Diffstat (limited to 'etc')
150 files changed, 895 insertions, 213 deletions
diff --git a/etc/7z.profile b/etc/7z.profile index 5ff02e1c0..b60bb9ee9 100644 --- a/etc/7z.profile +++ b/etc/7z.profile | |||
@@ -7,6 +7,8 @@ include 7z.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
12 | include disable-exec.inc | 14 | include disable-exec.inc |
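Review bot: The new `blacklist ${RUNUSER}/wayland-*` hides the Wayland socket, but the hunk shows no matching `blacklist /tmp/.X11-unix`, and X11 is the socket that would give a compromised archiver keystroke and screen access to every other client. If that line is not already elsewhere in 7z.profile (not visible here), add `blacklist /tmp/.X11-unix` beside the Wayland one, as aria2c.profile and artha.profile do in this same commit. The same question applies to the other command-line profiles that gain only the Wayland line here (ar, atool, bsdtar, checkbashisms, clamav, cpio, dconf).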
diff --git a/etc/allow-common-devel.inc b/etc/allow-common-devel.inc index 1d794462c..63174eda6 100644 --- a/etc/allow-common-devel.inc +++ b/etc/allow-common-devel.inc | |||
@@ -1,17 +1,21 @@ | |||
1 | # Rust | 1 | # This file is overwritten during software install. |
2 | noblacklist ${HOME}/.cargo/config | 2 | # Persistent customizations should go in a .local file. |
3 | noblacklist ${HOME}/.cargo/registry | 3 | include allow-common-devel.local |
4 | 4 | ||
5 | # Git | 5 | # Git |
6 | noblacklist ${HOME}/.config/git | 6 | noblacklist ${HOME}/.config/git |
7 | noblacklist ${HOME}/.gitconfig | 7 | noblacklist ${HOME}/.gitconfig |
8 | noblacklist ${HOME}/.git-credentials | 8 | noblacklist ${HOME}/.git-credentials |
9 | 9 | ||
10 | # Java | ||
11 | noblacklist ${HOME}/.gradle | ||
12 | noblacklist ${HOME}/.java | ||
13 | |||
10 | # Python | 14 | # Python |
11 | noblacklist ${HOME}/.python-history | 15 | noblacklist ${HOME}/.python-history |
12 | noblacklist ${HOME}/.python_history | 16 | noblacklist ${HOME}/.python_history |
13 | noblacklist ${HOME}/.pythonhist | 17 | noblacklist ${HOME}/.pythonhist |
14 | 18 | ||
15 | # Java | 19 | # Rust |
16 | noblacklist ${HOME}/.gradle | 20 | noblacklist ${HOME}/.cargo/config |
17 | noblacklist ${HOME}/.java | 21 | noblacklist ${HOME}/.cargo/registry |
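Review bot: `noblacklist ${HOME}/.git-credentials` re-exposes a plaintext credential store, and nothing in the file tells a profile author that including allow-common-devel.inc hands it to the sandboxed program along with the git config. Since this commit adds a header block anyway, a one-line warning above the Git group would make the trade-off visible, e.g. `# .git-credentials holds plaintext tokens; prefer a credential helper or override this line in allow-common-devel.local`. The `.cargo/config` entry is similar in kind, since I believe cargo config can point at arbitrary runner binaries, so the Rust group deserves the same note.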
diff --git a/etc/allow-gjs.inc b/etc/allow-gjs.inc new file mode 100644 index 000000000..f552ede9d --- /dev/null +++ b/etc/allow-gjs.inc | |||
@@ -0,0 +1,10 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-gjs.local | ||
4 | |||
5 | noblacklist ${PATH}/gjs | ||
6 | noblacklist ${PATH}/gjs-console | ||
7 | noblacklist /usr/lib/gjs | ||
8 | noblacklist /usr/lib64/gjs | ||
9 | noblacklist /usr/lib/libgjs* | ||
10 | noblacklist /usr/lib64/libgjs* | ||
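Review bot: The new file lists `/usr/lib/libgjs*` and `/usr/lib64/libgjs*` but no multiarch path such as `/usr/lib/x86_64-linux-gnu/libgjs*`, so on Debian-style layouts these entries may not match where the library actually lives; that only matters if the blacklist in disable-interpreters.inc covers that path, and its visible hunk does not either, so the two files are at least consistent. It would help to state the purpose in the header, e.g. `# Allow gjs (GNOME JavaScript), blacklisted by disable-interpreters.inc`, matching the wording profiles use when they include allow-*.inc files (atool.profile: `# Allow perl (blacklisted by disable-interpreters.inc)`).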
diff --git a/etc/allow-java.inc b/etc/allow-java.inc index 5204d2dea..24d18fb77 100644 --- a/etc/allow-java.inc +++ b/etc/allow-java.inc | |||
@@ -1,6 +1,9 @@ | |||
1 | noblacklist ${HOME}/.java | 1 | # This file is overwritten during software install. |
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-java.local | ||
2 | 4 | ||
5 | noblacklist ${HOME}/.java | ||
3 | noblacklist ${PATH}/java | 6 | noblacklist ${PATH}/java |
4 | noblacklist /usr/lib/java | ||
5 | noblacklist /etc/java | 7 | noblacklist /etc/java |
8 | noblacklist /usr/lib/java | ||
6 | noblacklist /usr/share/java | 9 | noblacklist /usr/share/java |
diff --git a/etc/allow-lua.inc b/etc/allow-lua.inc index 51d76f9b1..fbdee22ee 100644 --- a/etc/allow-lua.inc +++ b/etc/allow-lua.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-lua.local | ||
4 | |||
1 | noblacklist ${PATH}/lua* | 5 | noblacklist ${PATH}/lua* |
2 | noblacklist /usr/include/lua* | 6 | noblacklist /usr/include/lua* |
3 | noblacklist /usr/lib/lua | 7 | noblacklist /usr/lib/lua |
diff --git a/etc/allow-perl.inc b/etc/allow-perl.inc index d37328936..f44e1e3cc 100644 --- a/etc/allow-perl.inc +++ b/etc/allow-perl.inc | |||
@@ -1,5 +1,9 @@ | |||
1 | noblacklist ${PATH}/cpan* | 1 | # This file is overwritten during software install. |
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-perl.local | ||
4 | |||
2 | noblacklist ${PATH}/core_perl | 5 | noblacklist ${PATH}/core_perl |
6 | noblacklist ${PATH}/cpan* | ||
3 | noblacklist ${PATH}/perl | 7 | noblacklist ${PATH}/perl |
4 | noblacklist ${PATH}/site_perl | 8 | noblacklist ${PATH}/site_perl |
5 | noblacklist ${PATH}/vendor_perl | 9 | noblacklist ${PATH}/vendor_perl |
diff --git a/etc/allow-php.inc b/etc/allow-php.inc new file mode 100644 index 000000000..a0950dc26 --- /dev/null +++ b/etc/allow-php.inc | |||
@@ -0,0 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-php.local | ||
4 | |||
5 | noblacklist ${PATH}/php* | ||
6 | noblacklist /usr/lib/php* | ||
7 | noblacklist /usr/share/php* | ||
diff --git a/etc/allow-python2.inc b/etc/allow-python2.inc index 8ea61648b..b0525e2e1 100644 --- a/etc/allow-python2.inc +++ b/etc/allow-python2.inc | |||
@@ -1,3 +1,7 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-python2.local | ||
4 | |||
1 | noblacklist ${PATH}/python2* | 5 | noblacklist ${PATH}/python2* |
2 | noblacklist /usr/include/python2* | 6 | noblacklist /usr/include/python2* |
3 | noblacklist /usr/lib/python2* | 7 | noblacklist /usr/lib/python2* |
diff --git a/etc/allow-python3.inc b/etc/allow-python3.inc index 91c7ffca4..d968886b0 100644 --- a/etc/allow-python3.inc +++ b/etc/allow-python3.inc | |||
@@ -1,5 +1,10 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-python3.local | ||
4 | |||
1 | noblacklist ${PATH}/python3* | 5 | noblacklist ${PATH}/python3* |
2 | noblacklist /usr/include/python3* | 6 | noblacklist /usr/include/python3* |
3 | noblacklist /usr/lib/python3* | 7 | noblacklist /usr/lib/python3* |
8 | noblacklist /usr/lib64/python3* | ||
4 | noblacklist /usr/local/lib/python3* | 9 | noblacklist /usr/local/lib/python3* |
5 | noblacklist /usr/share/python3* | 10 | noblacklist /usr/share/python3* |
diff --git a/etc/allow-ruby.inc b/etc/allow-ruby.inc index 3165a981a..a8c701219 100644 --- a/etc/allow-ruby.inc +++ b/etc/allow-ruby.inc | |||
@@ -1,2 +1,6 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include allow-ruby.local | ||
4 | |||
1 | noblacklist ${PATH}/ruby | 5 | noblacklist ${PATH}/ruby |
2 | noblacklist /usr/lib/ruby | 6 | noblacklist /usr/lib/ruby |
diff --git a/etc/anki.profile b/etc/anki.profile index c349376ff..a0a79ef48 100644 --- a/etc/anki.profile +++ b/etc/anki.profile | |||
@@ -42,7 +42,8 @@ notv | |||
42 | nou2f | 42 | nou2f |
43 | novideo | 43 | novideo |
44 | protocol unix,inet,inet6 | 44 | protocol unix,inet,inet6 |
45 | seccomp | 45 | # QtWebengine needs chroot to set up its own sandbox |
46 | seccomp !chroot | ||
46 | shell none | 47 | shell none |
47 | tracelog | 48 | tracelog |
48 | 49 | ||
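Review bot: `seccomp !chroot` re-admits a syscall that firejail's default filter blocks, and the comment says only that QtWebEngine needs it, so a reader cannot tell from the hunk whether chroot() is then confined by anything else. If anki.profile still carries `caps.drop all`, `nonewprivs` and `noroot` above this hunk (not visible here), say so in the comment, since chroot(2) needs CAP_SYS_CHROOT and should then only be usable from inside the user namespace QtWebEngine creates for its own sandbox, e.g. `# QtWebengine needs chroot to set up its own sandbox (confined by caps.drop all + nonewprivs)`. I would confirm that reading against the Chromium sandbox documentation before committing it to a comment. digikam.profile receives the identical change in this commit.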
diff --git a/etc/ar.profile b/etc/ar.profile index 6b1fb830c..e28370450 100644 --- a/etc/ar.profile +++ b/etc/ar.profile | |||
@@ -7,6 +7,8 @@ include ar.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
10 | include disable-common.inc | 12 | include disable-common.inc |
11 | include disable-devel.inc | 13 | include disable-devel.inc |
12 | include disable-exec.inc | 14 | include disable-exec.inc |
diff --git a/etc/aria2c.profile b/etc/aria2c.profile index 2fb6dd25f..7819300af 100644 --- a/etc/aria2c.profile +++ b/etc/aria2c.profile | |||
@@ -7,8 +7,11 @@ include aria2c.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.aria2 | 9 | noblacklist ${HOME}/.aria2 |
10 | noblacklist ${HOME}/.config/aria2 | ||
11 | noblacklist ${HOME}/.netrc | ||
10 | 12 | ||
11 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
14 | blacklist ${RUNUSER}/wayland-* | ||
12 | 15 | ||
13 | include disable-common.inc | 16 | include disable-common.inc |
14 | include disable-devel.inc | 17 | include disable-devel.inc |
@@ -37,6 +40,7 @@ seccomp | |||
37 | shell none | 40 | shell none |
38 | 41 | ||
39 | # disable-mnt | 42 | # disable-mnt |
43 | # Add your custom event hook commands to 'private-bin' in your aria2c.local | ||
40 | private-bin aria2c,gzip | 44 | private-bin aria2c,gzip |
41 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) | 45 | # Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772) |
42 | #private-cache | 46 | #private-cache |
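Review bot: `noblacklist ${HOME}/.netrc` exposes every credential in the user's .netrc to aria2c, not just the ones for the hosts it is downloading from, and aria2c parses untrusted remote content and can run user-configured event hooks (the new `private-bin` comment points at those). Unless most users rely on .netrc with aria2c, this belongs in aria2c.local as an opt-in rather than in the shipped profile: keep the line but comment it out, `# noblacklist ${HOME}/.netrc`, with a note that it carries plaintext passwords for all hosts. The `.config/aria2` line is fine and is blacklisted in disable-programs.inc in the same commit.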
diff --git a/etc/artha.profile b/etc/artha.profile index 31f8887c4..aaaede7ee 100644 --- a/etc/artha.profile +++ b/etc/artha.profile | |||
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/artha.log | |||
11 | noblacklist ${HOME}/.config/enchant | 11 | noblacklist ${HOME}/.config/enchant |
12 | 12 | ||
13 | blacklist /tmp/.X11-unix | 13 | blacklist /tmp/.X11-unix |
14 | blacklist ${RUNUSER}/wayland-* | ||
14 | 15 | ||
15 | include disable-common.inc | 16 | include disable-common.inc |
16 | include disable-devel.inc | 17 | include disable-devel.inc |
diff --git a/etc/atool.profile b/etc/atool.profile index fb75c8408..0250451fc 100644 --- a/etc/atool.profile +++ b/etc/atool.profile | |||
@@ -7,6 +7,8 @@ include atool.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
10 | # Allow perl (blacklisted by disable-interpreters.inc) | 12 | # Allow perl (blacklisted by disable-interpreters.inc) |
11 | include allow-perl.inc | 13 | include allow-perl.inc |
12 | 14 | ||
diff --git a/etc/audio-recorder.profile b/etc/audio-recorder.profile index afd1033de..b2ed3b030 100644 --- a/etc/audio-recorder.profile +++ b/etc/audio-recorder.profile | |||
@@ -40,7 +40,6 @@ protocol unix | |||
40 | seccomp | 40 | seccomp |
41 | shell none | 41 | shell none |
42 | tracelog | 42 | tracelog |
43 | x11 none | ||
44 | 43 | ||
45 | disable-mnt | 44 | disable-mnt |
46 | # private-bin audio-recorder | 45 | # private-bin audio-recorder |
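Review bot: Dropping `x11 none` re-exposes the X11 socket without any comment recording why, whereas this tree normally records such weakenings as a commented-out option with a reason (see the `# nodbus -- uses dconf` style in celluloid.profile). If the line was removed because it broke the GTK interface, leaving `# x11 none -- breaks the GUI` (or the actual reason) in place tells the next maintainer not to re-add it and keeps the hardening gap visible. The same silent deletion is made in ddgtk.profile in this commit.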
diff --git a/etc/baobab.profile b/etc/baobab.profile index e8287b448..18c862a4d 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile | |||
@@ -12,6 +12,7 @@ include disable-exec.inc | |||
12 | include disable-interpreters.inc | 12 | include disable-interpreters.inc |
13 | include disable-passwdmgr.inc | 13 | include disable-passwdmgr.inc |
14 | # include disable-programs.inc | 14 | # include disable-programs.inc |
15 | # include disable-xdg.inc | ||
15 | 16 | ||
16 | caps.drop all | 17 | caps.drop all |
17 | net none | 18 | net none |
@@ -32,3 +33,5 @@ shell none | |||
32 | private-bin baobab | 33 | private-bin baobab |
33 | private-dev | 34 | private-dev |
34 | private-tmp | 35 | private-tmp |
36 | |||
37 | read-only ${HOME} | ||
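Review bot: `# include disable-xdg.inc` is added commented out with no reason, while the tree's convention (curl.profile in this same commit) is to say why and how to re-enable it; something like `# include disable-xdg.inc - baobab needs to scan every directory under HOME`, if that is the reason, would document the choice. The new `read-only ${HOME}` is a sensible hardening for a disk-usage viewer, but it also covers anything baobab itself writes under HOME, so confirm it still starts and saves its settings cleanly.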
diff --git a/etc/beaker.profile b/etc/beaker.profile index 21eeac4b3..cc1886a49 100644 --- a/etc/beaker.profile +++ b/etc/beaker.profile | |||
@@ -13,7 +13,6 @@ include disable-interpreters.inc | |||
13 | 13 | ||
14 | mkdir ${HOME}/.config/Beaker Browser | 14 | mkdir ${HOME}/.config/Beaker Browser |
15 | whitelist ${HOME}/.config/Beaker Browser | 15 | whitelist ${HOME}/.config/Beaker Browser |
16 | whitelist ${DOWNLOADS} | ||
17 | include whitelist-common.inc | 16 | include whitelist-common.inc |
18 | 17 | ||
19 | # Redirect | 18 | # Redirect |
diff --git a/etc/bibtex.profile b/etc/bibtex.profile new file mode 100644 index 000000000..e868dcbab --- /dev/null +++ b/etc/bibtex.profile | |||
@@ -0,0 +1,12 @@ | |||
1 | # Firejail profile for bibtex | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include bibtex.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | private-bin bibtex | ||
9 | |||
10 | # Redirect | ||
11 | include latex-common.profile | ||
12 | |||
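Review bot: The new profile has no `# Description:` line, unlike clipgrab.profile added in the same commit, and ends with a trailing blank line after the redirect. Adding `# Description: Bibliography processor for LaTeX` under the first line and dropping the trailing blank keeps the header consistent with the other profiles in the tree. latex-common.profile, which carries the actual restrictions, is not in this page, so the effective sandbox cannot be assessed here.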
diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index 17c67ed26..5ce9b6406 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile | |||
@@ -6,6 +6,8 @@ include bsdtar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | ||
10 | |||
9 | include disable-common.inc | 11 | include disable-common.inc |
10 | # include disable-devel.inc | 12 | # include disable-devel.inc |
11 | include disable-exec.inc | 13 | include disable-exec.inc |
diff --git a/etc/celluloid.profile b/etc/celluloid.profile index ab68c7f13..d099ba11e 100644 --- a/etc/celluloid.profile +++ b/etc/celluloid.profile | |||
@@ -24,12 +24,13 @@ include disable-passwdmgr.inc | |||
24 | include disable-programs.inc | 24 | include disable-programs.inc |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-usr-share-common.inc | ||
27 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
28 | 29 | ||
29 | apparmor | 30 | apparmor |
30 | caps.drop all | 31 | caps.drop all |
31 | netfilter | 32 | netfilter |
32 | # nodbus -- uses dconf | 33 | # nodbus -- uses dconf, MPRIS |
33 | nogroups | 34 | nogroups |
34 | nonewprivs | 35 | nonewprivs |
35 | noroot | 36 | noroot |
@@ -45,3 +46,5 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3 | |||
45 | private-dev | 46 | private-dev |
46 | private-tmp | 47 | private-tmp |
47 | 48 | ||
49 | read-only ${HOME} | ||
50 | read-write ${HOME}/.config/celluloid | ||
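Review bot: `read-only ${HOME}` with only `${HOME}/.config/celluloid` writable also makes the rest of HOME read-only for the embedded mpv, so anything celluloid or mpv writes outside that directory (mpv screenshots default to the working directory, as far as I know, plus any watch-later or cache data it is configured to keep) would now fail; I am inferring those paths, so check where this build actually writes before merging. If screenshots are expected to work, add a `read-write` line for the target directory or note the limitation next to the new lines. The `whitelist-usr-share-common.inc` include and the widened `# nodbus -- uses dconf, MPRIS` comment look fine.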
diff --git a/etc/checkbashisms.profile b/etc/checkbashisms.profile index c66776b9f..e15131dca 100644 --- a/etc/checkbashisms.profile +++ b/etc/checkbashisms.profile | |||
@@ -7,6 +7,8 @@ include checkbashisms.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
10 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
11 | 13 | ||
12 | # Allow perl (blacklisted by disable-interpreters.inc) | 14 | # Allow perl (blacklisted by disable-interpreters.inc) |
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 7b88e417a..c54fb0e19 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile | |||
@@ -37,7 +37,7 @@ notv | |||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | disable-mnt | 39 | disable-mnt |
40 | private-dev | 40 | ?BROWSER_DISABLE_U2F: private-dev |
41 | # private-tmp - problems with multiple browser sessions | 41 | # private-tmp - problems with multiple browser sessions |
42 | 42 | ||
43 | # the file dialog needs to work without d-bus | 43 | # the file dialog needs to work without d-bus |
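Review bot: `?BROWSER_DISABLE_U2F: private-dev` drops the whole private /dev whenever U2F is enabled, which exposes every device node (disks, input devices, video, audio) just to reach `/dev/hidraw*`, and the conditional makes that trade-off silent. At minimum put the reason on the line, e.g. `# private-dev hides /dev/hidraw* (needed for U2F tokens); without it the full /dev is visible`, so that users who flip BROWSER_DISABLE_U2F in globals.local know what they are giving up. Whether a narrower option exists (a private /dev that keeps hidraw) is a firejail question I cannot settle from this hunk, but if it does, it should be preferred here.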
diff --git a/etc/clamav.profile b/etc/clamav.profile index 45e7723eb..51bc58108 100644 --- a/etc/clamav.profile +++ b/etc/clamav.profile | |||
@@ -7,6 +7,8 @@ include clamav.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
10 | include disable-exec.inc | 12 | include disable-exec.inc |
11 | 13 | ||
12 | caps.drop all | 14 | caps.drop all |
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index f07e2039b..24954b2d8 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile | |||
@@ -7,43 +7,16 @@ include claws-mail.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.claws-mail | 9 | noblacklist ${HOME}/.claws-mail |
10 | noblacklist ${HOME}/.gnupg | ||
11 | noblacklist ${HOME}/.signature | ||
12 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your claws-mail.local | ||
13 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | ||
14 | noblacklist ${HOME}/Mail | ||
15 | 10 | ||
16 | include disable-common.inc | 11 | mkdir ${HOME}/.claws-mail |
17 | include disable-devel.inc | 12 | whitelist ${HOME}/.claws-mail |
18 | include disable-interpreters.inc | ||
19 | include disable-passwdmgr.inc | ||
20 | include disable-programs.inc | ||
21 | 13 | ||
22 | whitelist /usr/share/doc/claws-mail | 14 | # If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local) |
23 | whitelist /usr/share/gnupg | 15 | # Allow python (blacklisted by disable-interpreters.inc) |
24 | whitelist /usr/share/gnupg2 | 16 | #include allow-python2.inc |
25 | include whitelist-usr-share-common.inc | 17 | #include allow-python3.inc |
26 | |||
27 | caps.drop all | ||
28 | netfilter | ||
29 | no3d | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix,inet,inet6 | ||
39 | seccomp | ||
40 | shell none | ||
41 | 18 | ||
42 | private-cache | 19 | whitelist /usr/share/doc/claws-mail |
43 | private-dev | ||
44 | private-tmp | ||
45 | 20 | ||
46 | # If you want to read local mail stored in /var/mail, add the following to claws-mail.local: | 21 | # Redirect |
47 | # noblacklist /var/mail | 22 | include email-common.profile |
48 | # noblacklist /var/spool/mail | ||
49 | # writable-var | ||
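Review bot: The rewrite switches claws-mail to `whitelist ${HOME}/.claws-mail` and drops the `${HOME}/.gnupg`, `${HOME}/.signature` and `${HOME}/Mail` entries together with the comment on custom mail paths and the `/var/mail` instructions, so whether PGP, signatures and non-default mailbox locations still work now depends entirely on email-common.profile, which is not in this page. If email-common.profile whitelists `${HOME}/.gnupg`, that exposes private keys to every client that redirects there, and if it does not, signing silently stops working; either way the removed guidance should be carried over, e.g. `# custom mail paths: whitelist them in claws-mail.local (and blacklist them in disable-common.local)`. The `whitelist /usr/share/gnupg` and `/usr/share/gnupg2` lines also vanish here; confirm they moved rather than disappeared.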
diff --git a/etc/clipgrab.profile b/etc/clipgrab.profile new file mode 100644 index 000000000..786d1c866 --- /dev/null +++ b/etc/clipgrab.profile | |||
@@ -0,0 +1,45 @@ | |||
1 | # Firejail profile for clipgrab | ||
2 | # Description: A free video downloader and converter | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include clipgrab.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.config/Philipp Schmieder | ||
10 | noblacklist ${HOME}/.pki | ||
11 | noblacklist ${VIDEOS} | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-passwdmgr.inc | ||
18 | include disable-programs.inc | ||
19 | include disable-xdg.inc | ||
20 | |||
21 | include whitelist-usr-share-common.inc | ||
22 | include whitelist-var-common.inc | ||
23 | |||
24 | apparmor | ||
25 | caps.drop all | ||
26 | machine-id | ||
27 | netfilter | ||
28 | # Breaks tray-icon, uncommend or add to clipgrab.local if you don't need it. | ||
29 | #nodbus | ||
30 | nodvd | ||
31 | nogroups | ||
32 | nonewprivs | ||
33 | noroot | ||
34 | nosound | ||
35 | notv | ||
36 | nou2f | ||
37 | novideo | ||
38 | protocol unix,inet,inet6,netlink | ||
39 | seccomp !chroot | ||
40 | shell none | ||
41 | |||
42 | disable-mnt | ||
43 | private-cache | ||
44 | private-dev | ||
45 | private-tmp | ||
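Review bot: `seccomp !chroot` is added without the explanatory comment the same commit gives anki.profile and digikam.profile; add `# QtWebengine needs chroot to set up its own sandbox` above it, assuming that is the reason for clipgrab too (its Qt nature suggests so, but the hunk does not state it). The `#nodbus` comment has a typo, `uncommend` → `uncomment`, and reads better as `# nodbus breaks the tray icon; uncomment (or add to clipgrab.local) if you do not need it`. `noblacklist ${HOME}/.pki` hands the NSS certificate database to the program, which is normal for a Qt network client but worth a short note so it is not dropped later.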
diff --git a/etc/cmus.profile b/etc/cmus.profile index 7e12a06de..fa1e5d722 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile | |||
@@ -27,4 +27,4 @@ seccomp | |||
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-bin cmus | 29 | private-bin cmus |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl |
diff --git a/etc/cpio.profile b/etc/cpio.profile index 17a765700..1156b7439 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile | |||
@@ -7,6 +7,8 @@ include cpio.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | blacklist ${RUNUSER}/wayland-* | ||
11 | |||
10 | noblacklist /sbin | 12 | noblacklist /sbin |
11 | noblacklist /usr/sbin | 13 | noblacklist /usr/sbin |
12 | 14 | ||
diff --git a/etc/curl.profile b/etc/curl.profile index 2624e5545..3f93e5f7e 100644 --- a/etc/curl.profile +++ b/etc/curl.profile | |||
@@ -9,10 +9,14 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.curlrc | 10 | noblacklist ${HOME}/.curlrc |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
12 | include disable-common.inc | 14 | include disable-common.inc |
13 | include disable-exec.inc | 15 | include disable-exec.inc |
14 | include disable-passwdmgr.inc | 16 | include disable-passwdmgr.inc |
15 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | # depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local | ||
19 | #include disable-xdg.inc | ||
16 | 20 | ||
17 | include whitelist-usr-share-common.inc | 21 | include whitelist-usr-share-common.inc |
18 | 22 | ||
@@ -33,6 +37,7 @@ novideo | |||
33 | protocol inet,inet6 | 37 | protocol inet,inet6 |
34 | seccomp | 38 | seccomp |
35 | shell none | 39 | shell none |
40 | tracelog | ||
36 | 41 | ||
37 | # private-bin curl | 42 | # private-bin curl |
38 | private-cache | 43 | private-cache |
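Review bot: The hunk adds `blacklist /tmp/.X11-unix` but not `blacklist ${RUNUSER}/wayland-*`, while the rest of this commit adds the Wayland line to the other command-line profiles (7z, ar, aria2c, atool, clamav, ...), so curl keeps access to the compositor socket those profiles now hide. Add `blacklist ${RUNUSER}/wayland-*` under the X11 line for consistency. The opt-in `#include disable-xdg.inc` comment is a sensible pattern and matches how the tree documents such choices elsewhere.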
diff --git a/etc/dconf.profile b/etc/dconf.profile index ebb362fb6..2ee573463 100644 --- a/etc/dconf.profile +++ b/etc/dconf.profile | |||
@@ -6,6 +6,8 @@ include dconf.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | ||
10 | |||
9 | include disable-common.inc | 11 | include disable-common.inc |
10 | include disable-devel.inc | 12 | include disable-devel.inc |
11 | include disable-exec.inc | 13 | include disable-exec.inc |
diff --git a/etc/ddgtk.profile b/etc/ddgtk.profile index ef65046e1..3dfc657bc 100644 --- a/etc/ddgtk.profile +++ b/etc/ddgtk.profile | |||
@@ -43,7 +43,6 @@ protocol unix | |||
43 | seccomp | 43 | seccomp |
44 | shell none | 44 | shell none |
45 | tracelog | 45 | tracelog |
46 | x11 none | ||
47 | 46 | ||
48 | disable-mnt | 47 | disable-mnt |
49 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr | 48 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr |
diff --git a/etc/devhelp.profile b/etc/devhelp.profile index 5c1935835..cc9553e73 100644 --- a/etc/devhelp.profile +++ b/etc/devhelp.profile | |||
@@ -16,6 +16,8 @@ include disable-programs.inc | |||
16 | include disable-xdg.inc | 16 | include disable-xdg.inc |
17 | 17 | ||
18 | whitelist /usr/share/devhelp | 18 | whitelist /usr/share/devhelp |
19 | whitelist /usr/share/doc | ||
20 | whitelist /usr/share/gtk-doc/html | ||
19 | include whitelist-common.inc | 21 | include whitelist-common.inc |
20 | include whitelist-usr-share-common.inc | 22 | include whitelist-usr-share-common.inc |
21 | 23 | ||
diff --git a/etc/devilspie.profile b/etc/devilspie.profile index ad891ffaf..b561787d8 100644 --- a/etc/devilspie.profile +++ b/etc/devilspie.profile | |||
@@ -6,6 +6,8 @@ include devilspie.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | blacklist ${RUNUSER}/wayland-* | ||
10 | |||
9 | noblacklist ${HOME}/.devilspie | 11 | noblacklist ${HOME}/.devilspie |
10 | 12 | ||
11 | include disable-common.inc | 13 | include disable-common.inc |
@@ -41,6 +43,7 @@ protocol unix | |||
41 | seccomp | 43 | seccomp |
42 | shell none | 44 | shell none |
43 | tracelog | 45 | tracelog |
46 | x11 none | ||
44 | 47 | ||
45 | disable-mnt | 48 | disable-mnt |
46 | private-bin devilspie | 49 | private-bin devilspie |
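Review bot: `x11 none` removes the X11 socket and unsets DISPLAY, yet devilspie exists to match and manipulate X11 windows (through libwnck, as far as I know), so it is not clear from this hunk how the program still reaches the display. If it works only through the abstract socket, that depends on the profile not having `net none` and deserves a comment; if it does not work, the option breaks the program. Please either confirm a test run with `x11 none` in place or keep only the `blacklist ${RUNUSER}/wayland-*` line the hunk also adds. devilspie2.profile now redirects here, so the question covers both programs.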
diff --git a/etc/devilspie2.profile b/etc/devilspie2.profile index f2bacda9a..9eab3f536 100644 --- a/etc/devilspie2.profile +++ b/etc/devilspie2.profile | |||
@@ -4,55 +4,21 @@ | |||
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include devilspie2.local | 5 | include devilspie2.local |
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | #include globals.local |
8 | |||
9 | blacklist ${HOME}/.devilspie | ||
10 | |||
11 | blacklist ${RUNUSER}/wayland-* | ||
8 | 12 | ||
9 | noblacklist ${HOME}/.config/devilspie2 | 13 | noblacklist ${HOME}/.config/devilspie2 |
10 | 14 | ||
11 | # Allow lua (blacklisted by disable-interpreters.inc) | 15 | # Allow lua (blacklisted by disable-interpreters.inc) |
12 | include allow-lua.inc | 16 | include allow-lua.inc |
13 | 17 | ||
14 | include disable-common.inc | ||
15 | include disable-devel.inc | ||
16 | include disable-exec.inc | ||
17 | include disable-interpreters.inc | ||
18 | include disable-passwdmgr.inc | ||
19 | include disable-programs.inc | ||
20 | include disable-xdg.inc | ||
21 | |||
22 | mkdir ${HOME}/.config/devilspie2 | 18 | mkdir ${HOME}/.config/devilspie2 |
23 | whitelist ${HOME}/.config/devilspie2 | 19 | whitelist ${HOME}/.config/devilspie2 |
24 | include whitelist-common.inc | ||
25 | include whitelist-usr-share-common.inc | ||
26 | include whitelist-var-common.inc | ||
27 | 20 | ||
28 | apparmor | ||
29 | caps.drop all | ||
30 | ipc-namespace | ||
31 | machine-id | ||
32 | net none | ||
33 | no3d | ||
34 | nodbus | ||
35 | nodvd | ||
36 | nogroups | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | nosound | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix | ||
44 | seccomp | ||
45 | shell none | ||
46 | tracelog | ||
47 | |||
48 | disable-mnt | ||
49 | private-bin devilspie2 | 21 | private-bin devilspie2 |
50 | private-cache | ||
51 | private-dev | ||
52 | private-etc alternatives | ||
53 | private-lib gconv | ||
54 | private-tmp | ||
55 | |||
56 | memory-deny-write-execute | ||
57 | 22 | ||
58 | read-only ${HOME} | 23 | # Redirect |
24 | include devilspie.profile | ||
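Review bot: The profile now reduces to `blacklist ${HOME}/.devilspie`, the lua allow, its config whitelist and a redirect to devilspie.profile, so the hardening it previously carried (`net none`, `ipc-namespace`, `memory-deny-write-execute`, `private-lib gconv`, `private-etc alternatives`) is retained only if devilspie.profile provides the same, and that file's full contents are not in this page (its hunk shows `x11 none` and `private-bin devilspie`, nothing about net or mdwx). Check devilspie.profile for those options before merging, and note that its `private-bin devilspie` names a different binary, which only works if firejail merges the two `private-bin` lines as I believe it does. Commenting out `include globals.local` is the usual convention for a redirect, but bibtex.profile and claws-mail.profile in this same commit keep it; pick one convention.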
diff --git a/etc/dig.profile b/etc/dig.profile index af71ff17f..054e4891d 100644 --- a/etc/dig.profile +++ b/etc/dig.profile | |||
@@ -9,6 +9,8 @@ include globals.local | |||
9 | 9 | ||
10 | noblacklist ${HOME}/.digrc | 10 | noblacklist ${HOME}/.digrc |
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | ||
13 | |||
12 | include disable-common.inc | 14 | include disable-common.inc |
13 | # include disable-devel.inc | 15 | # include disable-devel.inc |
14 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -24,7 +26,7 @@ include whitelist-usr-share-common.inc | |||
24 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
25 | 27 | ||
26 | caps.drop all | 28 | caps.drop all |
27 | # ipc-namespace | 29 | ipc-namespace |
28 | machine-id | 30 | machine-id |
29 | netfilter | 31 | netfilter |
30 | no3d | 32 | no3d |
@@ -40,6 +42,7 @@ novideo | |||
40 | protocol unix,inet,inet6 | 42 | protocol unix,inet,inet6 |
41 | seccomp | 43 | seccomp |
42 | shell none | 44 | shell none |
45 | tracelog | ||
43 | 46 | ||
44 | disable-mnt | 47 | disable-mnt |
45 | private | 48 | private |
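Review bot: As in curl.profile, the hunk adds `blacklist /tmp/.X11-unix` but not `blacklist ${RUNUSER}/wayland-*`, which the rest of this commit adds to the other command-line profiles; add the Wayland line for consistency. Enabling `ipc-namespace` and `tracelog` is a straightforward tightening for a DNS client, but `ipc-namespace` covers SysV IPC and POSIX message queues only and does not hide the abstract X11 socket, so the X11 blacklist above remains best-effort for a profile that must keep networking.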
diff --git a/etc/digikam.profile b/etc/digikam.profile index 1b80981f7..e66434444 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile | |||
@@ -32,7 +32,8 @@ nonewprivs | |||
32 | noroot | 32 | noroot |
33 | notv | 33 | notv |
34 | protocol unix,inet,inet6,netlink | 34 | protocol unix,inet,inet6,netlink |
35 | seccomp | 35 | # QtWebengine needs chroot to set up its own sandbox |
36 | seccomp !chroot | ||
36 | shell none | 37 | shell none |
37 | 38 | ||
38 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device | 39 | # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device |
diff --git a/etc/disable-common.inc b/etc/disable-common.inc index f50e10a00..9f351a673 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc | |||
@@ -151,6 +151,11 @@ blacklist /var/lib/systemd | |||
151 | # blacklist /var/run/systemd | 151 | # blacklist /var/run/systemd |
152 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf | 152 | # creates problems on Arch where /etc/resolv.conf is a symlink to /var/run/systemd/resolve/resolv.conf |
153 | 153 | ||
154 | # openrc | ||
155 | blacklist /etc/runlevels/ | ||
156 | blacklist /etc/init.d/ | ||
157 | blacklist /etc/rc.conf | ||
158 | |||
154 | # VirtualBox | 159 | # VirtualBox |
155 | blacklist ${HOME}/.VirtualBox | 160 | blacklist ${HOME}/.VirtualBox |
156 | blacklist ${HOME}/.config/VirtualBox | 161 | blacklist ${HOME}/.config/VirtualBox |
@@ -193,7 +198,7 @@ blacklist /var/lib/mysqld/mysql.sock | |||
193 | blacklist /var/lib/pacman | 198 | blacklist /var/lib/pacman |
194 | blacklist /var/lib/upower | 199 | blacklist /var/lib/upower |
195 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for | 200 | # blacklist /var/log - a virtual /var/log directory (mostly empty) is build up by default for |
196 | # every sandbox, unless --writeble-var-log switch is activated | 201 | # every sandbox, unless --writable-var-log switch is activated |
197 | blacklist /var/mail | 202 | blacklist /var/mail |
198 | blacklist /var/opt | 203 | blacklist /var/opt |
199 | blacklist /var/run/acpid.socket | 204 | blacklist /var/run/acpid.socket |
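Review bot: The new openrc block uses trailing slashes (`/etc/runlevels/`, `/etc/init.d/`) while every other entry in this file is written without one (`/var/lib/systemd`, `/var/lib/pacman`); drop them unless firejail's matcher is known to need them, i.e. `blacklist /etc/runlevels` and `blacklist /etc/init.d`. The block also stops short of openrc's per-service configuration in `/etc/conf.d` and its runtime state under `/run/openrc`; if those are meant to be covered, add them, keeping in mind the `/var/run/systemd` comment just above, which shows why hiding runtime directories can break resolv.conf symlinks. `/etc/init.d` also exists on sysvinit systems, so the hunk hides init scripts there too, which seems fine but is worth a word in the comment.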
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc index 4c4eed25d..ae539e1bc 100644 --- a/etc/disable-interpreters.inc +++ b/etc/disable-interpreters.inc | |||
@@ -2,6 +2,14 @@ | |||
2 | # Persistent customizations should go in a .local file. | 2 | # Persistent customizations should go in a .local file. |
3 | include disable-interpreters.local | 3 | include disable-interpreters.local |
4 | 4 | ||
5 | # gjs | ||
6 | blacklist ${PATH}/gjs | ||
7 | blacklist ${PATH}/gjs-console | ||
8 | blacklist /usr/lib/gjs | ||
9 | blacklist /usr/lib64/gjs | ||
10 | blacklist /usr/lib/libgjs* | ||
11 | blacklist /usr/lib64/libgjs* | ||
12 | |||
5 | # Lua | 13 | # Lua |
6 | blacklist ${PATH}/lua* | 14 | blacklist ${PATH}/lua* |
7 | blacklist /usr/include/lua* | 15 | blacklist /usr/include/lua* |
@@ -47,5 +55,6 @@ blacklist /usr/share/python2* | |||
47 | blacklist ${PATH}/python3* | 55 | blacklist ${PATH}/python3* |
48 | blacklist /usr/include/python3* | 56 | blacklist /usr/include/python3* |
49 | blacklist /usr/lib/python3* | 57 | blacklist /usr/lib/python3* |
58 | blacklist /usr/lib64/python3* | ||
50 | blacklist /usr/local/lib/python3* | 59 | blacklist /usr/local/lib/python3* |
51 | blacklist /usr/share/python3* | 60 | blacklist /usr/share/python3* |
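Review bot: The python3 part gains `blacklist /usr/lib64/python3*`, but the python2 section just above the second hunk gets no `/usr/lib64/python2*` counterpart, so on lib64 layouts python2 modules stay reachable while python3 is hidden; add the matching line here and in allow-python2.inc, or state why python2 is exempt. The gjs block lists `/usr/lib` and `/usr/lib64` but no multiarch directory such as `/usr/lib/x86_64-linux-gnu`, so `libgjs*` likely remains visible on Debian-style layouts, though the `${PATH}/gjs` entries still block the launcher there. allow-gjs.inc in this commit mirrors these paths exactly, so any addition should go to both files.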
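--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -85,6 +85,7 @@ blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
 blacklist ${HOME}/.config/Kid3
+blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mendeley Ltd.
@@ -97,6 +98,7 @@ blacklist ${HOME}/.config/MusicBrainz
 blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PBE
+blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
 blacklist ${HOME}/.config/QMediathekView
 blacklist ${HOME}/.config/Qlipper
@@ -118,6 +120,7 @@ blacklist ${HOME}/.config/akonadi*
 blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/ardour4
 blacklist ${HOME}/.config/ardour5
+blacklist ${HOME}/.config/aria2
 blacklist ${HOME}/.config/arkrc
 blacklist ${HOME}/.config/artha.conf
 blacklist ${HOME}/.config/artha.log
@@ -198,6 +201,7 @@ blacklist ${HOME}/.config/google-chrome-beta
 blacklist ${HOME}/.config/google-chrome-unstable
 blacklist ${HOME}/.config/gpicview
 blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/gummi
 blacklist ${HOME}/.config/gwenviewrc
 blacklist ${HOME}/.config/hexchat
 blacklist ${HOME}/.config/i2p
@@ -290,6 +294,7 @@ blacklist ${HOME}/.config/redshift
 blacklist ${HOME}/.config/redshift.conf
 blacklist ${HOME}/.config/remmina
 blacklist ${HOME}/.config/ristretto
+blacklist ${HOME}/.config/rtv
 blacklist ${HOME}/.config/scribus
 blacklist ${HOME}/.config/scribusrc
 blacklist ${HOME}/.config/sinew.in
@@ -311,6 +316,7 @@ blacklist ${HOME}/.config/tox
 blacklist ${HOME}/.config/transgui
 blacklist ${HOME}/.config/transmission
 blacklist ${HOME}/.config/truecraft
+blacklist ${HOME}/.config/tvbrowser
 blacklist ${HOME}/.config/uGet
 blacklist ${HOME}/.config/uzbl
 blacklist ${HOME}/.config/viewnior
@@ -454,6 +460,7 @@ blacklist ${HOME}/.kde4/share/config/ktorrentrc
 blacklist ${HOME}/.kde4/share/config/okularpartrc
 blacklist ${HOME}/.kde4/share/config/okularrc
 blacklist ${HOME}/.killingfloor
+blacklist ${HOME}/.kingsoft
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
 blacklist ${HOME}/.klatexformula
@@ -470,6 +477,7 @@ blacklist ${HOME}/.local/share/Anki2
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Enpass
 blacklist ${HOME}/.local/share/JetBrains
+blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
@@ -573,6 +581,7 @@ blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
+blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/spotify
@@ -662,6 +671,7 @@ blacklist ${HOME}/.torcs
 blacklist ${HOME}/.tremulous
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
+blacklist ${HOME}/.tvbrowser
 blacklist ${HOME}/.unknown-horizons
 blacklist ${HOME}/.viking
 blacklist ${HOME}/.viking-maps
@@ -737,15 +747,17 @@ blacklist ${HOME}/.cache/freecol
 blacklist ${HOME}/.cache/gajim
 blacklist ${HOME}/.cache/gegl-0.4
 blacklist ${HOME}/.cache/geeqie
+blacklist ${HOME}/.cache/gfeeds
 blacklist ${HOME}/.cache/gimp
+blacklist ${HOME}/.cache/gnome-builder
+blacklist ${HOME}/.cache/gnome-recipes
+blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/godot
 blacklist ${HOME}/.cache/google-chrome
 blacklist ${HOME}/.cache/google-chrome-beta
 blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/gnome-builder
-blacklist ${HOME}/.cache/gnome-recipes
-blacklist ${HOME}/.cache/gnome-twitch
 blacklist ${HOME}/.cache/gradio
+blacklist ${HOME}/.cache/gummi
 blacklist ${HOME}/.cache/icedove
 blacklist ${HOME}/.cache/INRIA/Natron
 blacklist ${HOME}/.cache/inkscape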
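--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -7,6 +7,9 @@ include dnscrypt-proxy.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist /sbin
 noblacklist /usr/sbin
 
@@ -20,10 +23,13 @@ include disable-xdg.inc
 
 whitelist /usr/share/dnscrypt-proxy
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
+apparmor
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot
 ipc-namespace
 machine-id
+netfilter
 no3d
 nodbus
 nodvd
@@ -34,6 +40,8 @@ nou2f
 novideo
 protocol inet,inet6
 seccomp.drop _sysctl,acct,add_key,adjtimex,clock_adjtime,delete_module,fanotify_init,finit_module,get_mempolicy,init_module,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioperm,iopl,kcmp,kexec_file_load,kexec_load,keyctl,lookup_dcookie,mbind,migrate_pages,modify_ldt,mount,move_pages,open_by_handle_at,perf_event_open,perf_event_open,pivot_root,process_vm_readv,process_vm_writev,ptrace,remap_file_pages,request_key,set_mempolicy,swapoff,swapon,sysfs,syslog,umount2,uselib,vmsplice
+shell none
+tracelog
 
 disable-mnt
 private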
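Review bot: `include whitelist-var-common.inc` hides everything under /var except the common allow-list, so any cache, log or state directory dnscrypt-proxy is configured to write under /var would have to be whitelisted again in dnscrypt-proxy.local; if the packaged configuration uses such a directory, it belongs in this profile with a comment. `netfilter` only takes effect, as far as I recall, when the sandbox gets its own network namespace, and nothing in these hunks sets one up, so a comment such as `# netfilter only applies if a net option is added in dnscrypt-proxy.local` would avoid suggesting that inbound traffic to the resolver is filtered. The new `blacklist` pair is placed above the existing `noblacklist /sbin` lines, while elinks, gist and git in this commit put `blacklist ${RUNUSER}/wayland-*` below their noblacklist block.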
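--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -11,6 +11,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc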
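--- a/etc/easystroke.profile
+++ b/etc/easystroke.profile
@@ -16,7 +16,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.easystroke
+whitelist ${HOME}/.easystroke
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -35,6 +39,7 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
 
 disable-mnt
 # breaks custom shell command functionality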
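Review bot: `whitelist ${HOME}/.easystroke` only has an effect if that directory is not blacklisted by disable-programs.inc; if it is, a `noblacklist ${HOME}/.easystroke` is needed above the disable-*.inc includes, which sit outside this hunk, so please confirm the top of the profile carries it. `include whitelist-common.inc` also confines the home directory to the whitelisted paths, and the existing comment `# breaks custom shell command functionality` shows this profile is sensitive to user-launched commands; a note next to the include, e.g. `# with whitelist-common.inc, commands launched by easystroke only see ${HOME}/.easystroke and the whitelist-common defaults`, would save the next person a debugging session.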
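--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.elinks
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc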
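--- /dev/null
+++ b/etc/email-common.profile
@@ -0,0 +1,68 @@
+# Firejail profile for email-common
+# Description: Common profile for claws-mail and sylpheed email clients
+# This file is overwritten after every install/update
+# Persistent local customizations
+include email-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local
+# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
+noblacklist ${HOME}/Mail
+
+noblacklist ${DOCUMENTS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+mkfile ${HOME}/.config/mimeapps.list
+mkdir ${HOME}/.gnupg
+mkfile ${HOME}/.signature
+whitelist ${HOME}/.config/mimeapps.list
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.signature
+# when storing mail outside the default ${HOME}/Mail path, 'whitelist' the custom path in your email-common.local
+whitelist ${HOME}/Mail
+whitelist /usr/share/gnupg
+whitelist /usr/share/gnupg2
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+
+# encrypting and signing email
+read-only ${HOME}/.config/mimeapps.list
+writable-run-user
+
+# If you want to read local mail stored in /var/mail, add the following to email-common.local:
+# whitelist /var/mail
+# whitelist /var/spool/mail
+# writable-var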
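Review bot: The comment `# encrypting and signing email` at line 61 sits above `read-only ${HOME}/.config/mimeapps.list`, which has nothing to do with gpg; the line it explains is `writable-run-user` two lines below (presumably for the gpg-agent socket under the run-user directory), so move the comment directly above that line and give the read-only line its own, e.g. `# keep the shared mime handler list from being rewritten by the mail client`. Next to `whitelist ${HOME}/.gnupg` it is worth stating that the whole keyring, secret keys included, is deliberately exposed read-write because gpg updates it; whitelist entries can only be added from a .local file, not narrowed, so the trade-off should be visible here. The rest of the profile (caps.drop all, seccomp, nonewprivs, private-dev/tmp) is consistent with the other profiles in this commit.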
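--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -6,6 +6,8 @@ include enchant.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${HOME}/.config/enchant
 
 include disable-common.inc
@@ -16,7 +18,11 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/enchant
+whitelist ${HOME}/.config/enchant
+include whitelist-common.inc
 include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all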
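Review bot: The new `blacklist ${RUNUSER}/wayland-*` is inserted before the existing `noblacklist ${HOME}/.config/enchant`, whereas elinks, gist and git in this same commit append it after their noblacklist block (gconf and dnscrypt-proxy follow the enchant order). As far as I recall the profile template lists noblacklist before blacklist, so the elinks placement is the one to keep; either way one order across the commit keeps the profiles greppable. The order has no effect on the resulting sandbox here, since the two directives touch different paths.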
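--- a/etc/ephemeral.profile
+++ b/etc/ephemeral.profile
@@ -55,7 +55,7 @@ tracelog
 
 disable-mnt
 private-cache
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,login.defs,machine-id,mailcap,mime.types,nsswitch.conf,os-release,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp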
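Review bot: `?BROWSER_DISABLE_U2F: private-dev` drops the entire private /dev when the U2F switch is turned off, not just the hidraw/USB nodes a security key needs, so the browser then sees every host device node; firefox-common.profile gets the same line in this commit. A comment above it, e.g. `# with browser-disable-u2f set to no in firejail.config the whole host /dev stays visible, not only the U2F devices`, keeps that trade-off visible to whoever flips the config switch. If the profile also carries `nou2f` outside this hunk, the two should be kept in sync, since that line would hide the devices again regardless of the switch.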
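--- /dev/null
+++ b/etc/et.profile
@@ -0,0 +1,11 @@
+# Firejail profile for et
+# Description: WPS Office - Spreadsheets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile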
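--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -17,6 +17,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker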
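--- a/etc/exfalso.profile
+++ b/etc/exfalso.profile
@@ -31,6 +31,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
 machine-id
 netfilter
 no3d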
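--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,6 +6,8 @@ include exiftool.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 # Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 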
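--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -40,8 +40,10 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 
 disable-mnt
+private-cache
 private-dev
 private-tmp
 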
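Review bot: `private-cache` mounts a fresh temporary directory over ${HOME}/.cache, so if feedreader keeps its article or image cache there (the top of the profile, outside this hunk, would show a noblacklist/whitelist for it), that cache now vanishes at every sandbox exit and is re-downloaded each session. That is acceptable for a feed reader but worth stating in a comment such as `# private-cache: the feed cache is discarded when the sandbox exits`, or dropping the line if the cache directory is whitelisted earlier in the profile.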
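--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -47,7 +47,7 @@ tracelog
 private-bin ffmpeg
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,hosts,pkcs11,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pkcs11,pki,resolv.conf,ssl
 private-tmp
 
 # memory-deny-write-execute - it breaks old versions of ffmpeg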
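--- a/etc/file.profile
+++ b/etc/file.profile
@@ -7,6 +7,8 @@ include file.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc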
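--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -52,7 +52,7 @@ shell none
 #tracelog
 
 disable-mnt
-private-dev
+?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
-#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp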
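--- /dev/null
+++ b/etc/firefox-x11.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for firefox-x11
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-x11.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include firefox.profile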
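--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -14,7 +14,10 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
+whitelist /usr/share/doc
+whitelist /usr/share/gtk-doc/html
 whitelist /usr/share/mozilla
+whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
 
 # firefox requires a shell to launch on Arch.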
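--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -62,9 +62,9 @@
 # root user can always join sandboxes.
 # join yes
 
-# Timeout when joining a sandbox, default five seconds. Wait up to
-# the specified period of time to allow sandbox setup to finish.
-# It is not possible to join a sandbox while it is still starting up.
+# Timeout when joining a sandbox, default five seconds. It is not
+# possible to join a sandbox while it is still starting up. Wait up
+# to the specified period of time to allow sandbox setup to finish.
 # join-timeout 5
 
 # Enable or disable sandbox name change, default enabled.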
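--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -9,6 +9,10 @@ include globals.local
 noblacklist ${HOME}/.config/FreeCAD
 noblacklist ${DOCUMENTS}
 
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -33,7 +37,7 @@ protocol unix
 seccomp
 shell none
 
-private-bin freecad,freecadcmd
+private-bin freecad,freecadcmd,python*
 private-cache
 private-dev
 private-tmp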
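Review bot: `private-bin freecad,freecadcmd,python*` together with `include allow-python2.inc` and `include allow-python3.inc` re-admits every python binary into the sandbox, which widens what a macro or document-embedded script can execute; disable-exec.inc and seccomp remain in place, so this is a deliberate trade-off rather than a hole, but nothing in the hunk says why both interpreter generations are needed. A comment such as `# FreeCAD macros and workbenches are python; python2 kept for older builds — TODO confirm` above the includes would let a maintainer drop the python2 include once no supported build requires it. The `python*` glob also pulls in any helper binaries with that prefix, which is fine but worth the same comment.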
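--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -9,7 +9,8 @@ include gconf-editor.local
 
 blacklist /tmp/.X11-unix
 
-ignore net none
+whitelist /usr/share/gconf-editor
+
 ignore x11 none
 
 # Redirect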
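Review bot: Replacing `ignore net none` with `whitelist /usr/share/gconf-editor` silently changes the network policy: the removed line was overriding a `net none` in the profile included after `# Redirect` (outside the hunk), so gconf-editor now loses network access in the same change that adds the whitelist. That is probably intended, but it is a behaviour change unrelated to the whitelist and deserves a line in the commit message or a comment such as `# network is dropped by the redirected profile; gconf-editor does not need it`. The whitelist only takes effect if the redirected-to profile includes whitelist-usr-share-common.inc; please confirm it does.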
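--- a/etc/gconf.profile
+++ b/etc/gconf.profile
@@ -6,6 +6,8 @@ include gconf.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${HOME}/.config/gconf
 
 # Allow python (blacklisted by disable-interpreters.inc)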
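--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -42,6 +42,7 @@ tracelog
 
 # private-bin gedit
 private-dev
-private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
+# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them.
+#private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
 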
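--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -43,7 +43,7 @@ private-bin bash,geekbenc*,sh
 private-cache
 private-dev
 private-etc alternatives,group,lsb-release,passwd
-private-lib libstdc++.so.*
+private-lib gcc/*/*/libstdc++.so.*
 private-opt none
 private-tmp
 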
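Review bot: `private-lib gcc/*/*/libstdc++.so.*` replaces the plain `libstdc++.so.*` instead of adding to it, so the profile now only matches a layout where libstdc++ lives under a gcc/<triplet>/<version>/ subdirectory; on distributions that install it directly in the library directory the old pattern was the one that matched. Unless private-lib is known to resolve both forms (I cannot tell from here), keep both entries: `private-lib gcc/*/*/libstdc++.so.*,libstdc++.so.*`. A comment naming which distribution needed the nested path would help the next person who touches this line.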
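--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -6,6 +6,7 @@ include gfeeds.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/gfeeds
 noblacklist ${HOME}/.cache/org.gabmus.gfeeds
 noblacklist ${HOME}/.config/org.gabmus.gfeeds.json
 
@@ -20,8 +21,10 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/gfeeds
 mkdir ${HOME}/.cache/org.gabmus.gfeeds
 mkfile ${HOME}/.config/org.gabmus.gfeeds.json
+whitelist ${HOME}/.cache/gfeeds
 whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds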
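--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -21,6 +21,7 @@ noblacklist ${PICTURES}
 
 include disable-common.inc
 include disable-exec.inc
+include disable-devel.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
@@ -44,7 +45,7 @@ nosound
 notv
 nou2f
 protocol unix
-seccomp
+seccomp !mbind
 shell none
 tracelog
 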
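Review bot: `seccomp !mbind` re-allows a syscall the default filter blocks and nothing in the hunk says why; a comment above it such as `# mbind is needed by <component that calls it> — TODO confirm` keeps the exemption auditable, since every syscall removed from the filter is one more a compromised image parser can reach (gegl-0.4 appears in this commit's blacklists, but I cannot tell from here whether it is the caller). In the first hunk, `include disable-devel.inc` is inserted after disable-exec.inc, whereas every other profile in this commit lists the disable-*.inc files alphabetically (common, devel, exec, …); moving it one line up keeps the ordering consistent.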
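--- a/etc/gist.profile
+++ b/etc/gist.profile
@@ -8,6 +8,7 @@ include gist.local
 include globals.local
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.gist
 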
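--- a/etc/git.profile
+++ b/etc/git.profile
@@ -20,6 +20,7 @@ noblacklist ${HOME}/.vim
 noblacklist ${HOME}/.viminfo
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-exec.inc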
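--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.cache/org.gnome.Books
 noblacklist ${HOME}/.config/libreoffice
 noblacklist ${HOME}/.local/share/gnome-photos
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc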
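--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -10,6 +10,9 @@ include globals.local
 noblacklist ${HOME}/.cache/org.gnome.Books
 noblacklist ${DOCUMENTS}
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc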
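--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -6,6 +6,9 @@ include gnome-characters.local
 # Persistent global definitions
 include globals.local
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc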
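--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -11,6 +11,9 @@ include globals.local
 noblacklist ${HOME}/.config/libreoffice
 noblacklist ${DOCUMENTS}
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc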
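--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -13,6 +13,9 @@ noblacklist ${HOME}/.cache/org.gnome.Maps
 noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/maps-places.json
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc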
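--- /dev/null
+++ b/etc/gnome-passwordsafe.profile
@@ -0,0 +1,56 @@
+# Firejail profile for gnome-passwordsafe
+# Description: Password manager for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-passwordsafe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/*.kdb
+noblacklist ${HOME}/*.kdbx
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/wayland-?
+whitelist ${RUNUSER}/gdm/Xauthority
+
+whitelist /usr/share/cracklib
+whitelist /usr/share/passwordsafe
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gnome-passwordsafe,python3*
+private-cache
+private-dev
+private-etc dconf,fonts,gtk-3.0,passwd
+private-tmp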
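Review bot: New lines 10–11, `noblacklist ${HOME}/*.kdb` and `noblacklist ${HOME}/*.kdbx`, carry no comment saying which include blacklists them, while the python line right below follows the `(blacklisted by …)` convention used throughout this commit; add `# Database files (blacklisted by disable-passwdmgr.inc)` above them if that is indeed the source, since a reader otherwise cannot tell why a password manager includes disable-passwdmgr.inc at all. `whitelist ${RUNUSER}/wayland-?` on new line 25 matches only single-character suffixes (wayland-0 … wayland-9), whereas every other profile in this commit addresses the same socket with `wayland-*`; confirm the narrower glob is intended and document it if so.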
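--- a/etc/gnome-sound-recorder.profile
+++ b/etc/gnome-sound-recorder.profile
@@ -10,6 +10,9 @@ noblacklist ${MUSIC}
 noblacklist ${HOME}/.local/share/flatpak
 noblacklist ${HOME}/.local/share/Trash
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc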
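--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -10,6 +10,9 @@ include globals.local
 
 noblacklist ${HOME}/.cache/libgweather
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc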
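--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${HOME}/.gnupg
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc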
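Review bot: With the X11 socket already blacklisted and the Wayland socket now blacklisted too, a graphical pinentry spawned by gpg-agent has no display it can reach from inside the sandbox; that consequence is worth stating next to the new line, e.g. `# No display sockets inside the sandbox: a GUI pinentry will fail, use pinentry-curses or pinentry-tty`. The identical addition in gpg.profile would take the same comment. Whether the profile already pins a terminal pinentry elsewhere is not visible in this hunk.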
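--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -10,6 +10,7 @@ include globals.local
 noblacklist ${HOME}/.gnupg
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc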
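--- a/etc/gtk-update-icon-cache.profile
+++ b/etc/gtk-update-icon-cache.profile
@@ -7,6 +7,8 @@ include gtk-update-icon-cache.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc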
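Review bot: The new `blacklist ${RUNUSER}/wayland-*` line cuts off the Wayland display socket, but no matching `blacklist /tmp/.X11-unix` or `x11 none` is visible in this hunk, unlike gpg.profile, links.profile and the other profiles in this commit that blacklist both sockets together. If the rest of gtk-update-icon-cache.profile has neither, the X11 socket — the one with no client isolation — stays reachable while only Wayland is blocked; the same question applies to the identical additions in gzip, hashcat, highlight, img2txt, less, mediainfo, mp3splt, nano, ncdu, odt2txt, pandoc, patch, pngquant and shellcheck (pdftotext already carries `x11 none`). Where the X11 socket is intentionally left open, a one-line comment on the new line saying so would stop the next reviewer from asking again.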
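--- /dev/null
+++ b/etc/gummi.profile
@@ -0,0 +1,19 @@
+# Firejail profile for gummi
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gummi.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/gummi
+noblacklist ${HOME}/.config/gummi
+
+include allow-lua.inc
+include allow-perl.inc
+include allow-python3.inc
+
+private-bin dvipdf,dvips,env,gummi,latex,latexmk,lua*,lualatex,luatex,pdflatex,pdftex,perl,ps2pdf,python3*,rubber,synctex,tex,xelatex,xetex
+
+# Redirect
+include latex-common.profile
+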
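Review bot: The three `include allow-*.inc` lines on new lines 11–13 lack the explanatory comment every other allow block in this commit carries (`# Allow python (blacklisted by disable-interpreters.inc)` in gnome-passwordsafe.profile and rtv.profile); add `# Allow lua, perl and python (blacklisted by disable-interpreters.inc)` above them. These lines also have to stay above the `include latex-common.profile` redirect, because the noblacklist entries they contain must be seen before the disable-interpreters.inc that latex-common pulls in; a short comment on the redirect saying so would keep a future reordering from silently breaking the interpreters.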
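--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -7,6 +7,8 @@ include gzip.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 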
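--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -7,6 +7,8 @@ include hashcat.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${HOME}/.hashcat
 noblacklist /usr/include
 noblacklist ${DOCUMENTS}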
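--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.config/hexchat
 whitelist ${HOME}/.config/hexchat
@@ -26,14 +27,13 @@ include whitelist-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
-machine-id
+#machine-id -- breaks sound
 netfilter
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-nosound
 notv
 nou2f
 novideo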
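Review bot: `#machine-id -- breaks sound` switches off the machine-id replacement, so the host's stable /etc/machine-id becomes visible inside the sandbox — a persistent identifier that a network-facing IRC client did not have before; the comment should record that trade-off and what needs it, e.g. `# machine-id -- breaks sound (presumably the audio daemon wants the real /etc/machine-id); exposes the host identifier to the sandbox`. Together with the removal of `nosound` in the same hunk, two restrictions are lifted for one feature, which is reasonable but deserves one line of rationale rather than a terse tag.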
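--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -6,6 +6,8 @@ include highlight.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc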
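--- a/etc/i2prouter.profile
+++ b/etc/i2prouter.profile
@@ -6,19 +6,19 @@ include i2prouter.local
 # Persistent global definitions
 include globals.local
 
-# Notice: default browser will not be able to automatically open, due to sandbox.
+# Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
-# This profile will not currently work with any Arch User Repository i2p packages,
-# use the distro-independent official java installer instead
+# This profile will not currently work with any Arch User Repository I2P packages,
+# use the distro-independent official I2P java installer instead
 
-# Only needed if i2prouter binary is in home directory, java installer does this
+# Only needed if i2prouter binary is in home directory, official I2P java installer does this
 ignore noexec ${HOME}
 
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 noblacklist /usr/sbin
 
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,13 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official ppa package does this
+# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
 whitelist /usr/sbin/wrapper*
 
 include whitelist-common.inc
 
-# May break I2P if wrapper is placed in the home directory
-# If using ubuntu official ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
@@ -67,5 +67,5 @@ shell none
 disable-mnt
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,i2p,java-8-openjdk,pki,ssl
+private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
 private-tmp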
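Review bot: `ignore noexec ${HOME}` stays unconditional even though the rewritten comment on new line 14 now states it is only needed when i2prouter is installed into the home directory; users of the ubuntu ppa or a distribution package get an executable home for no benefit. Consider commenting it out and pointing those users to i2prouter.local, the opt-in pattern this file already uses for `#apparmor` a few lines later. In the third hunk, the `private-etc` list spells out java-8 through java-13-openjdk individually and will need editing on every JDK release; a comment above it such as `# java-*-openjdk entries must track the JDK versions shipped by supported distributions` would tell the next maintainer why the list is long.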
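--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -5,6 +5,8 @@ include img2txt.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
 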
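--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -34,7 +34,7 @@ nosound
 notv
 nou2f
 novideo
-protocol unix,inet,inet6
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 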
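Review bot: `protocol unix,inet,inet6,netlink` adds a socket family to a password-manager profile without a comment saying what needs it; netlink is not an obvious requirement for KeePass, and a later cleanup would reasonably try to remove it again. State the reason on the line above, e.g. `# netlink: needed by the runtime for network interface enumeration — confirm`, replacing the parenthetical with whatever actually broke. The rest of keepass.profile is outside this hunk.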
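--- /dev/null
+++ b/etc/latex-common.profile
@@ -0,0 +1,39 @@
+# Firejail profile for latex-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+whitelist /var/lib
+include whitelist-var-common.inc
+
+caps.drop all
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp
+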
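Review bot: `whitelist /var/lib` on new line 16 exposes all of /var/lib — package databases, application state, system daemons' data — to every profile that redirects here (latex, pdflatex and gummi in this commit), when TeX presumably needs only its own font and format cache subtree. If that subtree is all that is required, a narrower entry such as `whitelist /var/lib/texmf` (verify the path on the supported distributions) limits what a document processed with shell escape enabled could read; with `caps.drop all` and `noroot` the exposure is read-only in effect, so this is an information-disclosure rather than an integrity concern. A comment on the line saying which TeX component needs /var/lib would help either way.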
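--- /dev/null
+++ b/etc/latex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for latex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include latex.local
+# Persistent global definitions
+include globals.local
+
+private-bin latex
+
+# Redirect
+include latex-common.profile
+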
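--- a/etc/less.profile
+++ b/etc/less.profile
@@ -7,6 +7,8 @@ include less.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${HOME}/.lesshst
 
 include disable-devel.inc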
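--- a/etc/links.profile
+++ b/etc/links.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.links
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc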
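--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -7,6 +7,7 @@ include lynx.local
 include globals.local
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc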
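--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -6,6 +6,8 @@ include mediainfo.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc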
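--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -22,8 +22,8 @@ noblacklist ${HOME}/.ssh
 noblacklist ${HOME}/.subversion
 
 # Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
+# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
+#include allow-python3.inc
 
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
 #include disable-common.inc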
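Review bot: As rendered, new lines 25–26 replace both include lines with a comment and `#include allow-python3.inc`, so `include allow-python2.inc` disappears entirely while the line the comment tells users to uncomment is the python 3 one; the comment and the line below it contradict each other, and meld is left with no python interpreter allowed once disable-interpreters.inc applies. The intended state is presumably `#include allow-python2.inc` followed by an active `include allow-python3.inc`, i.e. three new lines instead of two. Please verify against the committed file; if the 8→8 line count in the hunk header is accurate, the profile is broken as committed.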
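--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -9,6 +9,7 @@ include globals.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
 
+noblacklist ${HOME}/.cache/midori
 noblacklist ${HOME}/.config/midori
 noblacklist ${HOME}/.local/share/midori
 # noblacklist ${HOME}/.local/share/webkit
@@ -16,11 +17,17 @@ noblacklist ${HOME}/.local/share/midori
 noblacklist ${HOME}/.pki
 noblacklist ${HOME}/.local/share/pki
 
+noblacklist ${HOME}/.cache/gnome-mplayer
+noblacklist ${HOME}/.config/gnome-mplayer
+noblacklist ${HOME}/.lastpass
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
+#include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
 mkdir ${HOME}/.cache/midori
 mkdir ${HOME}/.config/midori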
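Review bot: The new `noblacklist ${HOME}/.lastpass` together with `#include disable-passwdmgr.inc` left commented out gives the browser sandbox access to password-manager data, the very class of file disable-passwdmgr.inc exists to hide, and neither line says why. If this is for a LastPass browser extension, state it in a comment and consider making it opt-in the way `?BROWSER_ALLOW_DRM:` is already used at the top of this hunk, so users without the extension keep the protection; the gnome-mplayer noblacklists on new lines 20–21 also deserve a one-line reason since they are not midori paths. The first hunk's `noblacklist ${HOME}/.cache/midori` matches the `mkdir ${HOME}/.cache/midori` below it and looks correct.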
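--- a/etc/mp3splt.profile
+++ b/etc/mp3splt.profile
@@ -6,6 +6,8 @@ include mp3splt.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${MUSIC}
 
 include disable-common.inc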
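--- /dev/null
+++ b/etc/multimc.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for multimc5
+# This file is overwritten after every install/update
+
+# Redirect
+include multimc5.profile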
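--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -33,7 +33,8 @@ noroot
 notv
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 tracelog
 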
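--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -32,6 +32,7 @@ noblacklist ${HOME}/postponed
 noblacklist ${HOME}/sent
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc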
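--- a/etc/nano.profile
+++ b/etc/nano.profile
@@ -7,6 +7,8 @@ include nano.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${HOME}/.config/nano
 noblacklist ${HOME}/.nanorc
 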
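--- a/etc/ncdu.profile
+++ b/etc/ncdu.profile
@@ -6,6 +6,8 @@ include ncdu.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-exec.inc
 
 caps.drop all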
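--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -6,6 +6,8 @@ include odt2txt.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc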
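--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -7,6 +7,8 @@ include pandoc.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc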
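--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -7,6 +7,8 @@ include patch.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc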
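--- /dev/null
+++ b/etc/pdflatex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for pdflatex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pdflatex.local
+# Persistent global definitions
+include globals.local
+
+private-bin pdflatex
+
+# Redirect
+include latex-common.profile
+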
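--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -6,6 +6,8 @@ include pdftotext.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc
@@ -22,6 +24,7 @@ include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
 machine-id
 net none
 no3d
@@ -41,6 +44,7 @@ tracelog
 x11 none
 
 private-bin pdftotext
+private-cache
 private-dev
 private-etc alternatives
 private-tmp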
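--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -7,6 +7,8 @@ include pngquant.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc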
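--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -6,6 +6,8 @@ include polari.local
 # Persistent global definitions
 include globals.local
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
 
 include disable-common.inc
 include disable-devel.inc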
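--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -36,10 +36,10 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 shell none
 
 disable-mnt
 private-dev
 private-tmp
-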
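--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -19,7 +19,8 @@ nonewprivs
 noroot
 notv
 protocol unix,inet,inet6
-seccomp
+# QtWebengine needs chroot to set up its own sandbox
+seccomp !chroot
 
 private-cache
 private-tmp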
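--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -13,6 +13,7 @@ include globals.local
 # Usage: firejail --profile=rsync-download_only rsync
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc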
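--- /dev/null
+++ b/etc/rtv.profile
@@ -0,0 +1,56 @@
+# Firejail profile for rtv
+# Description: Browse Reddit from your terminal
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtv.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+noblacklist ${HOME}/.config/rtv
+noblacklist ${HOME}/.local/share/rtv
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/rtv
+mkdir ${HOME}/.local/share/rtv
+whitelist ${HOME}/.config/rtv
+whitelist ${HOME}/.local/share/rtv
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin python*,rtv,sh,xdg-settings
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg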
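Review bot: New line 16 adds `include allow-python2.inc` to a brand-new profile, while the meld.profile change in this same commit retires Python 2 as EOL (see #3164) and makes it opt-in; a new profile should follow that newer convention and ship with only `include allow-python3.inc` active, leaving python 2 to rtv.local for users who still need it. `private-bin python*,rtv,sh,xdg-settings` on new line 53 likewise admits every python binary, where `python3*` as used in gnome-passwordsafe.profile in this commit is the tighter match. The profile whitelists rtv's own directories without `include whitelist-common.inc`, unlike hexchat.profile in this commit — presumably intentional for a terminal client, but a comment would say so.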
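--- a/etc/server.profile
+++ b/etc/server.profile
@@ -14,6 +14,7 @@ noblacklist /usr/sbin
 # noblacklist /var/opt
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 # include disable-devel.inc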
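--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -7,6 +7,8 @@ include shellcheck.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${DOCUMENTS}
 
 include disable-common.inc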
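Review bot: The new `blacklist ${RUNUSER}/wayland-*` on line 10 hides the Wayland socket, but nothing in this hunk's context blacklists `/tmp/.X11-unix` the way server.profile, signal-cli.profile and ssh-agent.profile do in this same commit, so under X11 the display server may stay reachable unless an `x11 none` elsewhere in the file (not visible here) covers it. The same pattern applies to the strings, tar, unf, unrar, unzip, uudeview and spectre-meltdown-checker hunks. If the intent is to cut these CLI tools off from the display entirely, pairing the two lines, `blacklist /tmp/.X11-unix`, keeps the profiles consistent; if X11 is deliberately left open, a one-line comment saying why would stop the next reader from adding it.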
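--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -29,6 +29,7 @@ nou2f
 protocol unix
 seccomp
 shell none
+tracelog
 
 #private-bin melt,nice,qmelt,shotcut
 private-cache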
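--- a/etc/signal-cli.profile
+++ b/etc/signal-cli.profile
@@ -7,6 +7,7 @@ include signal-cli.local
 include globals.local
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 noblacklist ${HOME}/.local/share/signal-cli
 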
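--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -6,6 +6,8 @@ include spectre-meltdown-checker.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 noblacklist ${PATH}/mount
 noblacklist ${PATH}/umount
 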
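--- a/etc/ssh-agent.profile
+++ b/etc/ssh-agent.profile
@@ -11,6 +11,7 @@ noblacklist /tmp/ssh-*
 noblacklist ${HOME}/.ssh
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-passwdmgr.inc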
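--- a/etc/standardnotes-desktop.profile
+++ b/etc/standardnotes-desktop.profile
@@ -39,5 +39,5 @@ seccomp !chroot
 disable-mnt
 private-dev
 private-tmp
-private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,pki,resolv.conf,ssl,xdg
+private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg
 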
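--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -36,5 +36,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,getconf,gpg,grep,gxmessage,id,kdialog,ln,mkdir,pwd,readlink,realpath,rm,sed,sh,tail,test,update-desktop-database,xmessage,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp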
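Review bot: Adding `ld.so.conf`, `ld.so.conf.d` and `ld.so.preload` to `private-etc` on line 39 makes the host's dynamic-loader configuration, including any system-wide preload list, visible inside the sandbox, and nothing in the profile says which distribution layout or launcher step needs them; the same addition is made in torbrowser-launcher.profile. If a specific failure motivated it, a comment above the line such as `# ld.so.conf(.d) and ld.so.preload are needed for <reason> (placeholder)` keeps the next maintainer from trimming them again. Note that standardnotes-desktop.profile in this commit gains only `ld.so.cache`, so the profiles now diverge on what the loader is expected to need.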
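--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -7,6 +7,8 @@ include strings.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc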
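--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -4,17 +4,14 @@
 # Persistent local customizations
 include sylpheed.local
 # Persistent global definitions
-# added by included profile
-#include globals.local
+include globals.local
 
 noblacklist ${HOME}/.sylpheed-2.0
-# when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your sylpheed.local
-# and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications
 
-blacklist ${HOME}/.claws-mail
+mkdir ${HOME}/.sylpheed-2.0
+whitelist ${HOME}/.sylpheed-2.0
 
-nowhitelist /usr/share/doc/claws-mail
 whitelist /usr/share/sylpheed
 
 # Redirect
-include claws-mail.profile
+include email-common.profile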
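Review bot: The two removed guidance lines about mail stored outside `${HOME}/Mail` (old lines 11-12) were the only place telling users that a custom mailbox path must be `noblacklist`ed in sylpheed.local and `blacklist`ed in disable-common.local; now that the profile whitelists `${HOME}/.sylpheed-2.0` and redirects to email-common.profile, a custom path would additionally need a `whitelist` line, so that guidance has become more important rather than obsolete. Whether email-common.profile (not visible here) already whitelists `${HOME}/Mail` cannot be checked from this hunk. Suggest restoring the comment in updated form next to the new whitelist lines, e.g. `# When storing mail outside ${HOME}/Mail, 'noblacklist' and 'whitelist' the custom path in your sylpheed.local`.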
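--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -7,6 +7,8 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 # Arch Linux (based distributions) need access to /var/lib/pacman. As we drop all capabilities this is automatically read-only.
 noblacklist /var/lib/pacman
 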
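--- a/etc/teams-for-linux.profile
+++ b/etc/teams-for-linux.profile
@@ -1,37 +1,27 @@
 # Firejail profile for teams-for-linux
-# Description: Teams for Linux is an Electron application for Microsoft's team collaboration and chat program
+# Description: Unofficial Microsoft Teams client for Linux using Electron.
 # This file is overwritten after every install/update
 # Persistent local customizations
 include teams-for-linux.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
+
+ignore nodbus
 
 noblacklist ${HOME}/.config/teams-for-linux
 
-include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 
 mkdir ${HOME}/.config/teams-for-linux
 whitelist ${HOME}/.config/teams-for-linux
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
 disable-mnt
@@ -40,3 +30,6 @@ private-cache
 private-dev
 private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
 private-tmp
+
+# Redirect
+include electron.profile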
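Review bot: `ignore nodbus` on line 10 is added without a comment saying which feature needs D-Bus, and because the `caps.drop all`/`seccomp`/`netfilter`/`protocol` lines and `whitelist ${DOWNLOADS}` are removed in the same hunk, the profile's isolation now rests entirely on electron.profile, which is not visible in this diff. If electron.profile does not whitelist `${DOWNLOADS}`, saving attachments silently breaks; if it does not set `nodbus`, the ignore is dead weight. A one-line comment above it, `# D-Bus is needed for <feature> (placeholder)`, would record the trade-off; the same applies to whalebird.profile in this commit.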
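--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -42,6 +42,7 @@
 # ${HOME} (user's home)
 # ${PATH} (contents of PATH envvar)
 # ${MUSIC}
+# ${RUNUSER} (/run/user/UID)
 # ${VIDEOS}
 #
 # Check contents of ~/.config/user-dirs.dirs to see how they translate to actual paths.
@@ -59,6 +60,8 @@ include globals.local
 ##blacklist PATH
 # Disable X11 (CLI only), see also 'x11 none' below
 #blacklist /tmp/.X11-unix
+# Disable Wayland
+#blacklist ${RUNUSER}/wayland-*
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -90,6 +93,9 @@ include globals.local
 # Allow ruby (blacklisted by disable-interpreters.inc)
 #include allow-ruby.inc
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+#include allow-gjs.inc
+
 # Allows files commonly used by IDEs
 #include allow-common-devel.inc
 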
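--- /dev/null
+++ b/etc/tex.profile
@@ -0,0 +1,12 @@
+# Firejail profile for tex
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tex.local
+# Persistent global definitions
+include globals.local
+
+private-bin tex
+
+# Redirect
+include latex-common.profile
+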
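Review bot: tex.profile omits the `# Description:` header line that the other new profiles in this commit (tvbrowser.profile, wpp.profile) carry, and the file ends with an extra empty line 12 after the redirect. Suggest adding `# Description: TeX typesetter` under line 1 and dropping the trailing blank line so the file matches the template layout.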
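--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -6,13 +6,16 @@ include thunderbird.local
 # Persistent global definitions
 include globals.local
 
-# Users have thunderbird set to open a browser by clicking a link in an email
-# We are not allowed to blacklist browser-specific directories
+# writable-run-user and dbus are needed by enigmail
+ignore nodbus
+writable-run-user
 
-noblacklist ${HOME}/.cache/thunderbird
-noblacklist ${HOME}/.gnupg
-# noblacklist ${HOME}/.icedove
-noblacklist ${HOME}/.thunderbird
+# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
+#noblacklist /var/mail
+#noblacklist /var/spool/mail
+#whitelist /var/mail
+#whitelist /var/spool/mail
+#writable-var
 
 # Uncomment the next 4 lines or put them in your thunderbird.local to
 # allow Firefox to load your profile when clicking a link in an email
@@ -21,6 +24,14 @@ noblacklist ${HOME}/.thunderbird
 #whitelist ${HOME}/.cache/mozilla/firefox
 #whitelist ${HOME}/.mozilla
 
+noblacklist ${HOME}/.cache/thunderbird
+noblacklist ${HOME}/.gnupg
+# noblacklist ${HOME}/.icedove
+noblacklist ${HOME}/.thunderbird
+
+include disable-passwdmgr.inc
+include disable-xdg.inc
+
 # If you have setup Thunderbird to archive emails to a local folder,
 # make sure you add the path to that folder to the mkdir and whitelist
 # rules below. Otherwise they will be deleted when you close Thunderbird.
@@ -34,23 +45,19 @@ whitelist ${HOME}/.gnupg
 # whitelist ${HOME}/.icedove
 whitelist ${HOME}/.thunderbird
 
-#whitelist /usr/share/mozilla
-#include whitelist-usr-share-common.inc
+whitelist /usr/share/gnupg
+whitelist /usr/share/mozilla
+whitelist /usr/share/webext
+include whitelist-usr-share-common.inc
+
+# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
+#machine-id
+novideo
 
 # We need the real /tmp for data exchange when xdg-open handles email attachments on KDE
 ignore private-tmp
-# machine-id breaks audio in browsers; enable or put it in your thunderbird.local when sound is not required
-# machine-id
-read-only ${HOME}/.config/mimeapps.list
-# writable-run-user and dbus are needed by enigmail
-writable-run-user
-ignore nodbus
 
-# If you want to read local mail stored in /var/mail, add the following to thunderbird.local:
-# noblacklist /var/mail
-# noblacklist /var/spool/mail
-# writable-var
+read-only ${HOME}/.config/mimeapps.list
 
-# allow browsers
 # Redirect
 include firefox-common.profile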
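Review bot: The relocated `ignore nodbus`/`writable-run-user` pair (new lines 10-11) keeps D-Bus and `/run/user` reachable for every user in order to serve enigmail, and the comment names the consumer but not how a user without enigmail opts back out. Whether a later `nodbus` in thunderbird.local can override a profile-level `ignore` is not determinable from this diff, so while the lines are being moved the comment is the place to state the supported way to keep D-Bus isolation, e.g. `# writable-run-user and dbus are needed by enigmail; without enigmail, <how to restore nodbus> (placeholder)`. The hint block on new lines 13-18 now suggests `#writable-var`, which makes all of /var writable to read a mailbox; if a narrower option exists it belongs in that hint instead.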
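--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -50,5 +50,5 @@ shell none
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
 private-dev
-private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
 private-tmp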
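--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -9,6 +9,7 @@ include globals.local
 # Tracker is started by systemd on most systems. Therefore it is not firejailed by default
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc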
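--- a/etc/transmission-common.profile
+++ b/etc/transmission-common.profile
@@ -3,6 +3,9 @@
 # This file is overwritten after every install/update
 # Persistent local customizations
 include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
 
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
@@ -40,6 +43,7 @@ seccomp
 shell none
 tracelog
 
+private-cache
 private-dev
 private-lib
 private-tmp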
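--- a/etc/transmission-daemon.profile
+++ b/etc/transmission-daemon.profile
@@ -7,6 +7,8 @@ include transmission-daemon.local
 # Persistent global definitions
 include globals.local
 
+mkdir ${HOME}/.config/transmission-daemon
+whitelist ${HOME}/.config/transmission-daemon
 whitelist /var/lib/transmission
 
 caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot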
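Review bot: The new `whitelist ${HOME}/.config/transmission-daemon` on line 11 has no matching `noblacklist ${HOME}/.config/transmission-daemon`; if that path is blacklisted by disable-programs.inc (pulled in via the redirect, not visible here) the blacklist is expected to win and the daemon still cannot reach its config. Other profiles in this commit pair the two lines (tvbrowser.profile, rtv.profile), so adding `noblacklist ${HOME}/.config/transmission-daemon` above the `mkdir` keeps this one consistent.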
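--- /dev/null
+++ b/etc/tvbrowser.profile
@@ -0,0 +1,51 @@
+# Firejail profile for tvbrowser
+# Description: java tv programm form tvbrowser.org
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tvbrowser.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/tvbrowser
+noblacklist ${HOME}/.tvbrowser
+
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/tvbrowser
+mkdir ${HOME}/.tvbrowser
+whitelist ${HOME}/.config/tvbrowser
+whitelist ${HOME}/.tvbrowser
+whitelist /usr/share/tvbrowser
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-tmp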
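Review bot: The description on line 2, `# Description: java tv programm form tvbrowser.org`, has two typos and inconsistent casing; suggest `# Description: Java TV program from tvbrowser.org`. The ordering of the rest (noblacklist and allow-java.inc before the disable-*.inc includes) matches the other profiles in this commit.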
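--- a/etc/udiskie.profile
+++ b/etc/udiskie.profile
@@ -31,7 +31,7 @@ notv
 nou2f
 novideo
 protocol unix
-seccomp
+seccomp !request_key
 shell none
 tracelog
 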
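Review bot: `seccomp !request_key` on line 34 removes `request_key` from the default syscall filter without a comment explaining what needs kernel-keyring access; the next reader cannot tell whether this is for udisks2, cryptsetup or something else, none of which is visible here. A one-line rationale above it, `# request_key is needed by <component> (placeholder)`, lets the exception be re-evaluated later instead of being carried forward blindly.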
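--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -10,6 +10,7 @@ noblacklist /sbin
 noblacklist /usr/sbin
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc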
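--- a/etc/unf.profile
+++ b/etc/unf.profile
@@ -7,6 +7,8 @@ include unf.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -48,7 +50,7 @@ private-cache
 ?HAS_APPIMAGE: ignore private-dev
 private-dev
 private-etc alternatives
-private-lib libgcc_s.so.*
+private-lib gcc/*/*/libgcc_s.so.*
 private-tmp
 
 memory-deny-write-execute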
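Review bot: `private-lib gcc/*/*/libgcc_s.so.*` on line 53 replaces the bare `libgcc_s.so.*` pattern rather than adding to it, so the library is now only picked up from a `gcc/<triplet>/<version>/` subdirectory layout; on distributions that install libgcc_s directly in the library directory the old pattern matched and the new one may not. Unless `private-lib` resolution is known to search both layouts (not determinable here), keeping both patterns, `private-lib gcc/*/*/libgcc_s.so.*,libgcc_s.so.*`, avoids a silent regression where the sandboxed binary fails to start for lack of libgcc_s.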
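--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -7,6 +7,8 @@ include unrar.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc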
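--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -7,6 +7,8 @@ include unzip.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 # GNOME Shell integration (chrome-gnome-shell)
 noblacklist ${HOME}/.local/share/gnome-shell
 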
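--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -7,6 +7,8 @@ include uudeview.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc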
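--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -9,6 +9,7 @@ include globals.local
 noblacklist ${HOME}/.w3m
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include allow-perl.inc
 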
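--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc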
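--- a/etc/whalebird.profile
+++ b/etc/whalebird.profile
@@ -4,37 +4,27 @@
 # Persistent local customizations
 include whalebird.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
+
+ignore nodbus
 
 noblacklist ${HOME}/.config/Whalebird
 
-include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.config/Whalebird
 whitelist ${HOME}/.config/Whalebird
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-var-common.inc
 
-apparmor
-caps.drop all
-netfilter
 no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
 nou2f
 novideo
 protocol unix,inet,inet6
-seccomp
 shell none
 
 disable-mnt
@@ -43,3 +33,6 @@ private-cache
 private-dev
 private-etc fonts,machine-id
 private-tmp
+
+# Redirect
+include electron.profile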
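Review bot: The old profile enabled `apparmor` (old line 25) and that line is dropped here with no replacement in the hunk, so unless electron.profile (not visible) sets `apparmor` itself, the AppArmor layer is lost for Whalebird. The other removed hardening lines (`caps.drop all`, `seccomp`, `netfilter`, ...) are presumably inherited the same way, but `apparmor` is the one a generic Electron base profile is least likely to carry. If the base does not provide it, keep `apparmor` in this file above `no3d`; if it does, a comment such as `# apparmor, caps.drop all, seccomp: set by electron.profile` makes the inheritance visible to the next reader.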
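--- a/etc/whitelist-usr-share-common.inc
+++ b/etc/whitelist-usr-share-common.inc
@@ -13,6 +13,7 @@ whitelist /usr/share/distro-info
 whitelist /usr/share/drirc.d
 whitelist /usr/share/enchant
 whitelist /usr/share/enchant-2
+whitelist /usr/share/file
 whitelist /usr/share/fontconfig
 whitelist /usr/share/fonts
 whitelist /usr/share/gir-1.0
@@ -26,6 +27,7 @@ whitelist /usr/share/gtksourceview-4
 whitelist /usr/share/hunspell
 whitelist /usr/share/hwdata
 whitelist /usr/share/icons
+whitelist /usr/share/icu
 whitelist /usr/share/knotifications5
 whitelist /usr/share/kservices5
 whitelist /usr/share/Kvantum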
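--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -8,6 +8,7 @@ include whois.local
 include globals.local
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc
@@ -45,8 +46,8 @@ private
 private-bin bash,sh,whois
 private-cache
 private-dev
-private-etc alternatives,hosts,jwhois.conf,services,whois.conf
-private-lib
+private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf
+private-lib gconv
 private-tmp
 
 memory-deny-write-execute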
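--- a/etc/wire-desktop.profile
+++ b/etc/wire-desktop.profile
@@ -1,40 +1,35 @@
 # Firejail profile for wire-desktop
+# Description: End-to-end encrypted messenger with file sharing, voice calls and video conferences
 # This file is overwritten after every install/update
 # Persistent local customizations
 include wire-desktop.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
+
+# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
+
+ignore caps.drop all
+ignore nodbus
 
 noblacklist ${HOME}/.config/Wire
 
-include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
 
 mkdir ${HOME}/.config/Wire
 whitelist ${HOME}/.config/Wire
-whitelist ${DOWNLOADS}
 include whitelist-common.inc
 
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
+caps.keep sys_admin,sys_chroot
 nou2f
-protocol unix,inet,inet6,netlink
-seccomp
 shell none
 
-# Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore
-# it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop"
-
 disable-mnt
 private-bin bash,electron,electron4,env,sh,wire-desktop
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
 private-tmp
+
+# Redirect
+include electron.profile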
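Review bot: `ignore caps.drop all` (line 12) together with `caps.keep sys_admin,sys_chroot` (line 24) leaves the sandboxed process with CAP_SYS_ADMIN, which covers mount, namespace and many other privileged operations and largely undoes the capability drop the old profile had; the file gives no reason for it. If this is for a setuid/chroot sandbox helper inside the Electron build (an assumption, not visible here), the comment should say so and name the failing symptom, e.g. `# sys_admin and sys_chroot are needed by <component> (placeholder); without them Wire fails with <symptom>`, so the exception can be re-evaluated when the upstream build changes. The removed `nonewprivs`/`noroot`/`seccomp` lines are presumably supplied by electron.profile, which is not visible in this diff; their presence matters more than usual when sys_admin is kept.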
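--- /dev/null
+++ b/etc/wpp.profile
@@ -0,0 +1,14 @@
+# Firejail profile for wpp
+# Description: WPS Office - Presentation
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wpp.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+ignore machine-id
+ignore nosound
+
+# Redirect
+include wps.profile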
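Review bot: The two `ignore` lines (`ignore machine-id`, `ignore nosound`) switch off hardening inherited from wps.profile without saying why, so a later maintainer cannot tell whether they are still needed. A one-line why-comment above them would fix that, e.g. `# Presentations may embed audio/video: keep sound and the real machine-id available` — presumably that is the reason, confirm with the author. The same applies to any other WPS-family redirect profile that overrides the base profile.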
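--- /dev/null
+++ b/etc/wps.profile
@@ -0,0 +1,47 @@
+# Firejail profile for wps
+# Description: WPS Office - Writer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include wps.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.kingsoft
+noblacklist ${HOME}/.config/Kingsoft
+noblacklist ${HOME}/.local/share/Kingsoft
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+# Uncomment the next line (or add to wps.local) if you don't use network features.
+#net none
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# seccomp cause some minor issues, if you can live with them enable it.
+#seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-tmp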
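Review bot: `#seccomp` on line 41 leaves the syscall filter off for wps and, through the redirects added in this commit, for wpp and wpspdf as well, yet the comment above it does not say what actually breaks. Name the failing operation (and the upstream issue, if one exists) so users can judge the trade-off, e.g. `# seccomp breaks <describe the failure here>; add "seccomp" to wps.local if you can live with that.` If the breakage comes down to one specific syscall, firejail's `seccomp !syscall` form keeps the rest of the default filter and would be preferable to disabling it entirely.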
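--- /dev/null
+++ b/etc/wpspdf.profile
@@ -0,0 +1,11 @@
+# Firejail profile for wpspdf
+# Description: Kingsoft Pdf Reader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include et.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+# Redirect
+include wps.profile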
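Review bot: Line 5 includes `et.local` instead of the profile's own local file, so customizations a user puts in wpspdf.local (as the header comment on line 4 promises) are silently ignored, while whatever lives in et.local is applied to the PDF reader instead. It should read `include wpspdf.local`, matching the `include wpp.local` pattern used in wpp.profile in this same commit. `et` is presumably the WPS spreadsheet profile, so this looks like a copy-paste leftover.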
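--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -7,6 +7,8 @@ include xzdec.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc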
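--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -18,6 +18,7 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.config/yelp
 whitelist ${HOME}/.config/yelp
+whitelist /usr/share/doc
 whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl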
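--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -21,6 +21,7 @@ include allow-python2.inc
 include allow-python3.inc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
 
 include disable-common.inc
 include disable-devel.inc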
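--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -18,10 +18,18 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/zathura
+mkdir ${HOME}/.local/share/zathura
+whitelist /usr/share/doc
+whitelist /usr/share/zathura
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
 caps.drop all
+ipc-namespace
 machine-id
-# net none
-# nodbus
+net none
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -38,11 +46,10 @@ tracelog
 private-bin zathura
 private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id
+private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura
 private-tmp
 
-mkdir ${HOME}/.config/zathura
-mkdir ${HOME}/.local/share/zathura
 read-only ${HOME}
 read-write ${HOME}/.config/zathura
 read-write ${HOME}/.local/share/zathura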
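Review bot: The `private-lib` list added at line 50 hard-codes one distribution's library layout (`gcc/*/*/libgcc_s.so.*`, `libgirara-gtk*`) and will leave zathura unable to start or render on systems that name or place these libraries differently, with nothing in the profile telling the user what to do. A comment above it such as `# private-lib was validated on <distro/version>; if zathura fails to start or render, add "ignore private-lib" to zathura.local` would make that failure recoverable. The `ld.so.*` entries added to `private-etc` on line 49 appear to accompany private-lib and should be mentioned in the same comment so they are not removed independently.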
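--- a/etc/zstd.profile
+++ b/etc/zstd.profile
@@ -7,6 +7,8 @@ include zstd.local
 # Persistent global definitions
 include globals.local
 
+blacklist ${RUNUSER}/wayland-*
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc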