Diffstat (limited to 'etc')
59 files changed, 405 insertions, 31 deletions
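--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh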
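--- /dev/null
+++ b/etc/aosp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aosp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+#seccomp
+shell none
+
+private-tmp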
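Review bot: `#seccomp` at line 39 switches the syscall filter off in a brand-new profile with no comment saying why, while lines 10 and 18 deliberately expose `${HOME}/.bash_history` and `${HOME}/.ssh` to the build toolchain, so any build script run inside this sandbox can read private keys and shell history with only caps.drop/noroot/nonewprivs standing between it and the kernel. If a specific AOSP tool trips the default filter, name it, e.g. `# seccomp - breaks <tool, to be confirmed>`, or keep the filter and relax it with a targeted `seccomp.drop` list as etc/baloo_file.profile in this commit does. `private-dev` is also absent here although the other new profiles in this commit (bluefish line 30, cliqz line 78) set it; if that is intentional a one-line comment would help the next reader.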
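--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd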
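--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -23,7 +23,11 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+# net none
 shell none
 
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp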
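Review bot: The new `# net none` at line 26 is a disabled directive with no reason attached, so the next maintainer cannot tell whether networking is genuinely needed (package installation and updates, presumably) or the line was simply left over; other profiles in this commit use the form `# net none - makes settings immutable`, so `# net none - breaks package installation, to be confirmed` would match the house style. `noexec ${HOME}` at line 32 also covers wherever Atom keeps its community packages (presumably under `~/.atom`), so any package that ships native helpers or scripts executed from there will fail; that is the intended hardening, but a short comment would stop it being reported as a sandbox bug.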
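--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd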
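--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nogroups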
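--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d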
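--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -17,6 +17,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd
@@ -29,8 +31,10 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice
+shell none
 x11 xorg
 
+private-bin baloo_file,baloo_file_extractor,kbuildsycoca4
 private-dev
 private-tmp
 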
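Review bot: `private-bin baloo_file,baloo_file_extractor,kbuildsycoca4` at line 37 names only the KDE4-era sycoca builder; on a KDE Frameworks 5 install that binary is `kbuildsycoca5`, and because private-bin copies only the listed names, nothing else from /usr/bin is reachable once `shell none` (line 34) is also in force. If both generations are meant to be supported, list both, `private-bin baloo_file,baloo_file_extractor,kbuildsycoca4,kbuildsycoca5`, and confirm against a KF5 system which helper the indexer actually execs. Confining the extractor this tightly is the right direction, since baloo_file_extractor parses untrusted file contents.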
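--- /dev/null
+++ b/etc/bluefish.profile
@@ -0,0 +1,34 @@
+# Firejail profile for bluefish
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bluefish.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin bluefish
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp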
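--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 ipc-namespace
+net none
 nodvd
 nogroups
 nonewprivs
@@ -25,5 +26,5 @@ shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp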
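Review bot: `#noexec ${HOME}` at line 29 switches off a hardening directive without recording why, so a later maintainer cannot tell whether it may be re-enabled or which feature it broke; etc/kdenlive.profile line 29 in this commit makes the identical change with the same gap. Please keep the reason next to the line, e.g. `# noexec ${HOME} - breaks <feature, to be confirmed>`, following the `# net none - makes settings immutable` form used elsewhere in this commit. The `net none` added in the first hunk tightens the profile while this hunk loosens it, so both deserve a line in the commit message.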
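--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin cin
+private-bin cin,ffmpeg
 private-dev
 
 noexec ${HOME}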
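--- /dev/null
+++ b/etc/cinelerra.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for cin
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/cin.profile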
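--- a/etc/clamdscan.profile
+++ b/etc/clamdscan.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 
 
 # Redirect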
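--- a/etc/clamdtop.profile
+++ b/etc/clamdtop.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 
 
 # Redirect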
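--- a/etc/clamscan.profile
+++ b/etc/clamscan.profile
@@ -1,5 +1,6 @@
 # Firejail profile alias for clamav
 # This file is overwritten after every install/update
+quiet
 
 
 # Redirect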
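--- /dev/null
+++ b/etc/cliqz.profile
@@ -0,0 +1,83 @@
+# Firejail profile for cliqz
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cliqz.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.cache/cliqz
+noblacklist ~/.config/cliqz
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
+noblacklist ~/.config/qpdfview
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
+noblacklist ~/.local/share/gnome-shell/extensions
+noblacklist ~/.local/share/okular
+noblacklist ~/.local/share/qpdfview
+
+noblacklist ~/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.cache/mozilla/firefox
+mkdir ~/.mozilla
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.config/okularpartrc
+whitelist ~/.config/okularrc
+whitelist ~/.config/pipelight-silverlight5.1
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/qpdfview
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
+whitelist ~/.keysnail.js
+whitelist ~/.lastpass
+whitelist ~/.local/share/gnome-shell/extensions
+whitelist ~/.local/share/okular
+whitelist ~/.local/share/qpdfview
+whitelist ~/.mozilla
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.pki
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.zotero
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-dev
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp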
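Review bot: Lines 8 and 9 `noblacklist ~/.cache/cliqz` and `~/.config/cliqz`, but the whitelist block at lines 29–61 only creates and whitelists the Firefox locations (`~/.mozilla`, `~/.cache/mozilla/firefox`); once any `whitelist` directive is present the rest of $HOME is hidden, so the browser's own profile and cache directories are invisible inside the sandbox and nothing the user does in Cliqz (bookmarks, logins, extensions) will persist, and on first run it may silently recreate them on a tmpfs. The profile reads as a copy of the firefox one with only the noblacklist lines adapted; the `# private-bin firefox,...` comment at line 77 still names firefox too, so if that line is ever uncommented the binary list will be wrong. Add mkdir and whitelist entries for the two cliqz directories next to the Firefox ones, and drop the Firefox entries unless Cliqz actually reads the Firefox profile.

```conf
# … unchanged: header, noblacklist and include lines 1-28 …
mkdir ~/.cache/cliqz
mkdir ~/.config/cliqz
mkdir ~/.pki
whitelist ${DOWNLOADS}
whitelist ~/.cache/cliqz
whitelist ~/.config/cliqz
# … unchanged: remaining whitelist lines through include /etc/firejail/whitelist-var-common.inc …
```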
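--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups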
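--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -120,7 +120,8 @@ blacklist /var/lib/mysql/mysql.sock
 blacklist /var/lib/mysqld/mysql.sock
 blacklist /var/lib/pacman
 blacklist /var/lib/upower
-blacklist /var/log
+# blacklist /var/log - a virtual /var/log directory (mostly empty) is buid up by default for
+# every sandbox, unless --writeble-var-log switch is activated
 blacklist /var/mail
 blacklist /var/opt
 blacklist /var/run/acpid.socket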
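Review bot: The comment at lines 123–124 has two typos, and one of them matters because it names a command-line option: `buid up` should read `built up`, and `--writeble-var-log` should be `--writable-var-log`, the actual option name, otherwise anyone copying it from the comment gets an unknown-option error. Suggested wording: `# blacklist /var/log - a virtual, mostly empty /var/log is built for every sandbox by default, unless --writable-var-log is used`. Lifting the blacklist is reasonable given the virtual directory, but it is worth noting in the commit message that profiles which previously carried `noblacklist /var/log` (dnscrypt-proxy and dnsmasq in this commit) now depend entirely on that default.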
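--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -81,6 +81,7 @@ blacklist ${HOME}/.config/chromium
 blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
+blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
@@ -142,6 +143,8 @@ blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
 blacklist ${HOME}/.config/org.kde.gwenviewrc
 blacklist ${HOME}/.config/pcmanfm
+blacklist ${HOME}/.config/pdfmod
+blacklist ${HOME}/.config/Pinta
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/psi+
@@ -220,6 +223,8 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.jack-server
+blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
@@ -360,6 +365,8 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
+blacklist ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
@@ -376,6 +383,7 @@ blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tooling
+blacklist ${HOME}/.tor-browser-en
 blacklist ${HOME}/.ts3client
 blacklist ${HOME}/.tuxguitar*
 blacklist ${HOME}/.unknow-horizons
@@ -408,6 +416,7 @@ blacklist ${HOME}/.cache/calibre
 blacklist ${HOME}/.cache/champlain
 blacklist ${HOME}/.cache/chromium
 blacklist ${HOME}/.cache/chromium-dev
+blacklist ${HOME}/.cache/cliqz
 blacklist ${HOME}/.cache/darktable
 blacklist ${HOME}/.cache/epiphany
 blacklist ${HOME}/.cache/evolution
@@ -427,6 +436,7 @@ blacklist ${HOME}/.cache/netsurf
 blacklist ${HOME}/.cache/opera
 blacklist ${HOME}/.cache/opera-beta
 blacklist ${HOME}/.cache/org.gnome.Books
+blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla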
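--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute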
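Review bot: With `noblacklist /var/log` gone from the first hunk, a dnscrypt-proxy configured to log to a file under /var/log now writes into the per-sandbox virtual /var/log that the disable-common.inc change in this commit describes, and those entries vanish when the sandbox exits; for a resolver whose logs are the main evidence during an incident that is a forensic loss worth stating, and etc/dnsmasq.profile has the same change. If persistent file logging is expected, add `writable-var-log` to the profile (the profile keyword should match the `--writable-var-log` option, to be confirmed against the man page), or note in a comment that logging is expected to go to syslog/journal instead. Separately, `memory-deny-write-execute` at line 33 is now active directly under `# mdwe can break modules/plugins`, which reads as a warning against the very line that follows; rephrase it as `# memory-deny-write-execute can break modules/plugins; dnscrypt-proxy loads none` if that is why it is safe here.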
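--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc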
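--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d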
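--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d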
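--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d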
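--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
+# net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodvd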
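--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -1,4 +1,4 @@
-# Firejail profile for default
+# Firejail profile for ffmpeg
 # This file is overwritten after every install/update
 quiet
 # Persistent local customizations
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 net none
 no3d
@@ -23,11 +25,11 @@ noroot
 # protocol none - needs to be implemented!
 seccomp
 # seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
-# memory-deny-write-execute - it breaks old versions of ffmpeg
 shell none
 tracelog
 
-private-tmp
-private-dev
 private-bin ffmpeg
-include /etc/firejail/whitelist-var-common.inc
+private-dev
+private-tmp
+
+# memory-deny-write-execute - it breaks old versions of ffmpeg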
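--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 # net none - makes settings immutable
 no3d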
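--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,9 +5,10 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
 
-noblacklist ~/.config/gedit
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
 
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc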
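Review bot: Dropping the comment that used to sit at old line 8 leaves the profile with no mention of its biggest coverage gap: a gedit started through gnome-shell is launched by the session manager rather than through the firejail wrapper, so the user gets no sandbox at all, and nothing in the new text makes that visible. If the statement still holds it should stay, reworded to be clearer, e.g. `# NOTE: when gedit is launched from gnome-shell it is started by the session (systemd/dbus activation) and bypasses firejail`; if it was removed because it no longer holds, the commit message should say so. The switch from `~/` to `${HOME}` on the noblacklist lines is a welcome consistency fix.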
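--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -25,6 +25,7 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
-private-bin gitter
+private-bin bash,env,gitter
+private-opt Gitter
 private-dev
 private-tmp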
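Review bot: `private-bin bash,env,gitter` at line 28 now copies a full shell interpreter into the sandbox, which is the very thing `shell none` on line 26 is there to keep out of the exec path; the combination is only justified if the `gitter` entry point is itself a shell script (presumably the wrapper under /opt/Gitter), and that reason should be recorded next to the line, e.g. `# private-bin bash,env - the gitter launcher is a shell script`. With `private-opt Gitter` at line 29 the application tree is nicely limited, so the remaining question is whether `env` is genuinely needed, since every extra binary listed here is available to any code that gains execution inside the sandbox.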
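--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -28,10 +28,8 @@ seccomp
 shell none
 
 disable-mnt
-private
 private-bin gnome-calculator
 private-dev
-# private-etc fonts
 private-tmp
 
 memory-deny-write-execute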
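Review bot: Removing `private` (old line 31) changes the sandbox from an empty private home to the user's real $HOME minus blacklists, with no comment explaining why, and that is the largest widening in this commit for a program that should need almost no user files. If the reason is that gnome-calculator stores currency-rate data under ~/.cache or its settings through dconf (to be confirmed), record it, e.g. `# private - breaks currency rate cache, to be confirmed`, or better, replace it with a `whitelist` of the one or two directories it needs, as etc/mate-calc.profile does in this commit.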
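--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -19,6 +19,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 nodvd
 nogroups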
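--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs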
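--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh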
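--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin inkscape
+private-bin inkscape,potrace
 private-dev
 private-tmp
 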
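Review bot: `private-bin inkscape,potrace` at line 30 turns a previously commented-out directive on, but Inkscape's extension system runs external interpreters (Python for the bundled extensions, to be confirmed against the installed version) and none of them are listed, so extensions and any import/export filters that shell out will now fail silently under `shell none`. Either add the interpreter deliberately with a comment on the exposure that brings, or keep the tight list and document the trade-off, e.g. `# private-bin inkscape,potrace - extensions (python) are not available inside the sandbox`. Keeping the list this small is the safer default; it just needs to be a stated decision rather than a surprise.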
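--- a/etc/inox.profile
+++ b/etc/inox.profile
@@ -21,6 +21,10 @@ whitelist ~/.config/inox
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 
+caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
+nogroups
+noroot
 notv
+shell none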
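Review bot: `caps.keep sys_chroot,sys_admin` at line 24 retains CAP_SYS_ADMIN, the broadest capability the kernel has, with no comment explaining the need (presumably the Chromium SUID/namespace sandbox helper, which needs chroot and namespace setup); record that reason, e.g. `# caps.keep sys_chroot,sys_admin - required by the chrome-sandbox helper`. `noroot` at line 28 scopes those capabilities to the sandbox's user namespace, which limits but does not remove the exposure, and `nonewprivs` does not appear in the hunk; if it is not set elsewhere in the profile, confirm whether that is deliberate, since a setuid helper is exactly what it would block. The profile continues outside the hunk.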
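--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp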
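--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -11,6 +11,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd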
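--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -31,6 +31,7 @@ whitelist ~/.kde4/share/apps/ktorrent
 whitelist ~/.kde4/share/config/ktorrentrc
 whitelist ~/.local/share/ktorrent
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter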
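--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -12,8 +12,15 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${HOME}/.cache/mate-calc
+whitelist ${HOME}/.config/caja
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/dconf
+whitelist ${HOME}./config/mate-menu
+whitelist ${HOME}/.themes
+
 caps.drop all
-netfilter
+net none
 no3d
 nodvd
 nogroups
@@ -27,8 +34,12 @@ seccomp
 shell none
 
 disable-mnt
+private-bin mate-calc,mate-calculator
+private-etc fonts
 private-dev
+private-opt none
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp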
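Review bot: `whitelist ${HOME}./config/mate-menu` on new line 19 has the dot on the wrong side of the slash; it expands to `$HOME./config/mate-menu`, a path that does not exist, so the intended `~/.config/mate-menu` is not whitelisted and, because the other `whitelist` lines turn the home directory into whitelist-only, that directory becomes invisible to the application. The line should read `whitelist ${HOME}/.config/mate-menu`. As far as I know firejail skips a nonexistent whitelist path with at most a warning, so this fails silently rather than at profile load, which is why it is worth catching in review.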
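--- a/etc/mate-color-select.profile
+++ b/etc/mate-color-select.profile
@@ -11,6 +11,11 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
+
 caps.drop all
 netfilter
 no3d
@@ -26,9 +31,11 @@ seccomp
 shell none
 
 disable-mnt
-private
+private-bin mate-color-select
+private-etc fonts
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp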
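--- a/etc/mate-dictionary.profile
+++ b/etc/mate-dictionary.profile
@@ -12,6 +12,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+whitelist ${HOME}/.config/mate/mate-dictionary
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.fonts
+whitelist ${HOME}/.icons
+whitelist ${HOME}/.themes
+
 caps.drop all
 netfilter
 no3d
@@ -27,8 +33,12 @@ seccomp
 shell none
 
 disable-mnt
+private-bin mate-dictionary
+private-etc fonts,resolv.conf
+private-opt mate-dictionary
 private-dev
 private-tmp
 
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp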
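--- a/etc/mediathekview.profile
+++ b/etc/mediathekview.profile
@@ -21,6 +21,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd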
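--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d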
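--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+net none
 
 private-bin natron,Natron,NatronRenderer
 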
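Review bot: `net none` on new line 29 leaves `protocol unix,inet,inet6` on line 26 wider than it needs to be; once the sandbox has no network interfaces there is nothing for the inet families to reach, so `protocol unix` states the intent precisely and removes a socket family the seccomp filter would otherwise still permit. The placement is also out of step with every other profile in this commit, which lists `net none` among the alphabetically ordered sandbox options (before `no3d`/`nodvd`) rather than after `shell none`; moving it keeps the profiles uniform and easy to grep. The two line changes are `protocol unix` on line 26 and `net none` relocated next to the other no-* options, whose position lies above this hunk.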
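--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -36,7 +36,7 @@ seccomp
 shell none
 tracelog
 
-# private-bin okular,kbuildsycoca4,lpr
+# private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 # private-etc fonts,X11
 private-tmp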
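--- /dev/null
+++ b/etc/openshot-qt.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for openshot
+# This file is overwritten after every install/update
+
+
+# Redirect
+include /etc/firejail/openshot.profile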
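--- /dev/null
+++ b/etc/pdfmod.profile
@@ -0,0 +1,38 @@
+# Firejail profile for pdfmod
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pdfmod.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.cache/pdfmod
+noblacklist ${HOME}/.config/pdfmod
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp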
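--- /dev/null
+++ b/etc/pinta.profile
@@ -0,0 +1,34 @@
+# Firejail profile for pinta
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/pinta.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.config/Pinta
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp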
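Review bot: pinta.profile does not include `/etc/firejail/whitelist-var-common.inc`, although this same commit adds that include to several existing profiles and to the new pdfmod.profile; the new uefitool.profile omits it as well. If the omission is deliberate (the application needs more of /var than the common whitelist exposes, say) a short comment would stop the next contributor from "fixing" it; otherwise `include /etc/firejail/whitelist-var-common.inc` after the disable-*.inc block, as in pdfmod, keeps the new profiles consistent. pinta also lacks the `no3d` that pdfmod and uefitool carry, which is fine if it needs GL but likewise worth a note.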
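--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -26,7 +26,10 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
+net none
 nodvd
 nogroups
 nonewprivs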
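--- a/etc/server.profile
+++ b/etc/server.profile
@@ -13,7 +13,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-# noblacklist /var/log
 # noblacklist /var/opt
 
 include /etc/firejail/disable-common.inc
@@ -29,6 +28,8 @@ notv
 novideo
 seccomp
 
+# netfilter /etc/firejail/webserver.net
+
 # disable-mnt
 private
 # private-bin program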
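--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
 #private-bin shotcut,melt,qmelt,nice
 private-dev
 
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp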
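--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -46,5 +46,6 @@ shell none
 
 # private-dev should be commented for controllers
 private-dev
-private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
+# private-etc breaks some games
+#private-etc asound.conf,ca-certificates,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,ld.so.conf,ld.so.conf.d,localtime,lsb-release,machine-id,mime.types,passwd,pulse,resolv.conf,ssl
 private-tmp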
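--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -14,7 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
-netfilter
+net none
 nodvd
 nogroups
 nonewprivs
@@ -26,7 +26,7 @@ protocol unix
 seccomp
 shell none
 
-#private-bin synfigstudio
+#private-bin synfigstudio,synfig,ffmpeg
 private-dev
 private-tmp
 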
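--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -13,6 +13,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 no3d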
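--- /dev/null
+++ b/etc/uefitool.profile
@@ -0,0 +1,33 @@
+# Firejail profile for uefitool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/uefitool.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp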
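--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -9,7 +9,6 @@ blacklist /tmp/.X11-unix
 
 noblacklist /sbin
 noblacklist /usr/sbin
-noblacklist /var/log
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -31,4 +30,4 @@ private
 private-dev
 
 # mdwe can break modules/plugins
-# memory-deny-write-execute
+memory-deny-write-execute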
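Review bot: the comment `# mdwe can break modules/plugins` on new line 32 now sits above an enabled `memory-deny-write-execute`, so it reads as the reason the option is off rather than as a caveat for an option that is on. Reword it to match the new state, e.g. `# memory-deny-write-execute can break modules/plugins; comment it out in unbound.local if it does`. Separately, dropping `noblacklist /var/log` (old line 12) is not explained: if unbound's logfile still lives under /var/log and that directory is blacklisted by the included disable-*.inc files, logging inside the sandbox will fail silently, so either the commit message or a comment should say why the exception is no longer needed.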
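--- a/etc/waterfox.profile
+++ b/etc/waterfox.profile
@@ -65,6 +65,7 @@ whitelist ~/.wine-pipelight64
 whitelist ~/.zotero
 whitelist ~/dwhelper
 include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
 netfilter
@@ -78,7 +79,8 @@ seccomp
 shell none
 tracelog
 
-# private-bin waterfox,which,sh,dbus-launch,dbus-send,env
+# waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin waterfox,which,sh,dbus-launch,dbus-send,env,dash,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse
 private-tmp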
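Review bot: the new comment on line 82 says a shell is required to launch on Arch and that `sh` can "possibly" be removed, while the commented-out `private-bin` list on line 83 now carries three shells (`sh`, `dash`, `bash`). Since that list documents what will be enabled later, it should name the one shell that is actually required instead of leaving three candidates; every shell placed in a private /bin is an interpreter reachable by anything the sandboxed browser execs, so the set should be the minimum that works. Suggested wording: `# waterfox needs a POSIX shell to launch on Arch (which one: TODO verify); keep only that one in private-bin`.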
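--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -14,6 +14,8 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 no3d
 nodvd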
diff --git a/etc/xviewer.profile b/etc/xviewer.profile index b9ff3948a..53f2a0c82 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile | |||
@@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc | |||
15 | include /etc/firejail/disable-passwdmgr.inc | 15 | include /etc/firejail/disable-passwdmgr.inc |
16 | include /etc/firejail/disable-programs.inc | 16 | include /etc/firejail/disable-programs.inc |
17 | 17 | ||
18 | include /etc/firejail/whitelist-var-common.inc | ||
19 | |||
18 | caps.drop all | 20 | caps.drop all |
19 | # net none - makes settings immutable | 21 | # net none - makes settings immutable |
20 | no3d | 22 | no3d |