Diffstat (limited to 'etc')
57 files changed, 79 insertions, 28 deletions
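--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -17,6 +17,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 # seccomp
 shell none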
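--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -24,8 +24,10 @@ seccomp
 shell none
 tracelog
 
-private-bin audacious
+# private-bin audacious
 private-dev
 private-tmp
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp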
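Review bot: `private-bin audacious` is commented out with no reason given, so the profile loses its restricted /bin view and the next maintainer cannot tell whether that is temporary. A one-line comment above it, e.g. `# private-bin disabled: <what breaks, e.g. which helper binary audacious cannot find>`, would record the cause. If the breakage is a known set of missing helpers, listing them in `private-bin` would keep the confinement instead of dropping it. The profile begins above this hunk, so an explanation may exist outside the visible lines.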
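--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none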
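--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -17,6 +17,7 @@ netfilter
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none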
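--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -22,6 +22,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 seccomp
 shell none
 tracelog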
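--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none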
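--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -5,29 +5,8 @@ include /etc/firejail/cvlc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-noblacklist ${HOME}/.config/vlc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-# nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
 # clvc doesn't like private-bin
-# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
-private-dev
-private-tmp
+ignore private-bin
 
-# mdwe is disabled due to breaking hardware accelerated decoding
-# memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include /etc/firejail/vlc.profile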
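Review bot: Every restriction cvlc runs under now comes from `/etc/firejail/vlc.profile`, which is not shown here, so the removed lines should be checked against it. The old profile allowed `netlink` in `protocol` and deliberately left `memory-deny-write-execute` commented out because of hardware-accelerated decoding; if vlc.profile differs on either, cvlc's behaviour or confinement changes with no trace in this file. `ignore private-bin` has to stay above the include to have any effect, and a short comment such as `# must precede the include below` would make that ordering explicit. The retained comment also misspells the program as `clvc`.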
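--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -17,6 +17,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
 private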
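--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -20,6 +20,7 @@ nodvd
 nonewprivs
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 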
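--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -19,6 +19,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none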
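--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none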
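--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none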
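--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none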
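--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none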
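--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -13,17 +13,19 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
 
-private-bin feh
+private-bin feh,jpegexiforient,jpegtran
 private-dev
 private-etc feh
 private-tmp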
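Review bot: `private-bin feh,jpegexiforient,jpegtran` widens the set of executables visible inside the sandbox without recording why the two helpers are needed. A comment above the line, e.g. `# jpegexiforient and jpegtran are used by feh for lossless JPEG rotation`, would document the dependency so the list is not trimmed or grown blindly later. That reason is my reading of feh's behaviour and should be confirmed before it is committed.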
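--- a/etc/file.profile
+++ b/etc/file.profile
@@ -30,3 +30,7 @@ x11 none
 private-bin file
 private-dev
 private-etc magic.mgc,magic,localtime
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp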
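--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none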
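--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -10,7 +10,11 @@ noblacklist ~/.config/okularpartrc
 noblacklist ~/.config/okularrc
 noblacklist ~/.config/qpdfview
 noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
 noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
 noblacklist ~/.local/share/gnome-shell/extensions
 noblacklist ~/.local/share/okular
 noblacklist ~/.local/share/qpdfview
@@ -34,7 +38,11 @@ whitelist ~/.config/pipelight-silverlight5.1
 whitelist ~/.config/pipelight-widevine
 whitelist ~/.config/qpdfview
 whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
 whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
 whitelist ~/.keysnail.js
 whitelist ~/.lastpass
 whitelist ~/.local/share/gnome-shell/extensions
@@ -66,7 +74,6 @@ tracelog
 
 # private-bin firefox,which,sh,dbus-launch,dbus-send,env
 private-dev
-# private-dev might prevent video calls going out
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp
 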
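Review bot: The four new `whitelist` lines in the second hunk expose okular's config files (`okularrc` and `okularpartrc` under `~/.kde` and `~/.kde4`) to the browser sandbox as writable paths. If the embedded viewer only needs to read them, pairing each with a `read-only` line, e.g. `read-only ~/.kde/share/config/okularrc`, would stop a compromised browser process from changing another application's settings. Whether okular has to write these files from inside Firefox is not visible in this diff, so that needs a quick functional check first. A grouping comment such as `# okular (embedded PDF viewer) configuration` above the new entries would also explain why a browser profile carries them.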
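--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -24,6 +24,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none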
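--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none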
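--- a/etc/git.profile
+++ b/etc/git.profile
@@ -29,6 +29,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none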
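--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none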
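--- a/etc/gpa.profile
+++ b/etc/gpa.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none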
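--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none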
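--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none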
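--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none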
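--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -18,6 +18,7 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none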
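--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -14,6 +14,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 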
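--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none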
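--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none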
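--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none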
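--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -19,6 +19,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 # seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev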
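--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -26,4 +26,5 @@ nodvd
 nonewprivs
 noroot
 notv
+novideo
 seccomp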
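--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -44,6 +44,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none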
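--- a/etc/nylas.profile
+++ b/etc/nylas.profile
@@ -26,6 +26,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none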
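--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -21,6 +21,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none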
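--- a/etc/pix.profile
+++ b/etc/pix.profile
@@ -22,6 +22,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none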
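--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -35,6 +35,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
 # shell none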
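--- a/etc/qpdfview.profile
+++ b/etc/qpdfview.profile
@@ -32,3 +32,5 @@ private-dev
 private-tmp
 
 memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp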
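--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -18,6 +18,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none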
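--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 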
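--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none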
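--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none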
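--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -27,6 +27,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none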
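--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -20,6 +20,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none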
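--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none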
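--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -17,6 +17,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
 
 private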
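--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 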
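--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -15,6 +15,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 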
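--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -13,6 +13,7 @@ net none
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 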
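--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -19,12 +19,14 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 net none
+no3d
 nodvd
 nogroups
 nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
@@ -34,3 +36,7 @@ private-bin viewnior
 private-dev
 private-etc fonts
 private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp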
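--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -20,5 +20,6 @@ nogroups
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp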
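--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none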
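--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -28,6 +28,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none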
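--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -18,6 +18,7 @@ no3d
 nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
 shell none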
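--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -30,7 +30,7 @@ tracelog
 
 private-bin xreader,xreader-previewer,xreader-thumbnailer
 private-dev
-# private-etc fonts
+# private-etc fonts,ld.so.cache
 # xreader needs access to /tmp/mozilla* to work in firefox
 # private-tmp
 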
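--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -14,6 +14,7 @@ no3d
 nodvd
 nosound
 notv
+novideo
 shell none
 tracelog
 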