/.repoconfig | 571 | blacklist ${HOME}/.repoconfig |
548 | blacklist ${HOME}/.retroshare | 572 | blacklist ${HOME}/.retroshare |
573 | blacklist ${HOME}/.scorched3d | ||
549 | blacklist ${HOME}/.scribus | 574 | blacklist ${HOME}/.scribus |
550 | blacklist ${HOME}/.scribusrc | 575 | blacklist ${HOME}/.scribusrc |
551 | blacklist ${HOME}/.simutrans | 576 | blacklist ${HOME}/.simutrans |
@@ -560,10 +585,14 @@ blacklist ${HOME}/.sword | |||
560 | blacklist ${HOME}/.sylpheed-2.0 | 585 | blacklist ${HOME}/.sylpheed-2.0 |
561 | blacklist ${HOME}/.synfig | 586 | blacklist ${HOME}/.synfig |
562 | blacklist ${HOME}/.tconn | 587 | blacklist ${HOME}/.tconn |
588 | blacklist ${HOME}/.teeworlds | ||
563 | blacklist ${HOME}/.thunderbird | 589 | blacklist ${HOME}/.thunderbird |
564 | blacklist ${HOME}/.tilp | 590 | blacklist ${HOME}/.tilp |
565 | blacklist ${HOME}/.tooling | 591 | blacklist ${HOME}/.tooling |
566 | blacklist ${HOME}/.tor-browser-* | 592 | blacklist ${HOME}/.tor-browser-* |
593 | blacklist ${HOME}/.tor-browser_* | ||
594 | blacklist ${HOME}/.torcs | ||
595 | blacklist ${HOME}/.tremulous | ||
567 | blacklist ${HOME}/.ts3client | 596 | blacklist ${HOME}/.ts3client |
568 | blacklist ${HOME}/.tuxguitar* | 597 | blacklist ${HOME}/.tuxguitar* |
569 | blacklist ${HOME}/.unknown-horizons | 598 | blacklist ${HOME}/.unknown-horizons |
@@ -572,12 +601,14 @@ blacklist ${HOME}/.viking-maps | |||
572 | blacklist ${HOME}/.vscode | 601 | blacklist ${HOME}/.vscode |
573 | blacklist ${HOME}/.vscode-oss | 602 | blacklist ${HOME}/.vscode-oss |
574 | blacklist ${HOME}/.vst | 603 | blacklist ${HOME}/.vst |
604 | blacklist ${HOME}/.vultures | ||
575 | blacklist ${HOME}/.w3m | 605 | blacklist ${HOME}/.w3m |
576 | blacklist ${HOME}/.warzone2100-3.* | 606 | blacklist ${HOME}/.warzone2100-3.* |
577 | blacklist ${HOME}/.waterfox | 607 | blacklist ${HOME}/.waterfox |
578 | blacklist ${HOME}/.weechat | 608 | blacklist ${HOME}/.weechat |
579 | blacklist ${HOME}/.wget-hsts | 609 | blacklist ${HOME}/.wget-hsts |
580 | blacklist ${HOME}/.wgetrc | 610 | blacklist ${HOME}/.wgetrc |
611 | blacklist ${HOME}/.widelands | ||
581 | blacklist ${HOME}/.wine | 612 | blacklist ${HOME}/.wine |
582 | blacklist ${HOME}/.wireshark | 613 | blacklist ${HOME}/.wireshark |
583 | blacklist ${HOME}/.wine64 | 614 | blacklist ${HOME}/.wine64 |
@@ -620,6 +651,7 @@ blacklist ${HOME}/.cache/falkon | |||
620 | blacklist ${HOME}/.cache/feedreader | 651 | blacklist ${HOME}/.cache/feedreader |
621 | blacklist ${HOME}/.cache/font-manager | 652 | blacklist ${HOME}/.cache/font-manager |
622 | blacklist ${HOME}/.cache/fossamail | 653 | blacklist ${HOME}/.cache/fossamail |
654 | blacklist ${HOME}/.cache/freecol | ||
623 | blacklist ${HOME}/.cache/gajim | 655 | blacklist ${HOME}/.cache/gajim |
624 | blacklist ${HOME}/.cache/geeqie | 656 | blacklist ${HOME}/.cache/geeqie |
625 | blacklist ${HOME}/.cache/google-chrome | 657 | blacklist ${HOME}/.cache/google-chrome |
@@ -684,6 +716,7 @@ blacklist ${HOME}/.cache/transmission | |||
684 | blacklist ${HOME}/.cache/vivaldi | 716 | blacklist ${HOME}/.cache/vivaldi |
685 | blacklist ${HOME}/.cache/vivaldi-snapshot | 717 | blacklist ${HOME}/.cache/vivaldi-snapshot |
686 | blacklist ${HOME}/.cache/vlc | 718 | blacklist ${HOME}/.cache/vlc |
719 | blacklist ${HOME}/.cache/warsow-2.1 | ||
687 | blacklist ${HOME}/.cache/waterfox | 720 | blacklist ${HOME}/.cache/waterfox |
688 | blacklist ${HOME}/.cache/wesnoth | 721 | blacklist ${HOME}/.cache/wesnoth |
689 | blacklist ${HOME}/.cache/xmms2 | 722 | blacklist ${HOME}/.cache/xmms2 |
@@ -692,3 +725,7 @@ blacklist ${HOME}/.cache/yandex-browser | |||
692 | blacklist ${HOME}/.cache/yandex-browser-beta | 725 | blacklist ${HOME}/.cache/yandex-browser-beta |
693 | 726 | ||
694 | blacklist /var/games/nethack | 727 | blacklist /var/games/nethack |
728 | blacklist /var/games/slashem | ||
729 | blacklist /var/games/vulturesclaw | ||
730 | blacklist /var/games/vultureseye | ||
731 | blacklist /var/lib/games/Maelstrom-Scores | ||
diff --git a/etc/display.profile b/etc/display.profile index ff19365ad..e66fa3ae9 100644 --- a/etc/display.profile +++ b/etc/display.profile | |||
@@ -12,6 +12,8 @@ noblacklist ${PATH}/python2* | |||
12 | noblacklist ${PATH}/python3* | 12 | noblacklist ${PATH}/python3* |
13 | noblacklist /usr/lib/python2* | 13 | noblacklist /usr/lib/python2* |
14 | noblacklist /usr/lib/python3* | 14 | noblacklist /usr/lib/python3* |
15 | noblacklist /usr/local/lib/python2* | ||
16 | noblacklist /usr/local/lib/python3* | ||
15 | 17 | ||
16 | include disable-common.inc | 18 | include disable-common.inc |
17 | include disable-devel.inc | 19 | include disable-devel.inc |
diff --git a/etc/easystroke.profile b/etc/easystroke.profile index 44156f97e..42529d302 100644 --- a/etc/easystroke.profile +++ b/etc/easystroke.profile | |||
@@ -10,12 +10,14 @@ noblacklist ${HOME}/.easystroke | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
16 | 18 | ||
19 | apparmor | ||
17 | caps.drop all | 20 | caps.drop all |
18 | ipc-namespace | ||
19 | machine-id | 21 | machine-id |
20 | net none | 22 | net none |
21 | no3d | 23 | no3d |
@@ -33,13 +35,13 @@ seccomp | |||
33 | shell none | 35 | shell none |
34 | 36 | ||
35 | disable-mnt | 37 | disable-mnt |
36 | private-bin easystroke,bash,sh | 38 | # breaks custom shell command functionality |
39 | #private-bin bash,easystroke,sh | ||
37 | private-cache | 40 | private-cache |
38 | private-dev | 41 | private-dev |
39 | private-etc alternatives,fonts | 42 | private-etc alternatives,fonts,group,passwd |
40 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 43 | # breaks custom shell command functionality |
44 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | ||
41 | private-tmp | 45 | private-tmp |
42 | 46 | ||
43 | memory-deny-write-execute | 47 | memory-deny-write-execute |
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
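Review bot: `ipc-namespace` (old line 18) is dropped without the explanatory comment that the other relaxations in this hunk carry, so a later editor cannot tell whether it was a breakage fix or an accident. Without the IPC namespace the sandboxed process shares the host's SysV IPC and POSIX message queues. If it breaks easystroke, leave a commented marker with the symptom, e.g. `#ipc-namespace - breaks <symptom>`, otherwise restore the line. The `private-etc` addition of `group,passwd` looks like support for the now-uncommented shell path and is reasonable.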
diff --git a/etc/electrum.profile b/etc/electrum.profile index a290683de..9d5cf7fab 100644 --- a/etc/electrum.profile +++ b/etc/electrum.profile | |||
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2* | |||
13 | noblacklist ${PATH}/python3* | 13 | noblacklist ${PATH}/python3* |
14 | noblacklist /usr/lib/python2* | 14 | noblacklist /usr/lib/python2* |
15 | noblacklist /usr/lib/python3* | 15 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
16 | 18 | ||
17 | include disable-common.inc | 19 | include disable-common.inc |
18 | include disable-devel.inc | 20 | include disable-devel.inc |
diff --git a/etc/enchant.profile b/etc/enchant.profile index 7d304feb7..288d8799c 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile | |||
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/enchant | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
@@ -43,5 +44,3 @@ private-lib | |||
43 | private-tmp | 44 | private-tmp |
44 | 45 | ||
45 | memory-deny-write-execute | 46 | memory-deny-write-execute |
46 | noexec ${HOME} | ||
47 | noexec /tmp | ||
diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 670808de2..562e8f542 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | include disable-common.inc | 9 | include disable-common.inc |
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | ||
11 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
12 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
13 | include disable-programs.inc | 14 | include disable-programs.inc |
@@ -38,5 +39,3 @@ private-dev | |||
38 | # private-tmp | 39 | # private-tmp |
39 | 40 | ||
40 | memory-deny-write-execute | 41 | memory-deny-write-execute |
41 | noexec ${HOME} | ||
42 | noexec /tmp | ||
diff --git a/etc/eog.profile b/etc/eog.profile index 32b648bd9..f296cbcb4 100644 --- a/etc/eog.profile +++ b/etc/eog.profile | |||
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam | |||
13 | 13 | ||
14 | include disable-common.inc | 14 | include disable-common.inc |
15 | include disable-devel.inc | 15 | include disable-devel.inc |
16 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
17 | include disable-passwdmgr.inc | 18 | include disable-passwdmgr.inc |
18 | include disable-programs.inc | 19 | include disable-programs.inc |
@@ -23,9 +24,7 @@ apparmor | |||
23 | caps.drop all | 24 | caps.drop all |
24 | ipc-namespace | 25 | ipc-namespace |
25 | machine-id | 26 | machine-id |
26 | net none | ||
27 | no3d | 27 | no3d |
28 | # nodbus - makes settings immutable | ||
29 | nodvd | 28 | nodvd |
30 | nogroups | 29 | nogroups |
31 | nonewprivs | 30 | nonewprivs |
@@ -37,7 +36,10 @@ novideo | |||
37 | protocol unix | 36 | protocol unix |
38 | seccomp | 37 | seccomp |
39 | shell none | 38 | shell none |
39 | tracelog | ||
40 | 40 | ||
41 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' | ||
42 | # comment those if you need that functionality | ||
41 | private-bin eog | 43 | private-bin eog |
42 | private-cache | 44 | private-cache |
43 | private-dev | 45 | private-dev |
@@ -46,5 +48,3 @@ private-lib eog,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | |||
46 | private-tmp | 48 | private-tmp |
47 | 49 | ||
48 | # memory-deny-write-execute | 50 | # memory-deny-write-execute |
49 | noexec ${HOME} | ||
50 | noexec /tmp | ||
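Review bot: `net none` (old line 26) is removed silently, while the same commit deletes from eom a comment recording that `net none` "makes settings immutable"; that rationale should move into eog rather than disappear. The retained `protocol unix` should still stop inet/inet6 sockets, so the practical widening is limited, but the profile ought to say why an image viewer no longer opts out of the network. Suggested replacement for the deleted line: `# net none - makes settings immutable` (adjust to the actual symptom). The dropped `# nodbus - makes settings immutable` comment had the same documentary value and should be kept.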
diff --git a/etc/eom.profile b/etc/eom.profile index c34331da6..a6007f99c 100644 --- a/etc/eom.profile +++ b/etc/eom.profile | |||
@@ -19,11 +19,8 @@ include disable-programs.inc | |||
19 | 19 | ||
20 | include whitelist-var-common.inc | 20 | include whitelist-var-common.inc |
21 | 21 | ||
22 | # apparmor - makes settings immutable | ||
23 | caps.drop all | 22 | caps.drop all |
24 | # net none - makes settings immutable | ||
25 | no3d | 23 | no3d |
26 | # nodbus - makes settings immutable | ||
27 | nodvd | 24 | nodvd |
28 | nogroups | 25 | nogroups |
29 | nonewprivs | 26 | nonewprivs |
@@ -37,6 +34,8 @@ seccomp | |||
37 | shell none | 34 | shell none |
38 | tracelog | 35 | tracelog |
39 | 36 | ||
37 | # private-bin, private-etc and private-lib break 'Open With' / 'Open in file manager' | ||
38 | # comment those if you need that functionality | ||
40 | private-bin eom | 39 | private-bin eom |
41 | private-dev | 40 | private-dev |
42 | private-etc alternatives,fonts | 41 | private-etc alternatives,fonts |
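Review bot: The three explanatory comments (`# apparmor - makes settings immutable`, `# net none - makes settings immutable`, `# nodbus - makes settings immutable`) are deleted without replacement, so the profile no longer records why these hardening options are deliberately absent. A future cleanup pass is likely to re-add them and reintroduce the settings breakage. Keep them as commented lines, or fold the reason into one comment beside `caps.drop all`, e.g. `# apparmor, net none and nodbus make eom settings immutable - do not add them`.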
diff --git a/etc/exfalso.profile b/etc/exfalso.profile index 23bd25986..b4d275d22 100644 --- a/etc/exfalso.profile +++ b/etc/exfalso.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 1838ce273..2ee4aae6f 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile | |||
@@ -15,6 +15,7 @@ noblacklist /usr/share/perl* | |||
15 | 15 | ||
16 | include disable-common.inc | 16 | include disable-common.inc |
17 | include disable-devel.inc | 17 | include disable-devel.inc |
18 | include disable-exec.inc | ||
18 | include disable-interpreters.inc | 19 | include disable-interpreters.inc |
19 | include disable-passwdmgr.inc | 20 | include disable-passwdmgr.inc |
20 | include disable-programs.inc | 21 | include disable-programs.inc |
@@ -39,12 +40,12 @@ seccomp | |||
39 | shell none | 40 | shell none |
40 | tracelog | 41 | tracelog |
41 | 42 | ||
42 | private-bin exiftool,perl | 43 | # To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below. |
44 | # Users on non-Arch Linux distributions can safely uncomment the below to enable extra hardening. | ||
45 | #private-bin exiftool,perl | ||
43 | private-cache | 46 | private-cache |
44 | private-dev | 47 | private-dev |
45 | private-etc alternatives | 48 | private-etc alternatives |
46 | private-tmp | 49 | private-tmp |
47 | 50 | ||
48 | memory-deny-write-execute | 51 | memory-deny-write-execute |
49 | noexec ${HOME} | ||
50 | noexec /tmp | ||
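Review bot: Disabling `private-bin exiftool,perl` for every distribution to accommodate Arch's /usr/bin/vendor_perl layout weakens the default sandbox everywhere, when the profile already has a per-user override hook. Keep `private-bin exiftool,perl` active and have Arch users put `ignore private-bin` into exiftool.local (included at the top of the profile, so the ignore applies to the later directive), or use the symlink the comment already describes. That makes hardening the default and the workaround opt-in. Suggested comment: `# On Arch Linux exiftool lives in /usr/bin/vendor_perl; either symlink it to /usr/bin/exiftool or add 'ignore private-bin' to exiftool.local`.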
diff --git a/etc/feh-network.inc b/etc/feh-network.inc index b74486f4f..f3876475e 100644 --- a/etc/feh-network.inc +++ b/etc/feh-network.inc | |||
@@ -1,2 +1,4 @@ | |||
1 | ignore net none | 1 | ignore net none |
2 | private-etc resolv.conf,ca-certificates,ssl | 2 | netfilter |
3 | protocol unix,inet,inet6 | ||
4 | private-etc resolv.conf,ca-certificates,ssl,pki,hosts,crypto-policies | ||
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index aa7a91928..a1c311e42 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile | |||
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS} | |||
12 | 12 | ||
13 | include disable-common.inc | 13 | include disable-common.inc |
14 | include disable-devel.inc | 14 | include disable-devel.inc |
15 | include disable-exec.inc | ||
15 | include disable-interpreters.inc | 16 | include disable-interpreters.inc |
16 | include disable-passwdmgr.inc | 17 | include disable-passwdmgr.inc |
17 | include disable-programs.inc | 18 | include disable-programs.inc |
@@ -48,5 +49,3 @@ private-etc alternatives,pki,pkcs11,hosts,ssl,ca-certificates,resolv.conf | |||
48 | private-tmp | 49 | private-tmp |
49 | 50 | ||
50 | # memory-deny-write-execute - it breaks old versions of ffmpeg | 51 | # memory-deny-write-execute - it breaks old versions of ffmpeg |
51 | noexec ${HOME} | ||
52 | noexec /tmp | ||
diff --git a/etc/ffmpegthumbnailer.profile b/etc/ffmpegthumbnailer.profile index 6ab35e9a0..3681c40f1 100644 --- a/etc/ffmpegthumbnailer.profile +++ b/etc/ffmpegthumbnailer.profile | |||
@@ -10,6 +10,8 @@ include ffmpegthumbnailer.local | |||
10 | private-bin ffmpegthumbnailer | 10 | private-bin ffmpegthumbnailer |
11 | private-lib libffmpegthumbnailer.so.* | 11 | private-lib libffmpegthumbnailer.so.* |
12 | 12 | ||
13 | # fix for ranger video thumbnails | ||
14 | ignore private-cache | ||
13 | 15 | ||
14 | # Redirect | 16 | # Redirect |
15 | include ffmpeg.profile | 17 | include ffmpeg.profile |
diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 777efe0e3..ad52b0e97 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile | |||
@@ -8,6 +8,7 @@ include globals.local | |||
8 | 8 | ||
9 | include disable-common.inc | 9 | include disable-common.inc |
10 | include disable-devel.inc | 10 | include disable-devel.inc |
11 | include disable-exec.inc | ||
11 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
12 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
13 | include disable-programs.inc | 14 | include disable-programs.inc |
@@ -16,11 +17,11 @@ include whitelist-var-common.inc | |||
16 | 17 | ||
17 | apparmor | 18 | apparmor |
18 | caps.drop all | 19 | caps.drop all |
19 | ipc-namespace | 20 | #ipc-namespace - causing issues launching on archlinux |
20 | machine-id | 21 | machine-id |
21 | net none | 22 | # net none - breaks on older Ubuntu versions |
22 | no3d | 23 | no3d |
23 | # nodbus makes settings immutable - comment if you need settings support | 24 | # nodbus - makes settings immutable - comment if you need settings support |
24 | nodbus | 25 | nodbus |
25 | nodvd | 26 | nodvd |
26 | nogroups | 27 | nogroups |
@@ -41,5 +42,3 @@ private-dev | |||
41 | # private-tmp | 42 | # private-tmp |
42 | 43 | ||
43 | # memory-deny-write-execute | 44 | # memory-deny-write-execute |
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
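Review bot: Commenting out `net none` gives an archive manager that routinely opens untrusted archives full network access, and the hunk adds no compensating restriction. If the rest of the profile (outside the hunk) does not already carry `protocol unix` or `netfilter`, add `protocol unix` so the process still cannot open inet sockets while sharing the host network namespace. The new comments `# net none - breaks on older Ubuntu versions` and `#ipc-namespace - causing issues launching on archlinux` would be more useful with the concrete symptom or an issue reference, so the restrictions can be restored once those platforms are no longer a concern.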
diff --git a/etc/file.profile b/etc/file.profile index e084e80c2..c304b4efe 100644 --- a/etc/file.profile +++ b/etc/file.profile | |||
@@ -10,6 +10,7 @@ include globals.local | |||
10 | blacklist /tmp/.X11-unix | 10 | blacklist /tmp/.X11-unix |
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-exec.inc | ||
13 | include disable-passwdmgr.inc | 14 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 15 | include disable-programs.inc |
15 | 16 | ||
@@ -41,5 +42,3 @@ private-etc alternatives,magic.mgc,magic,localtime | |||
41 | private-lib libarchive.so.*,libfakeroot,libmagic.so.* | 42 | private-lib libarchive.so.*,libfakeroot,libmagic.so.* |
42 | 43 | ||
43 | memory-deny-write-execute | 44 | memory-deny-write-execute |
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 2e77937ea..fb96d9d87 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index 3089b7ce8..a2a34f33f 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile | |||
@@ -6,6 +6,9 @@ include firefox-common.local | |||
6 | # already included by caller profile | 6 | # already included by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # noexec ${HOME} breaks DRM binaries. | ||
10 | ignore noexec ${HOME} | ||
11 | |||
9 | # Uncomment the following line to allow access to common programs/addons/plugins. | 12 | # Uncomment the following line to allow access to common programs/addons/plugins. |
10 | #include firefox-common-addons.inc | 13 | #include firefox-common-addons.inc |
11 | 14 | ||
@@ -14,6 +17,7 @@ noblacklist ${HOME}/.local/share/pki | |||
14 | 17 | ||
15 | include disable-common.inc | 18 | include disable-common.inc |
16 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
18 | include disable-programs.inc | 22 | include disable-programs.inc |
19 | 23 | ||
@@ -55,7 +59,3 @@ private-dev | |||
55 | # private-etc below works fine on most distributions. There are some problems on CentOS. | 59 | # private-etc below works fine on most distributions. There are some problems on CentOS. |
56 | #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache | 60 | #private-etc alternatives,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,mime.types,mailcap,asound.conf,pulse,pki,crypto-policies,ld.so.cache |
57 | private-tmp | 61 | private-tmp |
58 | |||
59 | # Breaks DRM binaries. | ||
60 | #noexec ${HOME} | ||
61 | noexec /tmp | ||
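Review bot: `ignore noexec ${HOME}` re-enables execution from the entire home directory, not only from the plugin location, and the one-line comment understates that trade-off. Since `noexec` applies to the whole path rather than a sub-directory, a narrower exemption is presumably not available, but the comment should say what needs it and what is given up, e.g. `# noexec ${HOME} breaks the DRM/codec plugins Firefox downloads into its profile directory; ignoring it allows execution from anywhere under ${HOME}` (confirm the exact plugin names for your build). Placing the ignore before `include disable-exec.inc` is the correct order for it to take effect.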
diff --git a/etc/flowblade.profile b/etc/flowblade.profile index 4628b85ee..b57c27936 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/font-manager.profile b/etc/font-manager.profile index 3c57a4327..98952e1cc 100644 --- a/etc/font-manager.profile +++ b/etc/font-manager.profile | |||
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
22 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | 23 | include disable-interpreters.inc |
21 | include disable-passwdmgr.inc | 24 | include disable-passwdmgr.inc |
22 | include disable-programs.inc | 25 | include disable-programs.inc |
@@ -31,7 +34,7 @@ include whitelist-common.inc | |||
31 | apparmor | 34 | apparmor |
32 | caps.drop all | 35 | caps.drop all |
33 | machine-id | 36 | machine-id |
34 | net none | 37 | # net none - issues on older versions |
35 | no3d | 38 | no3d |
36 | nodvd | 39 | nodvd |
37 | nogroups | 40 | nogroups |
@@ -52,5 +55,3 @@ private-dev | |||
52 | private-tmp | 55 | private-tmp |
53 | 56 | ||
54 | #memory-deny-write-execute - Breaks on Arch | 57 | #memory-deny-write-execute - Breaks on Arch |
55 | noexec ${HOME} | ||
56 | noexec /tmp | ||
diff --git a/etc/fontforge.profile b/etc/fontforge.profile index 2a833de06..dc4e43b09 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile | |||
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2* | |||
14 | noblacklist ${PATH}/python3* | 14 | noblacklist ${PATH}/python3* |
15 | noblacklist /usr/lib/python2* | 15 | noblacklist /usr/lib/python2* |
16 | noblacklist /usr/lib/python3* | 16 | noblacklist /usr/lib/python3* |
17 | noblacklist /usr/local/lib/python2* | ||
18 | noblacklist /usr/local/lib/python3* | ||
17 | 19 | ||
18 | include disable-common.inc | 20 | include disable-common.inc |
19 | include disable-devel.inc | 21 | include disable-devel.inc |
diff --git a/etc/freeciv-gtk3.profile b/etc/freeciv-gtk3.profile new file mode 100644 index 000000000..fa36459e7 --- /dev/null +++ b/etc/freeciv-gtk3.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for freeciv | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include freeciv.profile | ||
diff --git a/etc/freeciv-mp-gtk3.profile b/etc/freeciv-mp-gtk3.profile new file mode 100644 index 000000000..fa36459e7 --- /dev/null +++ b/etc/freeciv-mp-gtk3.profile | |||
@@ -0,0 +1,5 @@ | |||
1 | # Firejail profile alias for freeciv | ||
2 | # This file is overwritten after every install/update | ||
3 | |||
4 | # Redirect | ||
5 | include freeciv.profile | ||
diff --git a/etc/freeciv.profile b/etc/freeciv.profile new file mode 100644 index 000000000..4813379a7 --- /dev/null +++ b/etc/freeciv.profile | |||
@@ -0,0 +1,44 @@ | |||
1 | # Firejail profile for freeciv | ||
2 | # Description: A multi-player strategy game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include freeciv.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.freeciv | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-passwdmgr.inc | ||
16 | include disable-programs.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.freeciv | ||
20 | whitelist ${HOME}/.freeciv | ||
21 | include whitelist-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | caps.drop all | ||
25 | ipc-namespace | ||
26 | netfilter | ||
27 | nodbus | ||
28 | nodvd | ||
29 | nogroups | ||
30 | nonewprivs | ||
31 | noroot | ||
32 | notv | ||
33 | nou2f | ||
34 | novideo | ||
35 | protocol unix,inet,inet6 | ||
36 | seccomp | ||
37 | shell none | ||
38 | tracelog | ||
39 | |||
40 | disable-mnt | ||
41 | private-bin freeciv-gtk3,freeciv-mp-gtk3,freeciv-server,freeciv-manual | ||
42 | private-cache | ||
43 | private-dev | ||
44 | private-tmp | ||
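Review bot: `private-bin` whitelists `freeciv-server`, so hosting a game from inside the sandbox is evidently intended, yet with `netfilter` active (when a network namespace is used) the default firejail filter drops unsolicited inbound connections, as far as I recall, so remote players could not join a server started under this profile. Add a comment documenting this, e.g. `# hosting a server for remote players requires a custom netfilter file or 'ignore netfilter' in freeciv.local`. If hosting is not a supported use case, drop `freeciv-server` from `private-bin` instead to keep the binary set minimal.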
diff --git a/etc/freecol.profile b/etc/freecol.profile new file mode 100644 index 000000000..7987cc076 --- /dev/null +++ b/etc/freecol.profile | |||
@@ -0,0 +1,60 @@ | |||
1 | # Firejail profile for freecol | ||
2 | # Description: Turn-based multi-player strategy game | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include freecol.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.freecol | ||
10 | noblacklist ${HOME}/.java | ||
11 | noblacklist ${HOME}/.cache/freecol | ||
12 | noblacklist ${HOME}/.config/freecol | ||
13 | noblacklist ${HOME}/.local/share/freecol | ||
14 | |||
15 | # Allow access to java | ||
16 | noblacklist ${PATH}/java | ||
17 | noblacklist /usr/lib/java | ||
18 | noblacklist /etc/java | ||
19 | noblacklist /usr/share/java | ||
20 | |||
21 | include disable-common.inc | ||
22 | include disable-devel.inc | ||
23 | include disable-exec.inc | ||
24 | include disable-interpreters.inc | ||
25 | include disable-passwdmgr.inc | ||
26 | include disable-programs.inc | ||
27 | include disable-xdg.inc | ||
28 | |||
29 | mkdir ${HOME}/.java | ||
30 | mkdir ${HOME}/.cache/freecol | ||
31 | mkdir ${HOME}/.config/freecol | ||
32 | mkdir ${HOME}/.local/share/freecol | ||
33 | whitelist ${HOME}/.freecol | ||
34 | whitelist ${HOME}/.java | ||
35 | whitelist ${HOME}/.cache/freecol | ||
36 | whitelist ${HOME}/.config/freecol | ||
37 | whitelist ${HOME}/.local/share/freecol | ||
38 | include whitelist-common.inc | ||
39 | include whitelist-var-common.inc | ||
40 | |||
41 | caps.drop all | ||
42 | ipc-namespace | ||
43 | netfilter | ||
44 | nodbus | ||
45 | nodvd | ||
46 | nogroups | ||
47 | nonewprivs | ||
48 | noroot | ||
49 | notv | ||
50 | nou2f | ||
51 | novideo | ||
52 | protocol unix,inet,inet6 | ||
53 | seccomp | ||
54 | shell none | ||
55 | tracelog | ||
56 | |||
57 | disable-mnt | ||
58 | private-cache | ||
59 | private-dev | ||
60 | private-tmp | ||
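Review bot: `${HOME}/.freecol` is whitelisted (line 33) but, unlike the four other directories in this block, not created with `mkdir`; firejail skips whitelisting a path that does not exist, and the whitelisted home is otherwise empty, so on a fresh install the game could not create it. Either add `mkdir ${HOME}/.freecol`, or if that path is only used by legacy versions, say so next to the whitelist: `# ${HOME}/.freecol - legacy location, not created`. The XDG directories are handled consistently.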
diff --git a/etc/freemind.profile b/etc/freemind.profile new file mode 100644 index 000000000..507bd564d --- /dev/null +++ b/etc/freemind.profile | |||
@@ -0,0 +1,52 @@ | |||
1 | # Firejail profile for freemind | ||
2 | # Description: Free mind mapping software | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include freemind.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${DOCUMENTS} | ||
10 | noblacklist ${PATH}/java | ||
11 | noblacklist /etc/java | ||
12 | noblacklist /usr/lib/java | ||
13 | noblacklist /usr/share/java | ||
14 | noblacklist ${HOME}/.freemind | ||
15 | |||
16 | include disable-common.inc | ||
17 | include disable-devel.inc | ||
18 | include disable-exec.inc | ||
19 | include disable-interpreters.inc | ||
20 | include disable-passwdmgr.inc | ||
21 | include disable-programs.inc | ||
22 | include disable-xdg.inc | ||
23 | |||
24 | include whitelist-var-common.inc | ||
25 | |||
26 | apparmor | ||
27 | caps.drop all | ||
28 | machine-id | ||
29 | netfilter | ||
30 | no3d | ||
31 | nodbus | ||
32 | nodvd | ||
33 | nogroups | ||
34 | nonewprivs | ||
35 | noroot | ||
36 | nosound | ||
37 | notv | ||
38 | nou2f | ||
39 | novideo | ||
40 | protocol unix,inet,inet6 | ||
41 | seccomp | ||
42 | shell none | ||
43 | tracelog | ||
44 | |||
45 | disable-mnt | ||
46 | private-bin freemind,java,bash,sed,sh,grep,mkdir,echo,cp,uname,which,lsb_release,rpm,dpkg,dirname,readlink | ||
47 | private-cache | ||
48 | private-dev | ||
49 | #private-etc alternatives,fonts,java | ||
50 | private-tmp | ||
51 | private-opt none | ||
52 | private-srv none | ||
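Review bot: `private-bin` includes `rpm` and `dpkg` with no comment on why a mind-mapping tool needs package-manager binaries; presumably the freemind launcher script calls them for distribution detection, but that inference should be written down. With `caps.drop all` and `nonewprivs` they cannot alter the system, yet a minimal list is the whole point of `private-bin`. Add e.g. `# bash, sed, grep, uname, lsb_release, rpm, dpkg, ... are used by the freemind launcher script`, and give `#private-etc alternatives,fonts,java` a reason for being disabled.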
diff --git a/etc/freshclam.profile b/etc/freshclam.profile index 2dd55d8cc..2bab79e2e 100644 --- a/etc/freshclam.profile +++ b/etc/freshclam.profile | |||
@@ -6,6 +6,7 @@ include clamav.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | include disable-exec.inc | ||
9 | 10 | ||
10 | caps.keep setgid,setuid | 11 | caps.keep setgid,setuid |
11 | ipc-namespace | 12 | ipc-namespace |
@@ -32,5 +33,3 @@ writable-var | |||
32 | writable-var-log | 33 | writable-var-log |
33 | 34 | ||
34 | memory-deny-write-execute | 35 | memory-deny-write-execute |
35 | noexec ${HOME} | ||
36 | noexec /tmp | ||
diff --git a/etc/gajim.profile b/etc/gajim.profile index 3dd66dc23..bdb40d7e1 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile | |||
@@ -10,10 +10,13 @@ noblacklist ${HOME}/.cache/gajim | |||
10 | noblacklist ${HOME}/.config/gajim | 10 | noblacklist ${HOME}/.config/gajim |
11 | noblacklist ${HOME}/.local/share/gajim | 11 | noblacklist ${HOME}/.local/share/gajim |
12 | 12 | ||
13 | # Allow Python (blacklisted by disable-interpreters.inc) | 13 | # Allow python (blacklisted by disable-interpreters.inc) |
14 | #noblacklist ${PATH}/python2* | ||
14 | noblacklist ${PATH}/python3* | 15 | noblacklist ${PATH}/python3* |
16 | #noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | 17 | noblacklist /usr/lib/python3* |
16 | noblacklist /usr/lib64/python3* | 18 | #noblacklist /usr/local/lib/python2* |
19 | noblacklist /usr/local/lib/python3* | ||
17 | 20 | ||
18 | include disable-common.inc | 21 | include disable-common.inc |
19 | include disable-devel.inc | 22 | include disable-devel.inc |
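Review bot: The hunk replaces `noblacklist /usr/lib64/python3*` (old line 16) with the /usr/local variant, so the lib64 exemption disappears; if disable-interpreters.inc (outside the hunk) blacklists /usr/lib64/python*, gajim will fail to start on lib64 distributions such as Fedora. Confirm whether lib64 is covered by that include; if it is, keep both lines: `noblacklist /usr/lib64/python3*` alongside `noblacklist /usr/local/lib/python3*`. Commenting out the python2 lines is consistent with gajim being python3-only.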
diff --git a/etc/galculator.profile b/etc/galculator.profile index 509d9bd05..92b400572 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile | |||
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/galculator | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
16 | 18 | ||
17 | mkdir ${HOME}/.config/galculator | 19 | mkdir ${HOME}/.config/galculator |
18 | whitelist ${HOME}/.config/galculator | 20 | whitelist ${HOME}/.config/galculator |
@@ -21,6 +23,8 @@ include whitelist-var-common.inc | |||
21 | 23 | ||
22 | apparmor | 24 | apparmor |
23 | caps.drop all | 25 | caps.drop all |
26 | hostname galculator | ||
27 | ipc-namespace | ||
24 | net none | 28 | net none |
25 | nodbus | 29 | nodbus |
26 | nodvd | 30 | nodvd |
@@ -37,7 +41,10 @@ shell none | |||
37 | tracelog | 41 | tracelog |
38 | 42 | ||
39 | private-bin galculator | 43 | private-bin galculator |
44 | private-cache | ||
40 | private-dev | 45 | private-dev |
41 | private-etc alternatives,fonts | 46 | private-etc alternatives,fonts |
42 | private-lib | 47 | private-lib |
43 | private-tmp | 48 | private-tmp |
49 | |||
50 | memory-deny-write-execute | ||
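--- a/etc/gcloud.profile
+++ b/etc/gcloud.profile
@@ -5,12 +5,16 @@ include gcloud.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} will break user-local installs of gcloud tooling
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.boto
 noblacklist ${HOME}/.config/gcloud
 noblacklist /var/run/docker.sock
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-programs.inc
 
 apparmor
@@ -34,8 +38,3 @@ disable-mnt
 private-dev
 private-etc alternatives,ca-certificates,ssl,hosts,localtime,nsswitch.conf,resolv.conf,pki,crypto-policies,ld.so.cache
 private-tmp
-
-noexec /tmp
-
-# will break user-local installs of gcloud tooling
-# noexec ${HOME}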
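Review bot: The removed `noexec /tmp` at old line 38 is only still enforced if `disable-exec.inc`, whose contents are not part of this diff, carries that directive itself; if it does not, this profile silently loses the /tmp restriction, while the ${HOME} one is suppressed on purpose by the new `ignore noexec ${HOME}` on line 9. The same explicit-noexec-to-include swap is made in gconf, gedit, geekbench, ghostwriter, gimp, git, gnome-calculator, gnome-clocks, gnome-keyring, gnome-logs, gnome-maps, gnome-schedule, gnome-system-log, gpicview, gucharmap, gwenview, handbrake, img2txt, inkscape, kate, kcalc, kdenlive, keepassx, keepassxc and kget, so one check of the include's content settles all of them. The `ignore` line is placed before the include, which is the required order because `ignore` only affects directives parsed after it.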
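--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -8,14 +8,17 @@ include globals.local
 
 noblacklist ${HOME}/.config/gconf
 
-# Allow python2 (blacklisted by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 #noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 #noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+#noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +56,3 @@ private-lib libpython*,python2*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp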
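--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.python-history
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-lib /usr/bin/gedit,libtinfo.so.*,libreadline.so.*,gedit,libgspell-1.so.*,gconv,aspell
 private-tmp
 
-noexec ${HOME}
-noexec /tmp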
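--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,7 +47,5 @@ private-opt none
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}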
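--- a/etc/ghostwriter.profile
+++ b/etc/ghostwriter.profile
@@ -12,6 +12,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -53,5 +54,3 @@ private-etc alternatives,cups,crypto-policies,localtime,drirc,fonts,gtk-3.0,dcon
 #private-lib
 private-tmp
 
-noexec ${HOME}
-noexec /tmp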
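--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -6,12 +6,17 @@ include gimp.local
 # Persistent global definitions
 include globals.local
 
+# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
+# if you are not using external plugins, you can disable ignore noexec statement below
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/GIMP
 noblacklist ${HOME}/.gimp*
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -35,8 +40,3 @@ shell none
 
 private-dev
 private-tmp
-
-# gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can enable noexec statement below
-# noexec ${HOME}
-noexec /tmp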
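Review bot: The comment on line 10 tells users to "disable ignore noexec statement below" by editing this file, but the profile header states the file is overwritten after every install/update, so that advice is undone by the next upgrade. Since `gimp.local` (line 5) is parsed before the `ignore` on line 11 and `ignore` only suppresses directives parsed after it, a `noexec ${HOME}` placed in gimp.local should take effect; suggest `# if you are not using external plugins, add "noexec ${HOME}" to gimp.local to restore the restriction`. The comment also names only `${HOME}/.gimp-2.8/plug-ins/`, while line 13 un-blacklists `${HOME}/.config/GIMP` as well, so the plugin location for newer releases presumably lives under that directory and is worth naming too.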
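--- a/etc/git.profile
+++ b/etc/git.profile
@@ -21,6 +21,7 @@ noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -46,5 +47,3 @@ private-cache
 private-dev
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp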
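--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp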
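--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies,machine-id,hosts,pkcs11,localtime,gtk-3.0,dconf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp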
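--- a/etc/gnome-keyring.profile
+++ b/etc/gnome-keyring.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.gnupg
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp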
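--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,8 +47,6 @@ private-tmp
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # comment this if you export logs to a file in your ${HOME}
 read-only ${HOME}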
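--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.local/share/flatpak
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 # private-etc alternatives,fonts,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp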
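--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc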
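--- a/etc/gnome-pie.profile
+++ b/etc/gnome-pie.profile
@@ -16,8 +16,7 @@ include disable-passwdmgr.inc
 
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks dbus
 no3d
 nodvd
 nogroups
@@ -34,7 +33,7 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
 private-tmp
 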
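Review bot: Lines 19-20 drop the `machine-id` spoofing option and line 36 exposes the real `/etc/machine-id` through `private-etc` instead, yet the only explanation given is the `# net none - breaks dbus` comment; if the real id is what dbus needs, record it with a line above the private-etc entry such as `# real machine-id needed for dbus, the spoofed one breaks it`, otherwise the spoof should stay since the real id is a stable host identifier. Removing `net none` reopens network access for an application that previously ran without it, and the hunk shows no `netfilter` or `protocol` change, so confirm that a `protocol unix`-style line elsewhere in the profile still keeps it off the network or add `netfilter`. The same `net none` removal appears in gnome-schedule, gnome-system-log and gucharmap, and gnome-system-log also drops `machine-id` without a replacement visible in its hunks.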
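--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -35,14 +35,17 @@ noblacklist ${PATH}/urxvtcd
 noblacklist ${PATH}/xfce4-terminal
 noblacklist ${PATH}/xfce4-terminal.wrapper
 
-# Allow python (disabled by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -56,7 +59,7 @@ apparmor
 caps.keep chown,dac_override,setgid,setuid
 ipc-namespace
 machine-id
-net none
+#net none - breaks on Ubuntu
 no3d
 nodvd
 nogroups
@@ -73,5 +76,3 @@ private-dev
 # private-etc alternatives
 writable-var
 
-noexec ${HOME}
-noexec /tmp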
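--- a/etc/gnome-system-log.profile
+++ b/etc/gnome-system-log.profile
@@ -10,6 +10,7 @@ noblacklist /var/log
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -22,8 +23,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-machine-id
-net none
+# net none - breaks dbus
 no3d
 # nodbus
 nodvd
@@ -50,8 +50,6 @@ private-tmp
 writable-var-log
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # uncomment this if you never export logs to a file in your ${HOME}
 #read-only ${HOME}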
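--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/gpicview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp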
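--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -20,7 +21,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-net none
+#net none - breaks dbus
 no3d
 nodvd
 nogroups
@@ -35,12 +36,13 @@ seccomp
 shell none
 
 disable-mnt
+private-bin gucharmap
 private-cache
 private-dev
+private-etc alternatives,fonts
+private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 read-only ${HOME}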
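--- a/etc/gunzip.profile
+++ b/etc/gunzip.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include gunzip.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 # Redirect
 include gzip.profile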
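--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,7 @@ noblacklist ${HOME}/.local/share/org.kde.gwenview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-dev
 private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp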
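--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -5,16 +5,24 @@ quiet
 # Persistent local customizations
 include gzip.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 blacklist /tmp/.X11-unix
 
+include disable-exec.inc
+include disable-interpreters.inc
+
 ignore noroot
+
+apparmor
+hostname gzip
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -22,6 +30,9 @@ novideo
 shell none
 tracelog
 
+private-cache
 private-dev
 
+memory-deny-write-execute
+
 include default.profile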
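--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -12,6 +12,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -35,5 +36,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp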
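--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc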
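--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -10,6 +10,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp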
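--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -17,9 +17,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -50,5 +53,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp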
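--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -6,6 +6,8 @@ include kate.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/katemetainfos
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
@@ -16,6 +18,7 @@ noblacklist ${HOME}/.local/share/kate
 
 include disable-common.inc
 # include disable-devel.inc
+include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +48,4 @@ private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
-# noexec ${HOME}
-noexec /tmp
-
 join-or-start kate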
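Review bot: The new `ignore noexec ${HOME}` on line 9 carries no justification, unlike the equivalent lines in gcloud and gimp which say what would break, so a reader cannot tell whether an executable home directory is genuinely required or merely carried over from the old commented-out `noexec ${HOME}`. Add a one-line comment above it, `# ignore noexec ${HOME} - <what kate needs to execute from ${HOME}; to be confirmed>`, with the placeholder filled in; kdenlive gets the same undocumented line on its line 9. Note that this profile also keeps `disable-devel.inc` and `disable-interpreters.inc` commented out (lines 20 and 22), so with an executable ${HOME} it offers little against code run from the home directory; that is pre-existing, but the new line is the natural place to record why that trade-off is accepted.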
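--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -9,6 +9,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 # private-lib - problems on Arch
 private-tmp
 
-noexec ${HOME}
-noexec /tmp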
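--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -6,12 +6,15 @@ include kdenlive.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -33,6 +36,3 @@ shell none
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
-
-# noexec ${HOME}
-noexec /tmp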
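--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -14,6 +14,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,fonts,machine-id
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp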
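--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,6 +16,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,8 +48,6 @@ private-tmp
 
 # 2.2.4 crashes on database open
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # Mutex is stored in /tmp by default, which is broken by private-tmp
 join-or-start keepassxc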
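--- a/etc/kget.profile
+++ b/etc/kget.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/kget
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp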
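--- /dev/null
+++ b/etc/kid3-cli.profile
@@ -0,0 +1,6 @@
+# Firejail profile for kid3-cli
+# This file is overwritten after every install/update
+include kid3-cli.local
+
+# Redirect
+include kid3.profile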
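--- /dev/null
+++ b/etc/kid3-qt.profile
@@ -0,0 +1,8 @@
+# Firejail profile for kid3-qt
+# This file is overwritten after every install/update
+include kid3-qt.local
+
+noblacklist ${HOME}/.config/Kid3
+
+# Redirect
+include kid3.profile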
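--- /dev/null
+++ b/etc/kid3.profile
@@ -0,0 +1,45 @@
+# Firejail profile for kid3
+# Description: Audio Tag Editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kid3.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${MUSIC}
+noblacklist ${HOME}/.config/kid3rc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,,crypto-policies
+private-tmp
+private-opt none
+private-srv none
+
+memory-deny-write-execute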
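Review bot: The `private-etc` line (new line 40 of kid3.profile) contains a doubled comma, `pulse,,crypto-policies`, which produces an empty entry in the list; whether firejail ignores it or rejects the line, the intended spelling is `private-etc alternatives,drirc,fonts,kde5rc,gtk-3.0,dconf,machine-id,ca-certificates,ssl,pki,hostname,hosts,resolv.conf,pulse,crypto-policies`. The list is also unsorted, unlike the alphabetical private-etc lists in kwin_x11 and meld in this commit, which makes such slips and duplicates harder to spot in review. kid3-qt.profile noblacklists `${HOME}/.config/Kid3` while this file noblacklists `${HOME}/.config/kid3rc`; a one-line comment on which path each variant actually writes would help the next maintainer.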
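--- a/etc/klavaro.profile
+++ b/etc/klavaro.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/klavaro
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +52,3 @@ private-opt none
 private-srv none
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp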
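--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -31,6 +31,7 @@ noblacklist /tmp/akonadi-*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -58,5 +59,3 @@ writable-run-user
 private-dev
 # private-tmp - interrupts connection to akonadi, breaks opening of email attachments
 
-noexec ${HOME}
-noexec /tmp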
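--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -6,6 +6,9 @@ include kodi.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} breaks plugins
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.kodi
 noblacklist ${MUSIC}
 noblacklist ${PICTURES}
@@ -16,9 +19,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,7 +46,3 @@ tracelog
 
 private-dev
 private-tmp
-
-# breaks plugins
-#noexec ${HOME}
-noexec /tmp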
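--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde4/share/config/konversationrc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp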
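--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -6,6 +6,9 @@ include krita.local
 # Persistent global definitions
 include globals.local
 
+# noexec ${HOME} may break krita, see issue #1953
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
 noblacklist ${DOCUMENTS}
@@ -16,9 +19,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,7 +51,3 @@ shell none
 private-cache
 private-dev
 private-tmp
-
-# noexec ${HOME} may break krita, see issue #1953
-# noexec ${HOME}
-noexec /tmp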
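--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/ktorrent
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -57,5 +58,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp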
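--- a/etc/kwin_x11.profile
+++ b/etc/kwin_x11.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/kwin
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,6 +40,3 @@ private-bin kwin_x11
 private-dev
 private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
-
-noexec ${HOME}
-noexec /tmp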
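--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -17,6 +17,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,7 +48,5 @@ private-dev
 private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start kwrite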
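--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -19,6 +19,7 @@ noblacklist /usr/share/java
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -49,7 +50,5 @@ tracelog
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
 
 join-or-start libreoffice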
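--- a/etc/liferea.profile
+++ b/etc/liferea.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc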
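--- /dev/null
+++ b/etc/lincity-ng.profile
@@ -0,0 +1,44 @@
+# Firejail profile for lincity-ng
+# Description: City simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lincity-ng.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.lincity-ng
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.lincity-ng
+whitelist ${HOME}/.lincity-ng
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lincity-ng
+private-cache
+private-dev
+private-tmp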
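--- a/etc/lollypop.profile
+++ b/etc/lollypop.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc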
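--- /dev/null
+++ b/etc/lrunzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrunzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrunzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile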
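Review bot: New lines 9 and 10 of lrunzip.profile are two consecutive blank lines between the commented-out `#include globals.local` and the `# Redirect` block, where the other redirect profiles in this commit (kid3-cli, kid3-qt, megaglest_editor) use a single blank line; the same double blank appears in lrz, lrzcat, lrzip, lrztar and lrzuntar. Dropping one of the two lines in each of the six files keeps them consistent with the rest of the tree. It would also help to state why these tools redirect to cpio.profile rather than a dedicated archiver profile, e.g. `# Redirect - lrzip tools share the cpio archiver sandbox`, since the relationship is not obvious from the description line.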
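--- /dev/null
+++ b/etc/lrz.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrz
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrz.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile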
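--- /dev/null
+++ b/etc/lrzcat.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzcat
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzcat.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile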
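--- /dev/null
+++ b/etc/lrzip.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzip
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzip.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile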
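--- /dev/null
+++ b/etc/lrztar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrztar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrztar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile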
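--- /dev/null
+++ b/etc/lrzuntar.profile
@@ -0,0 +1,12 @@
+# Firejail profile for lrzuntar
+# Description: Multi-threaded compression with rzip/lzma, lzo and zpaq
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lrzuntar.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include cpio.profile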
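--- /dev/null
+++ b/etc/lugaru.profile
@@ -0,0 +1,49 @@
+# Firejail profile for lugaru
+# Description: Ninja rabbit fighting game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lugaru.local
+# Persistent global definitions
+include globals.local
+
+# note: crashes after entering
+
+noblacklist ${HOME}/.config/lugaru
+noblacklist ${HOME}/.local/share/lugaru
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lugaru
+mkdir ${HOME}/.local/share/lugaru
+whitelist ${HOME}/.config/lugaru
+whitelist ${HOME}/.local/share/lugaru
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin lugaru
+private-cache
+private-dev
+private-tmp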
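Review bot: The comment on new line 9 of lugaru.profile, `# note: crashes after entering`, is too vague to act on: it does not say what is entered (the game, a level, a menu) or whether a specific directive below is suspected. If a restriction is suspected, naming it there lets a later maintainer test and fix rather than guess, e.g. `# note: crashes after entering <what> - suspect <directive>, see <issue>`; if the cause is unknown, saying so explicitly is still clearer than the current wording. Shipping a profile whose own header records an unexplained crash also deserves a sentence in the commit description.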
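--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc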
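--- /dev/null
+++ b/etc/manaplus.profile
@@ -0,0 +1,48 @@
+# Firejail profile for manaplus
+# Description: 2D MMORPG client for Evol Online and The Mana World
+# This file is overwritten after every install/update
+# Persistent local customizations
+include manaplus.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mana
+noblacklist ${HOME}/.local/share/mana
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mana
+mkdir ${HOME}/.config/mana/mana
+mkdir ${HOME}/.local/share/mana
+whitelist ${HOME}/.config/mana
+whitelist ${HOME}/.local/share/mana
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin manaplus
+private-cache
+private-dev
+private-tmp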
diff --git a/etc/masterpdfeditor.profile b/etc/masterpdfeditor.profile index 3d88b1f82..ce6486115 100644 --- a/etc/masterpdfeditor.profile +++ b/etc/masterpdfeditor.profile | |||
@@ -11,18 +11,18 @@ noblacklist ${HOME}/.masterpdfeditor | |||
11 | 11 | ||
12 | include disable-common.inc | 12 | include disable-common.inc |
13 | include disable-devel.inc | 13 | include disable-devel.inc |
14 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | 15 | include disable-interpreters.inc |
15 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
17 | 18 | ||
18 | include whitelist-var-common.inc | 19 | include whitelist-var-common.inc |
19 | 20 | ||
21 | apparmor | ||
20 | caps.drop all | 22 | caps.drop all |
21 | ipc-namespace | 23 | ipc-namespace |
22 | machine-id | 24 | machine-id |
23 | net none | ||
24 | no3d | 25 | no3d |
25 | nodbus | ||
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | nonewprivs | 28 | nonewprivs |
@@ -36,11 +36,9 @@ seccomp | |||
36 | shell none | 36 | shell none |
37 | tracelog | 37 | tracelog |
38 | 38 | ||
39 | private-bin masterpdfeditor* | 39 | private-bin masterpdfedito* |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,fonts | 42 | private-etc alternatives,fonts |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | noexec ${HOME} | ||
46 | noexec /tmp | ||
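Review bot: The first hunk removes `net none` and `nodbus` from masterpdfeditor.profile without a visible replacement: no `netfilter` or `protocol` line is added in the hunk, so unless the lines between the two hunks already restrict it, a PDF editor now gets network and session-bus access it did not have before, and nothing in the profile says why. A comment such as `# network needed for <feature>; see <issue>` next to the change, plus `netfilter` and a `protocol` line where the feature allows, would keep the sandbox as tight as the apparmor addition suggests is intended. The second hunk widens `private-bin masterpdfeditor*` to `private-bin masterpdfedito*`; which binary name the shorter glob is meant to catch is not stated and a short comment would stop a later cleanup from reverting it.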
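--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -10,6 +10,7 @@ blacklist /tmp/.X11-unix
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-etc alternatives
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp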
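--- /dev/null
+++ b/etc/megaglest.profile
@@ -0,0 +1,44 @@
+# Firejail profile for megaglest
+# Description: 3D multi-player real time strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include megaglest.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.megaglest
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.megaglest
+whitelist ${HOME}/.megaglest
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin megaglest,megaglest_editor,megaglest_g3dviewer
+private-cache
+private-dev
+private-tmp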
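--- /dev/null
+++ b/etc/megaglest_editor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for megaglest
+# This file is overwritten after every install/update
+
+# Redirect
+include megaglest.profile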
diff --git a/etc/meld.profile b/etc/meld.profile index 2b87094fb..395771cf2 100644 --- a/etc/meld.profile +++ b/etc/meld.profile | |||
@@ -8,17 +8,35 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.local/share/meld | 9 | noblacklist ${HOME}/.local/share/meld |
10 | 10 | ||
11 | include disable-common.inc | 11 | # Allow python (blacklisted by disable-interpreters.inc) |
12 | noblacklist ${PATH}/python2* | ||
13 | noblacklist ${PATH}/python3* | ||
14 | noblacklist /usr/lib/python2* | ||
15 | noblacklist /usr/lib/python3* | ||
16 | noblacklist /usr/local/lib/python2* | ||
17 | noblacklist /usr/local/lib/python3* | ||
18 | |||
19 | noblacklist ${HOME}/.gitconfig | ||
20 | noblacklist ${HOME}/.ssh | ||
21 | noblacklist ${HOME}/.subversion | ||
22 | |||
23 | # Uncomment the next line if you don't need to compare files in disable-common.inc. | ||
24 | #include disable-common.inc | ||
12 | include disable-devel.inc | 25 | include disable-devel.inc |
26 | include disable-exec.inc | ||
27 | include disable-interpreters.inc | ||
13 | include disable-passwdmgr.inc | 28 | include disable-passwdmgr.inc |
14 | include disable-programs.inc | 29 | # Uncomment the next line if you don't need to compare files in disable-programs.inc. |
30 | #include disable-programs.inc | ||
15 | 31 | ||
16 | include whitelist-var-common.inc | 32 | include whitelist-var-common.inc |
17 | 33 | ||
34 | apparmor | ||
18 | caps.drop all | 35 | caps.drop all |
19 | net none | 36 | ipc-namespace |
37 | machine-id | ||
38 | netfilter | ||
20 | no3d | 39 | no3d |
21 | nodbus | ||
22 | nodvd | 40 | nodvd |
23 | nogroups | 41 | nogroups |
24 | nonewprivs | 42 | nonewprivs |
@@ -27,14 +45,15 @@ nosound | |||
27 | notv | 45 | notv |
28 | nou2f | 46 | nou2f |
29 | novideo | 47 | novideo |
30 | protocol unix | 48 | protocol unix,inet,inet6 |
31 | seccomp | 49 | seccomp |
32 | shell none | 50 | shell none |
51 | tracelog | ||
33 | 52 | ||
34 | private-bin meld,python* | 53 | private-bin bzr,cvs,git,hg,meld,python*,svn |
35 | private-cache | 54 | private-cache |
36 | private-dev | 55 | private-dev |
56 | # Uncomment the next line if you don't need to compare in /etc. | ||
57 | #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion | ||
37 | private-tmp | 58 | private-tmp |
38 | 59 | ||
39 | noexec ${HOME} | ||
40 | noexec /tmp | ||
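Review bot: The new default in meld.profile ships with `include disable-common.inc` (new line 24) and `include disable-programs.inc` (new line 30) commented out, while the same hunk adds `noblacklist ${HOME}/.ssh`, `netfilter`, `protocol unix,inet,inet6` and puts `bzr`, `cvs`, `git`, `hg` and `svn` into `private-bin`; a stock install therefore leaves `${HOME}/.ssh` and everything those two includes would have blacklisted readable by a network-capable process, which inverts the secure-by-default layout the other profiles in this commit follow. Consider keeping both includes active and documenting the opt-out in meld.local instead, so that users who need to diff those paths widen the sandbox deliberately. At minimum the two toggle comments should name what is meant, e.g. `# Uncomment the next line if you don't need to compare files that disable-common.inc blacklists.`, since "compare files in disable-common.inc" reads as if the include file itself were being compared. The same reasoning applies to the commented `#private-etc` line in the second hunk.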
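--- a/etc/mendeleydesktop.profile
+++ b/etc/mendeleydesktop.profile
@@ -19,6 +19,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc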
diff --git a/etc/minetest.profile b/etc/minetest.profile index aa50847ea..b3e692446 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile | |||
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.minetest | |||
10 | 10 | ||
11 | include disable-common.inc | 11 | include disable-common.inc |
12 | include disable-devel.inc | 12 | include disable-devel.inc |
13 | include disable-exec.inc | ||
13 | include disable-interpreters.inc | 14 | include disable-interpreters.inc |
14 | include disable-passwdmgr.inc | 15 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | include disable-xdg.inc | ||
16 | 18 | ||
17 | mkdir ${HOME}/.minetest | 19 | mkdir ${HOME}/.minetest |
18 | whitelist ${HOME}/.minetest | 20 | whitelist ${HOME}/.minetest |
@@ -33,13 +35,12 @@ novideo | |||
33 | protocol unix,inet,inet6 | 35 | protocol unix,inet,inet6 |
34 | seccomp | 36 | seccomp |
35 | shell none | 37 | shell none |
38 | tracelog | ||
36 | 39 | ||
37 | disable-mnt | 40 | disable-mnt |
38 | private-bin minetest | 41 | private-bin minetest |
42 | private-cache | ||
39 | private-dev | 43 | private-dev |
40 | # private-etc needs to be updated, see #1702 | 44 | # private-etc needs to be updated, see #1702 |
41 | #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id | 45 | #private-etc alternatives,asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id |
42 | private-tmp | 46 | private-tmp |
43 | |||
44 | noexec ${HOME} | ||
45 | noexec /tmp | ||
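--- a/etc/mpDris2.profile
+++ b/etc/mpDris2.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc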
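--- a/etc/mpsyt.profile
+++ b/etc/mpsyt.profile
@@ -24,6 +24,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -57,5 +58,3 @@ private-bin mpsyt,mplayer,mpv,youtube-dl,python*,env,ffmpeg
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp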
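Review bot: The second hunk drops the explicit `noexec ${HOME}` and `noexec /tmp` lines, so this profile's noexec coverage now rests entirely on the `include disable-exec.inc` added in the first hunk; please confirm that include covers at least those two paths, otherwise the migration silently narrows the sandbox. The same replacement is made in musescore, mypaint, nano, netactview, ocenaudio, okular, openshot, patch, pavucontrol, pdfchain, pidgin, pluma and qbittorrent in this commit. Since the include sits among the disable-*.inc lines rather than at the end where the old noexec lines lived, a one-line comment next to it, `# disable-exec.inc supersedes the former noexec ${HOME} / noexec /tmp lines`, would tell someone maintaining a .local override where the noexec set now comes from.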
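--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -21,6 +21,7 @@ noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc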
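--- a/etc/ms-office.profile
+++ b/etc/ms-office.profile
@@ -13,6 +13,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc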
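--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -10,6 +10,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,4 +41,5 @@ private-dev
 private-etc alternatives,fonts
 private-tmp
 
+memory-deny-write-execute
 read-only ${HOME}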
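--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,6 +39,3 @@ tracelog
 
 # private-bin musescore,mscore
 private-tmp
-
-noexec ${HOME}
-noexec /tmp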
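--- a/etc/mypaint.profile
+++ b/etc/mypaint.profile
@@ -15,6 +15,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -44,5 +45,3 @@ private-dev
 private-etc alternatives,fonts,gtk-3.0,dconf
 private-tmp
 
-noexec ${HOME}
-noexec /tmp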
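--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.nanorc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-dev
 private-etc alternatives,nanorc
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp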
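--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,11 +5,13 @@ include natron.local
 # Persistent global definitions
 include globals.local
 
-# Allow access to python
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron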
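--- a/etc/nautilus.profile
+++ b/etc/nautilus.profile
@@ -19,6 +19,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc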
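--- a/etc/nemo.profile
+++ b/etc/nemo.profile
@@ -16,6 +16,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc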
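--- a/etc/netactview.profile
+++ b/etc/netactview.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.netactview
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp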
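--- /dev/null
+++ b/etc/nethack-vultures.profile
@@ -0,0 +1,47 @@
+# Firejail profile for nethack-vultures
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nethack.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist ${HOME}/.vultures
+noblacklist /var/log
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.vultures
+whitelist ${HOME}/.vultures
+whitelist /var/log/vultures
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+noexec ${HOME}
+noexec /tmp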
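Review bot: Line 5 includes `nethack.local` under the "Persistent local customizations" header, while every other new profile in this commit includes its own `<name>.local`; if sharing nethack's overrides is intended, say so (`# Persistent local customizations (shared with nethack.profile)`), otherwise change it to `include nethack-vultures.local`. Lines 31, 32 and 36 leave `nonewprivs`, `noroot` and `seccomp` commented out with no reason recorded, which is the weakest point of this profile; a comment such as `# nonewprivs/noroot/seccomp left off: <reason, to be filled in by author>` would keep a later cleanup from re-enabling or removing them blind. Lines 46–47 also use explicit `noexec ${HOME}` / `noexec /tmp` while the rest of this commit migrates profiles to `include disable-exec.inc`, and lines 8–9 are a doubled blank line.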
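--- a/etc/nitroshare.profile
+++ b/etc/nitroshare.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc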
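--- /dev/null
+++ b/etc/nomacs.profile
@@ -0,0 +1,48 @@
+# Firejail profile for nomacs
+# Description: a fast and small image viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nomacs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/nomacs
+noblacklist ${HOME}/.local/share/nomacs
+noblacklist ${HOME}/.local/share/data/nomacs
+noblacklist ${PICTURES}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+#private-bin nomacs
+private-cache
+private-dev
+private-etc alternatives,hosts,ca-certificates,ssl,pki,crypto-policies,resolv.conf,drirc,fonts,gtk-3.0,dconf,machine-id,login.defs
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp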
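Review bot: Lines 47–48 keep explicit `noexec ${HOME}` / `noexec /tmp` while the rest of this commit replaces those with `include disable-exec.inc`; adding `include disable-exec.inc` after line 15 and dropping the two noexec lines would make this new profile consistent. Line 40 comments out `private-bin nomacs` with no reason recorded, and the profile grants network access (`netfilter`, `protocol unix,inet,inet6,netlink`, plus `hosts`, `resolv.conf` and the CA store in `private-etc`) to an image viewer; if nomacs genuinely needs the network a comment stating what for would help, otherwise `net none` is the tighter default the game profiles in this commit use. `disable-mnt` and `ipc-namespace`, present in the other new profiles here, are also absent.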
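--- a/etc/obs.profile
+++ b/etc/obs.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc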
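--- a/etc/ocenaudio.profile
+++ b/etc/ocenaudio.profile
@@ -12,6 +12,7 @@ noblacklist ${MUSIC}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse
 private-tmp
 
 # memory-deny-write-execute - breaks on Arch
-noexec ${HOME}
-noexec /tmp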
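--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -20,6 +20,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -52,7 +53,5 @@ private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients
 
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 join-or-start okular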
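--- a/etc/onionshare-gui.profile
+++ b/etc/onionshare-gui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/onionshare
 # Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc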
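--- /dev/null
+++ b/etc/opencity.profile
@@ -0,0 +1,44 @@
+# Firejail profile for opencity
+# Description: Full 3D city simulator game project
+# This file is overwritten after every install/update
+# Persistent local customizations
+include opencity.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.opencity
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.opencity
+whitelist ${HOME}/.opencity
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin opencity
+private-cache
+private-dev
+private-tmp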
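--- /dev/null
+++ b/etc/openclonk.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openclonk
+# Description: Multiplayer action, tactics and skill game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openclonk.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.clonk
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.clonk
+whitelist ${HOME}/.clonk
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openclonk,c4group
+private-cache
+private-dev
+private-tmp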
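--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +43,3 @@ shell none
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp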
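--- /dev/null
+++ b/etc/openttd.profile
@@ -0,0 +1,44 @@
+# Firejail profile for openttd
+# Description: Transport system simulation game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openttd.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.openttd
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.openttd
+whitelist ${HOME}/.openttd
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin openttd
+private-cache
+private-dev
+private-tmp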
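--- /dev/null
+++ b/etc/ostrichriders.profile
@@ -0,0 +1,45 @@
+# Firejail profile for ostrichriders
+# Description: Knights flying on ostriches compete against other riders
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ostrichriders.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.ostrichriders
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.ostrichriders
+whitelist ${HOME}/.ostrichriders
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin ostrichriders
+private-cache
+# private-dev should be commented for controllers
+private-dev
+private-tmp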
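--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-xdg.inc
@@ -39,5 +40,3 @@ private-dev
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp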
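--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pavucontrol.ini
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -19,7 +20,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
-ipc-namespace
+#ipc-namespace
 net none
 no3d
 nodbus
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp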
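Review bot: The second hunk turns `ipc-namespace` into `#ipc-namespace` without recording what broke, so the relaxation cannot be revisited later. This commit already uses the convention `# memory-deny-write-execute - breaks on Arch` (ocenaudio.profile) for exactly this situation; the line here should read `#ipc-namespace - <what breaks, to be filled in by author>`.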
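--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -9,6 +9,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-etc alternatives,dconf,fonts,gtk-3.0,xdg
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp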
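--- a/etc/picard.profile
+++ b/etc/picard.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc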
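--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -6,14 +6,24 @@ include pidgin.local
 # Persistent global definitions
 include globals.local
 
+mkdir ${HOME}/.purple
 noblacklist ${HOME}/.purple
+whitelist ${HOME}/.purple
+
+ignore noexec ${RUNUSER}
+ignore noexec /dev/shm
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -24,13 +34,10 @@ notv
 nou2f
 protocol unix,inet,inet6
 seccomp
-shell none
+# shell none
 tracelog
 
-private-bin pidgin
+# private-bin pidgin
 private-cache
 private-dev
 private-tmp
-
-noexec ${HOME}
-noexec /tmp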
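Review bot: The second hunk comments out `shell none` and `private-bin pidgin`, and the first adds `ignore noexec ${RUNUSER}` / `ignore noexec /dev/shm`, with no reason recorded for any of the three loosenings; each deserves a one-line comment in the style this commit uses elsewhere, e.g. `# private-bin pidgin - <what breaks, to be filled in by author>`. The two `ignore` lines are placed before `include disable-exec.inc`, which as far as I know is what makes them apply to the directives that include introduces; a comment such as `# must precede disable-exec.inc` would keep a later reordering from silently re-enabling those noexec mounts.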
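--- /dev/null
+++ b/etc/pioneer.profile
@@ -0,0 +1,44 @@
+# Firejail profile for pioneer
+# Description: A game of lonely space adventure
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pioneer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.pioneer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pioneer
+whitelist ${HOME}/.pioneer
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin pioneer,modelcompiler,savegamedump
+private-cache
+private-dev
+private-tmp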
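--- a/etc/pithos.profile
+++ b/etc/pithos.profile
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc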
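--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc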
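--- a/etc/playonlinux.profile
+++ b/etc/playonlinux.profile
@@ -20,6 +20,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 # Allow perl (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/cpan*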
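--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pluma
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,7 +43,5 @@ private-lib pluma
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 join-or-start pluma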
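--- a/etc/pybitmessage.profile
+++ b/etc/pybitmessage.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc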
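--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -5,7 +5,6 @@ include pycharm-community.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.java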
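--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -16,9 +16,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -59,5 +62,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - problems on Arch, see #1690 on GitHub repo
-noexec ${HOME}
-noexec /tmp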
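--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp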
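--- a/etc/qtox.profile
+++ b/etc/qtox.profile
@@ -10,9 +10,11 @@ noblacklist ${HOME}/.config/tox
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/tox
 whitelist ${DOWNLOADS}
@@ -20,9 +22,11 @@ whitelist ${HOME}/.config/tox
 include whitelist-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -36,9 +40,9 @@ tracelog
 
 disable-mnt
 private-bin qtox
-private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
+private-cache
 private-dev
+private-etc alternatives,fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies,machine-id,pulse
 private-tmp
 
-noexec ${HOME}
-noexec /tmp
+memory-deny-write-execute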
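--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 # with >=llvm-4 mesa drivers need llvm stuff
 noblacklist /usr/lib/llvm*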
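--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -15,6 +15,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 # Allow perl
 # noblacklist ${PATH}/cpan*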
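--- a/etc/redshift.profile
+++ b/etc/redshift.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/redshift.conf
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp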
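--- a/etc/regextester.profile
+++ b/etc/regextester.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-interpreters.inc
 include disable-programs.inc
@@ -45,8 +46,6 @@ private-lib libgranite.so.*
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # never write anything
 read-only ${HOME}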
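--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/rhythmbox
 include disable-common.inc
 include disable-devel.inc
 # rhythmbox is using Python
+include disable-exec.inc
 #include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-bin rhythmbox
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp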
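Review bot: The new `include disable-exec.inc` at line 15 is inserted between the comment `# rhythmbox is using Python` and the `#include disable-interpreters.inc` line that comment explains, so the comment now reads as if it justified disable-exec.inc. Move `include disable-exec.inc` up one line, directly after `include disable-devel.inc`, so the comment stays attached to the commented-out interpreters include it documents.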
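--- /dev/null
+++ b/etc/scorched3d.profile
@@ -0,0 +1,44 @@
+# Firejail profile for scorched3d
+# Description: Game based loosely on the classic DOS game Scorched Earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include scorched3d.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.scorched3d
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.scorched3d
+whitelist ${HOME}/.scorched3d
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin scorched3d,scorched3d-wrapper,scorched3dc,scorched3ds
+private-cache
+private-dev
+private-tmp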
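--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -31,6 +31,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc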
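--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -11,6 +11,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc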
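--- /dev/null
+++ b/etc/seahorse-daemon.profile
@@ -0,0 +1,15 @@
+# Firejail profile for seahorse-daemon
+# Description: PGP encryption and signing
+# This file is overwritten after every install/update
+# Persistent local customizations
+include seahorse-daemon.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+
+memory-deny-write-execute
+
+# Redirect
+include seahorse.profile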
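--- a/etc/seahorse-tool.profile
+++ b/etc/seahorse-tool.profile
@@ -7,22 +7,11 @@ include seahorse-tool.local
 # added by included profile
 #include globals.local
 
-# dconf
-mkdir ${HOME}/.config/dconf
-whitelist ${HOME}/.config/dconf
+noblacklist ${DOWNLOADS}
 
-include disable-xdg.inc
-include whitelist-var-common.inc
-
-apparmor
-ipc-namespace
-
-disable-mnt
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 # Redirect
-include gpg.profile
+include seahorse.profile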
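Review bot: `noblacklist ${DOWNLOADS}` at new line 10 is probably not sufficient on its own, because the profile now redirects to seahorse.profile, which in this commit adds `include whitelist-common.inc`; in a whitelisted home a directory is only visible if it is itself whitelisted, so a matching `whitelist ${DOWNLOADS}` is likely needed unless whitelist-common.inc already covers it (not shown here). If the intent is only to lift the blacklist and rely on the included whitelist set, a comment such as `# ${DOWNLOADS} visibility depends on whitelist-common.inc` would stop the next reader from treating the missing whitelist as an oversight.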
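--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -4,22 +4,57 @@
 # Persistent local customizations
 include seahorse.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 # dconf
-mkdir ${HOME}/.config/dconf
+noblacklist ${HOME}/.config/dconf
 whitelist ${HOME}/.config/dconf
 
+# gpg
+mkdir ${HOME}/.gnupg
+noblacklist ${HOME}/.gnupg
+whitelist ${HOME}/.gnupg
+
 # ssh
+whitelist /etc/ld.so.preload
 noblacklist /etc/ssh
+whitelist /etc/ssh
 noblacklist /tmp/ssh-*
+whitelist /tmp/ssh-*
+mkdir ${HOME}/.ssh
 noblacklist ${HOME}/.ssh
+whitelist ${HOME}/.ssh
 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor
-ipc-namespace
+caps.drop all
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+# shell none - causes gpg to hang
+tracelog
+
+disable-mnt
+private-cache
+private-dev
 
-# Redirect
-include gpg.profile
+writable-run-user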
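Review bot: `ipc-namespace` (old line 22) is replaced by `caps.drop all` at new line 39 and does not reappear anywhere in the new hardening block, so seahorse — and seahorse-tool and seahorse-daemon, which now redirect here and no longer set it themselves — lose IPC-namespace isolation with no reason recorded. If it broke something, document it the way the file already does for `shell none` (`# ipc-namespace - <reason>`); otherwise re-add it directly after `caps.drop all`. Separately, `whitelist /etc/ld.so.preload` at new line 19 sits under the `# ssh` heading but is unrelated to ssh; presumably it supports the `tracelog` added at line 54 (confirm), and a one-line comment saying so would keep it from being removed as a stray entry.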
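--- a/etc/server.profile
+++ b/etc/server.profile
@@ -17,10 +17,11 @@ noblacklist /usr/sbin
 
 include disable-common.inc
 # include disable-devel.inc
+# include disable-exec.inc
 # include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-#include disable-xdg.inc
+# include disable-xdg.inc
 
 caps
 # ipc-namespace
@@ -48,5 +49,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute
-# noexec ${HOME}
-# noexec /tmp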
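--- a/etc/simplescreenrecorder.profile
+++ b/etc/simplescreenrecorder.profile
@@ -10,6 +10,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -17,7 +18,6 @@ include disable-xdg.inc
 
 apparmor
 caps.drop all
-net none
 nodvd
 nogroups
 nonewprivs
@@ -35,5 +35,3 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp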
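Review bot: `net none` at old line 20 is removed and nothing in the hunk replaces it, so the recorder's sandbox gains network access unless a `netfilter` or `net` line exists outside the shown lines; the same widening happens in soundconverter.profile, where `net none` (old line 27) becomes `ipc-namespace` at new line 31. Neither file records why the isolation was dropped. If the programs genuinely need network, add a `netfilter` line with a comment such as `# net none - <feature that needs network>` so the trade-off is visible; otherwise restore `net none`.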
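--- /dev/null
+++ b/etc/slashem.profile
@@ -0,0 +1,47 @@
+# Firejail profile for slashem
+# Description: A rogue-like single player dungeon exploration game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include slashem.local
+# Persistent global definitions
+include globals.local
+
+
+noblacklist /var/games/slashem
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/games/slashem
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+#nonewprivs
+#noroot
+nosound
+notv
+novideo
+#protocol unix,netlink
+#seccomp
+shell none
+
+disable-mnt
+#private
+private-cache
+private-dev
+private-tmp
+writable-var
+
+#memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp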
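Review bot: The new profile leaves `nonewprivs`, `noroot`, `protocol unix,netlink`, `seccomp` and `memory-deny-write-execute` commented out (lines 29, 30, 34, 35, 45) with no reason recorded, unlike scorched3d.profile in the same commit, which enables all of them. The `writable-var` plus the noblacklist/whitelist of `/var/games/slashem` suggest the binary needs extra privileges to write its score files (confirm), in which case `#nonewprivs - <reason>` on each disabled line would make the gap a documented decision rather than an apparent oversight. The profile also keeps `noexec ${HOME}` / `noexec /tmp` at lines 46–47 and omits `include disable-exec.inc`, which the rest of the commit migrates to, and lines 8–9 are a doubled blank line.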
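--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +37,3 @@ private-bin smplayer,smtube,mplayer,mpv
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp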
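--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -13,9 +13,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -23,8 +26,10 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
+ipc-namespace
+machine-id
 no3d
 nodvd
 nogroups
@@ -42,5 +47,3 @@ private-cache
 private-dev
 private-tmp
 
-noexec ${HOME}
-noexec /tmp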
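--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -11,6 +11,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp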
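--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -16,7 +16,6 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
-shell none
 caps.drop all
 netfilter
 no3d
@@ -26,4 +25,6 @@ noroot
 notv
 protocol unix,inet,inet6
 seccomp
+shell none
+
 writable-run-user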
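--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -12,6 +12,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
 include disable-common.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
@@ -36,6 +37,4 @@ private-dev
 # private-tmp # Breaks when exiting
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 writable-run-user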
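--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Standard Notes
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-dev
 private-tmp
 private-etc alternatives,ca-certificates,fonts,host.conf,hostname,hosts,resolv.conf,ssl,pki,crypto-policies,xdg
 
-noexec ${HOME}
-noexec /tmp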
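--- a/etc/start-tor-browser.desktop.profile
+++ b/etc/start-tor-browser.desktop.profile
@@ -1,66 +1,75 @@
 # Firejail profile alias for torbrowser-launcher
 # This file is overwritten after every install/update
-
-
-noblacklist ${HOME}/.tor-browser-ar:
-mkdir ${HOME}/.tor-browser-ar:
-whitelist ${HOME}/.tor-browser-ar:
-
-noblacklist ${HOME}/.tor-browser-en:
-mkdir ${HOME}/.tor-browser-en:
-whitelist ${HOME}/.tor-browser-en:
-
-noblacklist ${HOME}/.tor-browser-en-us:
-mkdir ${HOME}/.tor-browser-en-us:
-whitelist ${HOME}/.tor-browser-en-us:
-
-noblacklist ${HOME}/.tor-browser-es:
-mkdir ${HOME}/.tor-browser-es:
-whitelist ${HOME}/.tor-browser-es:
-
-noblacklist ${HOME}/.tor-browser-es-es:
-mkdir ${HOME}/.tor-browser-es-es:
-whitelist ${HOME}/.tor-browser-es-es:
-
-noblacklist ${HOME}/.tor-browser-fa:
-mkdir ${HOME}/.tor-browser-fa:
-whitelist ${HOME}/.tor-browser-fa:
-
-noblacklist ${HOME}/.tor-browser-fr:
-mkdir ${HOME}/.tor-browser-fr:
-whitelist ${HOME}/.tor-browser-fr:
-
-noblacklist ${HOME}/.tor-browser-it:
-mkdir ${HOME}/.tor-browser-it:
-whitelist ${HOME}/.tor-browser-it:
-
-noblacklist ${HOME}/.tor-browser-ja:
-mkdir ${HOME}/.tor-browser-ja:
-whitelist ${HOME}/.tor-browser-ja:
-
-noblacklist ${HOME}/.tor-browser-ko:
-mkdir ${HOME}/.tor-browser-ko:
-whitelist ${HOME}/.tor-browser-ko:
-
-noblacklist ${HOME}/.tor-browser-pl:
-mkdir ${HOME}/.tor-browser-pl:
-whitelist ${HOME}/.tor-browser-pl:
-
-noblacklist ${HOME}/.tor-browser-pt-br:
-mkdir ${HOME}/.tor-browser-pt-br:
-whitelist ${HOME}/.tor-browser-pt-br:
-
-noblacklist ${HOME}/.tor-browser-ru:
-mkdir ${HOME}/.tor-browser-ru:
-whitelist ${HOME}/.tor-browser-ru:
-
-noblacklist ${HOME}/.tor-browser-vi:
-mkdir ${HOME}/.tor-browser-vi:
-whitelist ${HOME}/.tor-browser-vi:
-
-noblacklist ${HOME}/.tor-browser-zh-cn:
-mkdir ${HOME}/.tor-browser-zh-cn:
-whitelist ${HOME}/.tor-browser-zh-cn:
+# Persistent local customizations
+include start-tor-browser.desktop.local
+
+
+noblacklist ${HOME}/.tor-browser-*
+noblacklist ${HOME}/.tor-browser_*
+
+whitelist ${HOME}/.tor-browser-ar
+whitelist ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-en
+whitelist ${HOME}/.tor-browser-en-us
+whitelist ${HOME}/.tor-browser-es
+whitelist ${HOME}/.tor-browser-es-es
+whitelist ${HOME}/.tor-browser-fa
+whitelist ${HOME}/.tor-browser-fr
+whitelist ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-it
+whitelist ${HOME}/.tor-browser-ja
+whitelist ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ko
+whitelist ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-pl
+whitelist ${HOME}/.tor-browser-pt-br
+whitelist ${HOME}/.tor-browser-ru
+whitelist ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-vi
+whitelist ${HOME}/.tor-browser-zh-cn
+whitelist ${HOME}/.tor-browser-zh-tw
+
+whitelist ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en_US
+whitelist ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-TW
 
 # Redirect
 include torbrowser-launcher.profile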
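Review bot: The rewrite drops the `mkdir ${HOME}/.tor-browser-…` lines the old version paired with every whitelist (old lines 6, 10, 14, …), so on a fresh account the per-locale directory does not exist when the `whitelist` lines at new 10–72 are evaluated; firejail ignores a whitelist whose path is missing, so the first-run profile directory may be created in the sandbox's empty home instead, unless torbrowser-launcher.profile (included at line 75, not shown) creates it. If the included profile is relied on for that, say so in a comment above the list; otherwise restore a `mkdir` for the directory actually used. Note also that new lines 7–8 use globs for `noblacklist` while the whitelists are enumerated per locale, so each new locale needs a new whitelist line — worth a one-line comment so future additions are not missed.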
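--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -5,9 +5,11 @@ include start-tor-browser.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -36,5 +38,3 @@ private-bin bash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp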
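Review bot: `ignore noexec ${HOME}` at new line 8 weakens the sandbox relative to every other profile in this commit and carries no explanation, so a reader has to work out that it cancels the `noexec` that the newly included disable-exec.inc (line 12) presumably sets. Tor Browser is unpacked and run from a directory under ${HOME} (the per-locale `.tor-browser*` whitelists in the companion desktop profile suggest so — confirm), which is the likely reason; record it with a comment above the line such as `# Tor Browser is installed and executed from ${HOME}, so it must stay executable`. Keeping `noexec /tmp` in force, as the removal at old line 40 implies, is the right call and needs no comment.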
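--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -36,6 +36,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc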
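--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 #include globals.local
 
 blacklist /tmp/.X11-unix
+include disable-exec.inc
 
 ignore noroot
 net none
@@ -28,7 +29,5 @@ private-etc alternatives
 private-lib libfakeroot
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
 
 include default.profile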
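--- a/etc/subdownloader.profile
+++ b/etc/subdownloader.profile
@@ -14,9 +14,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +45,3 @@ private-etc alternatives,fonts
 private-tmp
 
 # memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp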
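--- a/etc/supertuxkart.profile
+++ b/etc/supertuxkart.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/supertuxkart
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -51,5 +52,3 @@ private-tmp
 private-opt none
 private-srv none
 
-noexec ${HOME}
-noexec /tmp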
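--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -8,6 +8,7 @@ include globals.local
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 private-tmp
 
 # memory-deny-write-execute - Breaks GUI on Arch
-noexec ${HOME}
-noexec /tmp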
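--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -10,12 +10,20 @@ include tar.local
 
 blacklist /tmp/.X11-unix
 
-hostname tar
+include disable-exec.inc
+include disable-interpreters.inc
+
 ignore noroot
+
+apparmor
+hostname tar
+ipc-namespace
+machine-id
 net none
 no3d
 nodbus
 nodvd
+nogroups
 nosound
 notv
 nou2f
@@ -25,10 +33,13 @@ tracelog
 
 # support compressed archives
 private-bin sh,bash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
+private-cache
 private-dev
 private-etc alternatives,passwd,group,localtime
 private-lib libfakeroot
 
+memory-deny-write-execute
+
 # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic)
 writable-var
 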
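Review bot: The new `include disable-exec.inc` in the first hunk is not matched by any statement about `writable-var`, which the second hunk keeps so that Debian's `dpkg --unpack` works; judging from the `noexec ${HOME}` and `noexec /tmp` lines this commit drops in other profiles, the include replaces those two mounts, so /var is presumably the one writable location in this sandbox that the new noexec does not reach. Since tar's whole job is writing out arbitrary file trees, that gap is worth recording next to the existing Debian comment rather than leaving the reader to infer it, e.g. `# NOTE: /var stays writable and is not covered by the noexec set in disable-exec.inc - verify before relying on it`. The newly added `memory-deny-write-execute` likewise carries no comment, although sibling profiles in this commit annotate it with known distro breakage; a short "tested on <distro>" note would save the next person from re-discovering whether it holds for the `private-bin` set above it.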
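--- /dev/null
+++ b/etc/teeworlds.profile
@@ -0,0 +1,44 @@
+# Firejail profile for teeworlds
+# Description: Online multi-player platform 2D shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include teeworlds.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.teeworlds
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.teeworlds
+whitelist ${HOME}/.teeworlds
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin teeworlds
+private-cache
+private-dev
+private-tmp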
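--- /dev/null
+++ b/etc/tor-browser-ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ca
+
+mkdir ${HOME}/.tor-browser-ca
+whitelist ${HOME}/.tor-browser-ca
+
+# Redirect
+include torbrowser-launcher.profile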
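Review bot: This alias has no `include tor-browser-ca.local` line, so the only persistent customization hook it offers is the shared `torbrowser-launcher.local` pulled in by the redirect target, and the header says the file itself is overwritten on every update. If the project's convention for redirect profiles is to include a per-profile `.local` ahead of the redirect, that line is missing here and in every other `tor-browser-*.profile` and `tor-browser_*.profile` added by this commit. `globals.local` is already covered, since `torbrowser-launcher.profile` includes it. I would add `include tor-browser-ca.local` after the header comments, with the matching name in each sibling file.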
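--- /dev/null
+++ b/etc/tor-browser-cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-cs
+
+mkdir ${HOME}/.tor-browser-cs
+whitelist ${HOME}/.tor-browser-cs
+
+# Redirect
+include torbrowser-launcher.profile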
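--- /dev/null
+++ b/etc/tor-browser-da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-da
+
+mkdir ${HOME}/.tor-browser-da
+whitelist ${HOME}/.tor-browser-da
+
+# Redirect
+include torbrowser-launcher.profile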
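--- /dev/null
+++ b/etc/tor-browser-de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-de
+
+mkdir ${HOME}/.tor-browser-de
+whitelist ${HOME}/.tor-browser-de
+
+# Redirect
+include torbrowser-launcher.profile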
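--- /dev/null
+++ b/etc/tor-browser-el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-el
+
+mkdir ${HOME}/.tor-browser-el
+whitelist ${HOME}/.tor-browser-el
+
+# Redirect
+include torbrowser-launcher.profile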
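--- /dev/null
+++ b/etc/tor-browser-ga-ie.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ga-ie
+
+mkdir ${HOME}/.tor-browser-ga-ie
+whitelist ${HOME}/.tor-browser-ga-ie
+
+# Redirect
+include torbrowser-launcher.profile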
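--- /dev/null
+++ b/etc/tor-browser-he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-he
+
+mkdir ${HOME}/.tor-browser-he
+whitelist ${HOME}/.tor-browser-he
+
+# Redirect
+include torbrowser-launcher.profile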
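--- /dev/null
+++ b/etc/tor-browser-hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-hu
+
+mkdir ${HOME}/.tor-browser-hu
+whitelist ${HOME}/.tor-browser-hu
+
+# Redirect
+include torbrowser-launcher.profile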
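--- /dev/null
+++ b/etc/tor-browser-id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-id
+
+mkdir ${HOME}/.tor-browser-id
+whitelist ${HOME}/.tor-browser-id
+
+# Redirect
+include torbrowser-launcher.profile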
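--- /dev/null
+++ b/etc/tor-browser-is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-is
+
+mkdir ${HOME}/.tor-browser-is
+whitelist ${HOME}/.tor-browser-is
+
+# Redirect
+include torbrowser-launcher.profile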
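--- /dev/null
+++ b/etc/tor-browser-ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-ka
+
+mkdir ${HOME}/.tor-browser-ka
+whitelist ${HOME}/.tor-browser-ka
+
+# Redirect
+include torbrowser-launcher.profile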
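--- /dev/null
+++ b/etc/tor-browser-nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nb
+
+mkdir ${HOME}/.tor-browser-nb
+whitelist ${HOME}/.tor-browser-nb
+
+# Redirect
+include torbrowser-launcher.profile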
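--- /dev/null
+++ b/etc/tor-browser-nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-nl
+
+mkdir ${HOME}/.tor-browser-nl
+whitelist ${HOME}/.tor-browser-nl
+
+# Redirect
+include torbrowser-launcher.profile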
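--- /dev/null
+++ b/etc/tor-browser-sv-se.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-sv-se
+
+mkdir ${HOME}/.tor-browser-sv-se
+whitelist ${HOME}/.tor-browser-sv-se
+
+# Redirect
+include torbrowser-launcher.profile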
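--- /dev/null
+++ b/etc/tor-browser-tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-tr
+
+mkdir ${HOME}/.tor-browser-tr
+whitelist ${HOME}/.tor-browser-tr
+
+# Redirect
+include torbrowser-launcher.profile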
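--- /dev/null
+++ b/etc/tor-browser-zh-tw.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser-zh-tw
+
+mkdir ${HOME}/.tor-browser-zh-tw
+whitelist ${HOME}/.tor-browser-zh-tw
+
+# Redirect
+include torbrowser-launcher.profile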
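--- /dev/null
+++ b/etc/tor-browser_ar.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ar
+
+mkdir ${HOME}/.tor-browser_ar
+whitelist ${HOME}/.tor-browser_ar
+
+# Redirect
+include torbrowser-launcher.profile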
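--- /dev/null
+++ b/etc/tor-browser_ca.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ca
+
+mkdir ${HOME}/.tor-browser_ca
+whitelist ${HOME}/.tor-browser_ca
+
+# Redirect
+include torbrowser-launcher.profile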
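--- /dev/null
+++ b/etc/tor-browser_cs.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_cs
+
+mkdir ${HOME}/.tor-browser_cs
+whitelist ${HOME}/.tor-browser_cs
+
+# Redirect
+include torbrowser-launcher.profile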
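--- /dev/null
+++ b/etc/tor-browser_da.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_da
+
+mkdir ${HOME}/.tor-browser_da
+whitelist ${HOME}/.tor-browser_da
+
+# Redirect
+include torbrowser-launcher.profile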
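--- /dev/null
+++ b/etc/tor-browser_de.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_de
+
+mkdir ${HOME}/.tor-browser_de
+whitelist ${HOME}/.tor-browser_de
+
+# Redirect
+include torbrowser-launcher.profile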
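--- /dev/null
+++ b/etc/tor-browser_el.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_el
+
+mkdir ${HOME}/.tor-browser_el
+whitelist ${HOME}/.tor-browser_el
+
+# Redirect
+include torbrowser-launcher.profile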
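--- /dev/null
+++ b/etc/tor-browser_en-US.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en-US
+
+mkdir ${HOME}/.tor-browser_en-US
+whitelist ${HOME}/.tor-browser_en-US
+
+# Redirect
+include torbrowser-launcher.profile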
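--- /dev/null
+++ b/etc/tor-browser_en.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_en
+
+mkdir ${HOME}/.tor-browser_en
+whitelist ${HOME}/.tor-browser_en
+
+# Redirect
+include torbrowser-launcher.profile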
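--- /dev/null
+++ b/etc/tor-browser_es-ES.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es-ES
+
+mkdir ${HOME}/.tor-browser_es-ES
+whitelist ${HOME}/.tor-browser_es-ES
+
+# Redirect
+include torbrowser-launcher.profile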
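--- /dev/null
+++ b/etc/tor-browser_es.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_es
+
+mkdir ${HOME}/.tor-browser_es
+whitelist ${HOME}/.tor-browser_es
+
+# Redirect
+include torbrowser-launcher.profile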
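--- /dev/null
+++ b/etc/tor-browser_fa.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fa
+
+mkdir ${HOME}/.tor-browser_fa
+whitelist ${HOME}/.tor-browser_fa
+
+# Redirect
+include torbrowser-launcher.profile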
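--- /dev/null
+++ b/etc/tor-browser_fr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_fr
+
+mkdir ${HOME}/.tor-browser_fr
+whitelist ${HOME}/.tor-browser_fr
+
+# Redirect
+include torbrowser-launcher.profile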
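--- /dev/null
+++ b/etc/tor-browser_ga-IE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ga-IE
+
+mkdir ${HOME}/.tor-browser_ga-IE
+whitelist ${HOME}/.tor-browser_ga-IE
+
+# Redirect
+include torbrowser-launcher.profile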
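--- /dev/null
+++ b/etc/tor-browser_he.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_he
+
+mkdir ${HOME}/.tor-browser_he
+whitelist ${HOME}/.tor-browser_he
+
+# Redirect
+include torbrowser-launcher.profile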
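--- /dev/null
+++ b/etc/tor-browser_hu.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_hu
+
+mkdir ${HOME}/.tor-browser_hu
+whitelist ${HOME}/.tor-browser_hu
+
+# Redirect
+include torbrowser-launcher.profile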
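--- /dev/null
+++ b/etc/tor-browser_id.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_id
+
+mkdir ${HOME}/.tor-browser_id
+whitelist ${HOME}/.tor-browser_id
+
+# Redirect
+include torbrowser-launcher.profile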
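--- /dev/null
+++ b/etc/tor-browser_is.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_is
+
+mkdir ${HOME}/.tor-browser_is
+whitelist ${HOME}/.tor-browser_is
+
+# Redirect
+include torbrowser-launcher.profile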
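--- /dev/null
+++ b/etc/tor-browser_it.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_it
+
+mkdir ${HOME}/.tor-browser_it
+whitelist ${HOME}/.tor-browser_it
+
+# Redirect
+include torbrowser-launcher.profile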
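--- /dev/null
+++ b/etc/tor-browser_ja.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ja
+
+mkdir ${HOME}/.tor-browser_ja
+whitelist ${HOME}/.tor-browser_ja
+
+# Redirect
+include torbrowser-launcher.profile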
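--- /dev/null
+++ b/etc/tor-browser_ka.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ka
+
+mkdir ${HOME}/.tor-browser_ka
+whitelist ${HOME}/.tor-browser_ka
+
+# Redirect
+include torbrowser-launcher.profile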
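--- /dev/null
+++ b/etc/tor-browser_ko.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ko
+
+mkdir ${HOME}/.tor-browser_ko
+whitelist ${HOME}/.tor-browser_ko
+
+# Redirect
+include torbrowser-launcher.profile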
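--- /dev/null
+++ b/etc/tor-browser_nb.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nb
+
+mkdir ${HOME}/.tor-browser_nb
+whitelist ${HOME}/.tor-browser_nb
+
+# Redirect
+include torbrowser-launcher.profile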
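--- /dev/null
+++ b/etc/tor-browser_nl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_nl
+
+mkdir ${HOME}/.tor-browser_nl
+whitelist ${HOME}/.tor-browser_nl
+
+# Redirect
+include torbrowser-launcher.profile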
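--- /dev/null
+++ b/etc/tor-browser_pl.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pl
+
+mkdir ${HOME}/.tor-browser_pl
+whitelist ${HOME}/.tor-browser_pl
+
+# Redirect
+include torbrowser-launcher.profile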
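--- /dev/null
+++ b/etc/tor-browser_pt-BR.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_pt-BR
+
+mkdir ${HOME}/.tor-browser_pt-BR
+whitelist ${HOME}/.tor-browser_pt-BR
+
+# Redirect
+include torbrowser-launcher.profile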
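--- /dev/null
+++ b/etc/tor-browser_ru.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_ru
+
+mkdir ${HOME}/.tor-browser_ru
+whitelist ${HOME}/.tor-browser_ru
+
+# Redirect
+include torbrowser-launcher.profile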
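--- /dev/null
+++ b/etc/tor-browser_sv-SE.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_sv-SE
+
+mkdir ${HOME}/.tor-browser_sv-SE
+whitelist ${HOME}/.tor-browser_sv-SE
+
+# Redirect
+include torbrowser-launcher.profile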
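--- /dev/null
+++ b/etc/tor-browser_tr.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_tr
+
+mkdir ${HOME}/.tor-browser_tr
+whitelist ${HOME}/.tor-browser_tr
+
+# Redirect
+include torbrowser-launcher.profile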
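--- /dev/null
+++ b/etc/tor-browser_vi.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_vi
+
+mkdir ${HOME}/.tor-browser_vi
+whitelist ${HOME}/.tor-browser_vi
+
+# Redirect
+include torbrowser-launcher.profile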
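--- /dev/null
+++ b/etc/tor-browser_zh-CN.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-CN
+
+mkdir ${HOME}/.tor-browser_zh-CN
+whitelist ${HOME}/.tor-browser_zh-CN
+
+# Redirect
+include torbrowser-launcher.profile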
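--- /dev/null
+++ b/etc/tor-browser_zh-TW.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for torbrowser-launcher
+# This file is overwritten after every install/update
+
+noblacklist ${HOME}/.tor-browser_zh-TW
+
+mkdir ${HOME}/.tor-browser_zh-TW
+whitelist ${HOME}/.tor-browser_zh-TW
+
+# Redirect
+include torbrowser-launcher.profile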
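--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -6,6 +6,8 @@ include torbrowser-launcher.local
 # Persistent global definitions
 include globals.local
 
+ignore noexec ${HOME}
+
 noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
 
@@ -14,9 +16,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -51,5 +56,3 @@ private-bin bash,cp,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python*,r
 private-dev
 private-etc alternatives,fonts,hostname,hosts,resolv.conf,pki,ssl,ca-certificates,crypto-policies,alsa,asound.conf,pulse,machine-id,ld.so.cache
 private-tmp
-
-noexec /tmp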
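Review bot: The new `ignore noexec ${HOME}` (file line 9, first hunk) carries no comment saying why execution from the whole home directory must stay enabled, whereas the same directive in youtube-dl.profile in this commit is documented (`# breaks when installed via pip`). Because `ignore` apparently cancels the `noexec ${HOME}` that the newly included disable-exec.inc would otherwise apply, it is the one line in this profile that widens the sandbox, and the reader should not have to guess the reason; presumably the launcher unpacks and runs the browser bundle under ${HOME}/.local/share/torbrowser. Suggest `# Tor Browser is downloaded to and executed from ${HOME}/.local/share/torbrowser` above it, wording to be confirmed against the launcher. The same undocumented `ignore noexec ${HOME}` appears in the new warsow.profile and should get a reason there too.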
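--- /dev/null
+++ b/etc/torcs.profile
@@ -0,0 +1,43 @@
+# Firejail profile for torcs
+# Description: The Open Racing Car Simulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include torcs.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.torcs
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.torcs
+whitelist ${HOME}/.torcs
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp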
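--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -13,6 +13,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp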
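--- a/etc/transgui.profile
+++ b/etc/transgui.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transgui
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp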
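--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp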
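--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -41,5 +42,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp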
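--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +48,3 @@ private-tmp
 
 # Causes freeze during opening file dialog in Archlinux, see issue #1855
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp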
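--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -46,5 +47,3 @@ private-dev
 private-tmp
 
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
-noexec ${HOME}
-noexec /tmp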
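--- a/etc/transmission-remote-cli.profile
+++ b/etc/transmission-remote-cli.profile
@@ -7,11 +7,13 @@ include transmission-remote-cli.local
 # added by included profile
 #include globals.local
 
-# Allow python (disabled by disable-interpreters.inc)
+# Allow python (blacklisted by disable-interpreters.inc)
 noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 mkdir ${HOME}/.cache/transmission
 mkdir ${HOME}/.config/transmission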
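--- a/etc/transmission-remote.profile
+++ b/etc/transmission-remote.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -40,5 +41,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp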
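--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/transmission
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -38,5 +39,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp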
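--- /dev/null
+++ b/etc/tremulous.profile
@@ -0,0 +1,44 @@
+# Firejail profile for tremulous
+# Description: First Person Shooter game based on the Quake 3 engine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tremulous.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.tremulous
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tremulous
+whitelist ${HOME}/.tremulous
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tremulous,tremulous-wrapper,tremded
+private-cache
+private-dev
+private-tmp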
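Review bot: `private-bin tremulous,tremulous-wrapper,tremded` (file line 41) lists a wrapper but no shell, so if `tremulous` or `tremulous-wrapper` is a shell script on the target distribution (the name suggests it may be), the interpreter and any utilities the script calls will be missing from the private /bin and the game will not start under the profile. This is inferred from the names only and should be checked against the packaged files; if it is a script, the list needs at least `sh` (or `bash`) added, and a one-line comment naming what the wrapper needs would keep the list maintainable.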
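--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -14,6 +14,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc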
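--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -14,10 +14,12 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+apparmor
 caps.drop all
 net none
 no3d
@@ -38,10 +40,8 @@ tracelog
 private-bin viewnior
 private-cache
 private-dev
-private-etc alternatives,fonts
+private-etc alternatives,fonts,machine-id
 private-tmp
 
 # memory-deny-write-executes breaks on Arch - see issue #1808
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp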
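--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -14,6 +14,7 @@ noblacklist ${VIDEOS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -39,5 +40,3 @@ private-tmp
 
 # mdwe is disabled due to breaking hardware accelerated decoding
 #memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp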
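--- /dev/null
+++ b/etc/vulturesclaw.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vulturesclaw
+whitelist /var/games/vulturesclaw
+
+# Redirect
+include nethack-vultures.profile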
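--- /dev/null
+++ b/etc/vultureseye.profile
@@ -0,0 +1,8 @@
+# Firejail profile alias for nethack-vultures
+# This file is overwritten after every install/update
+
+noblacklist /var/games/vultureseye
+whitelist /var/games/vultureseye
+
+# Redirect
+include nethack-vultures.profile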
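--- /dev/null
+++ b/etc/warsow.profile
@@ -0,0 +1,49 @@
+# Firejail profile for warsow
+# Description: Fast paced 3D first person shooter
+# This file is overwritten after every install/update
+# Persistent local customizations
+include warsow.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/warsow-2.1
+noblacklist ${HOME}/.local/share/warsow-2.1
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/warsow-2.1
+mkdir ${HOME}/.local/share/warsow-2.1
+whitelist ${HOME}/.cache/warsow-2.1
+whitelist ${HOME}/.local/share/warsow-2.1
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin warsow
+private-cache
+private-dev
+private-tmp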
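--- /dev/null
+++ b/etc/widelands.profile
@@ -0,0 +1,44 @@
+# Firejail profile for widelands
+# Description: Open source realtime-strategy game
+# This file is overwritten after every install/update
+# Persistent local customizations
+include widelands.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.widelands
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.widelands
+whitelist ${HOME}/.widelands
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin widelands
+private-cache
+private-dev
+private-tmp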
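--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -18,6 +18,7 @@ noblacklist /usr/share/lua
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -48,5 +49,3 @@ private-dev
 # private-etc alternatives,fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp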
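--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -12,9 +12,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -47,5 +50,3 @@ private-tmp
 
 # xed uses python plugins, memory-deny-write-execute breaks python
 # memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp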
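--- a/etc/xfce4-mixer.profile
+++ b/etc/xfce4-mixer.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -45,5 +46,3 @@ private-etc alternatives,asound.conf,fonts,pulse,machine-id
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp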
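--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,9 +15,12 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +46,3 @@ private-dev
 # private-etc alternatives,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies
 private-tmp
 
-noexec ${HOME}
-noexec /tmp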
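--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -21,6 +21,8 @@ noblacklist ${PATH}/python2*
 noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
+noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
 
 include disable-common.inc
 include disable-devel.inc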
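--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -12,6 +12,7 @@ noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -42,5 +43,3 @@ private-etc alternatives,fonts,ld.so.cache
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp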
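--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -43,5 +44,3 @@ private-lib
 private-tmp
 
 memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp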
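--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -19,8 +19,12 @@ noblacklist /usr/lib/python3*
 noblacklist /usr/local/lib/python2*
 noblacklist /usr/local/lib/python3*
 
+# breaks when installed via pip
+ignore noexec ${HOME}
+
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
@@ -28,10 +32,13 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 ipc-namespace
+machine-id
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -45,8 +52,11 @@ seccomp
 shell none
 tracelog
 
+disable-mnt
+private-bin youtube-dl,python*,ffmpeg
+private-cache
 private-dev
+private-etc alternatives,ssl,pki,ca-certificates,hostname,hosts,resolv.conf,youtube-dl.conf,crypto-policies,mime.types
+private-tmp
 
-# breaks when installed via pip
-#noexec ${HOME}
-noexec /tmp
+# memory-deny-write-execute - breaks on Arch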
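Review bot: `private-bin youtube-dl,python*,ffmpeg` (file line 56, third hunk) likely leaves out `ffprobe`, which youtube-dl's ffmpeg post-processor invokes to detect the audio codec before extracting audio (`-x`); with only `ffmpeg` in the private /bin that mode should fail with a post-processing error inside the sandbox. The fix is a one-word change, `private-bin youtube-dl,python*,ffmpeg,ffprobe`. This is inferred from youtube-dl's post-processor rather than from the profile itself, so it is worth confirming by running an `-x` download under the profile before merging.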
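--- /dev/null
+++ b/etc/zpaq.profile
@@ -0,0 +1,15 @@
+# Firejail profile for zpaq
+# Description: Programmable file compressor, library and utilities. Based on the PAQ compression algorithm.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include zpaq.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# mdwx breaks 'list' functionality
+ignore memory-deny-write-execute
+
+
+# Redirect
+include cpio.profile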
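Review bot: File lines 12-13 are two consecutive blank lines before `# Redirect`; the other redirect profiles in this commit (tor-browser_zh-CN.profile, vulturesclaw.profile, vultureseye.profile) separate the `ignore`/`noblacklist` block from the redirect with a single blank line, so one of the two should be dropped for consistency.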