35 files changed, 408 insertions, 0 deletions
diff --git a/etc/audacious.profile b/etc/audacious.profile
new file mode 100644
index 000000000..23f223a29
--- /dev/null
+++ b/etc/audacious.profile
@@ -0,0 +1,8 @@
+# Audacious profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile
new file mode 100644
index 000000000..4cdc098d1
--- /dev/null
+++ b/etc/chromium-browser.profile
@@ -0,0 +1,3 @@
+# Chromium browser profile
+include /etc/firejail/chromium.profile
diff --git a/etc/chromium.profile b/etc/chromium.profile
new file mode 100644
index 000000000..4f6e7e450
--- /dev/null
+++ b/etc/chromium.profile
@@ -0,0 +1,7 @@
+# Chromium browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc chromium
+netfilter
diff --git a/etc/clementine.profile b/etc/clementine.profile
new file mode 100644
index 000000000..dd855cc62
--- /dev/null
+++ b/etc/clementine.profile
@@ -0,0 +1,7 @@
+# Clementine profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
new file mode 100644
index 000000000..e2f5787cc
--- /dev/null
+++ b/etc/deadbeef.profile
@@ -0,0 +1,8 @@
+# DeaDBeeF profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/deluge.profile b/etc/deluge.profile
new file mode 100644
index 000000000..138d0a133
--- /dev/null
+++ b/etc/deluge.profile
@@ -0,0 +1,9 @@
+# deluge profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
new file mode 100644
index 000000000..926000411
--- /dev/null
+++ b/etc/disable-common.inc
@@ -0,0 +1,10 @@
+blacklist ${HOME}/.adobe
+blacklist ${HOME}/.macromedia
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.filezilla
diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
new file mode 100644
index 000000000..f04619ea0
--- /dev/null
+++ b/etc/disable-mgmt.inc
@@ -0,0 +1,12 @@
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/strace
diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
new file mode 100644
index 000000000..8ac1b3792
--- /dev/null
+++ b/etc/disable-secret.inc
@@ -0,0 +1,9 @@
+# HOME directory
+blacklist ${HOME}/.ssh
+tmpfs ${HOME}/.gnome2_private
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/kde4/share/apps/kwallet
+blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.local/share/recently-used.xbel
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
new file mode 100644
index 000000000..82b54adb1
--- /dev/null
+++ b/etc/dropbox.profile
@@ -0,0 +1,7 @@
+# dropbox profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps
+seccomp
+noroot
diff --git a/etc/empathy.profile b/etc/empathy.profile
new file mode 100644
index 000000000..d24cae528
--- /dev/null
+++ b/etc/empathy.profile
@@ -0,0 +1,6 @@
+# Empathy profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
diff --git a/etc/evince.profile b/etc/evince.profile
new file mode 100644
index 000000000..4d96d5904
--- /dev/null
+++ b/etc/evince.profile
@@ -0,0 +1,8 @@
+# evince profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
new file mode 100644
index 000000000..a54b5a734
--- /dev/null
+++ b/etc/filezilla.profile
@@ -0,0 +1,10 @@
+# FileZilla profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc .filezilla
+caps.drop all
+seccomp
+noroot
+netfilter
diff --git a/etc/firefox.profile b/etc/firefox.profile
new file mode 100644
index 000000000..dc3489d35
--- /dev/null
+++ b/etc/firefox.profile
@@ -0,0 +1,9 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc .mozilla
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/firejail.bash_completion b/etc/firejail.bash_completion
new file mode 100644
index 000000000..50eccf536
--- /dev/null
+++ b/etc/firejail.bash_completion
@@ -0,0 +1,86 @@
+# bash completion for firejail                            -*- shell-script -*-
+#********************************************************************
+# Script based on completions/configure script in bash-completion package in
+# Debian. The original package is release under GPL v2 license, the webpage is
+# http://bash-completion.alioth.debian.org
+#*******************************************************************
+__interfaces(){
+    cut -f 1 -d ':' /proc/net/dev | tail -n +3 | grep -v lo | xargs
+}
+_firejail()
+{
+    local cur prev words cword split
+    _init_completion -s || return
+    case $prev in
+        --help|--version|-debug-caps|--debug-syscalls|--list|--tree|--top|--join|--shutdown)
+            return 0
+            ;;
+        --profile)
+            _filedir
+            return 0
+            ;;
+        --chroot)
+            _filedir -d
+            return 0
+            ;;
+        --cgroup)
+            _filedir -d
+            return 0
+            ;;
+        --tmpfs)
+            _filedir
+            return 0
+            ;;
+        --blacklist)
+            _filedir
+            return 0
+            ;;
+        --read-only)
+            _filedir
+            return 0
+            ;;
+        --bind)
+            _filedir
+            return 0
+            ;;
+        --private)
+            _filedir
+            return 0
+            ;;
+        --shell)
+            _filedir
+            return 0
+            ;;
+         --net)
+                comps=$(__interfaces)
+            COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
+            return 0
+                ;;
+    esac
+    $split && return 0
+    # if $COMP_CONFIGURE_HINTS is not null, then completions of the form
+    # --option=SETTING will include 'SETTING' as a contextual hint
+    [[ "$cur" != -* ]] && _filedir && return 0
+    if [[ -n $COMP_CONFIGURE_HINTS ]]; then
+        COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \
+            awk '/^  --[A-Za-z]/ { print $1; \
+            if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \
+            -- "$cur" ) )
+        [[ $COMPREPLY == *=* ]] && compopt -o nospace
+    else
+        COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
+        [[ $COMPREPLY == *= ]] && compopt -o nospace
+    fi
+} &&
+complete -F _firejail firejail
diff --git a/etc/firemon.bash_completion b/etc/firemon.bash_completion
new file mode 100644
index 000000000..befbf2388
--- /dev/null
+++ b/etc/firemon.bash_completion
@@ -0,0 +1,39 @@
+# bash completion for firemon                          -*- shell-script -*-
+#********************************************************************
+# Script based on completions/configure script in bash-completion package in
+# Debian. The original package is release under GPL v2 license, the webpage is
+# http://bash-completion.alioth.debian.org
+#*******************************************************************
+_firemon()
+{
+    local cur prev words cword split
+    _init_completion -s || return
+    case $prev in
+        --help|--version)
+            return
+            ;;
+    esac
+    $split && return 0
+    # if $COMP_CONFIGURE_HINTS is not null, then completions of the form
+    # --option=SETTING will include 'SETTING' as a contextual hint
+    [[ "$cur" != -* ]] && return 0
+    if [[ -n $COMP_CONFIGURE_HINTS ]]; then
+        COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 | \
+            awk '/^  --[A-Za-z]/ { print $1; \
+            if ($2 ~ /--[A-Za-z]/) print $2 }' | sed -e 's/[[,].*//g' )" \
+            -- "$cur" ) )
+        [[ $COMPREPLY == *=* ]] && compopt -o nospace
+    else
+        COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
+        [[ $COMPREPLY == *= ]] && compopt -o nospace
+    fi
+} &&
+complete -F _firemon firemon
diff --git a/etc/generic.profile b/etc/generic.profile
new file mode 100644
index 000000000..83bf59e0a
--- /dev/null
+++ b/etc/generic.profile
@@ -0,0 +1,41 @@
+################################
+# Generic profile based on Firefox profile
+################################
+#include /etc/firejail/disable-mgmt.inc
+# system directories    
+blacklist /sbin
+blacklist /usr/sbin
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/strace
+#include /etc/firejail/disable-secret.inc
+# HOME directory
+blacklist ${HOME}/.ssh
+tmpfs ${HOME}/.gnome2_private
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/kde4/share/apps/kwallet
+blacklist ${HOME}/kde/share/apps/kwallet
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.local/share/recently-used.xbel
+blacklist ${HOME}/.adobe
+blacklist ${HOME}/.macromedia
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
new file mode 100644
index 000000000..b69cf3a57
--- /dev/null
+++ b/etc/gnome-mplayer.profile
@@ -0,0 +1,7 @@
+# GNOME MPlayer profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/icecat.profile b/etc/icecat.profile
new file mode 100644
index 000000000..25d426ad2
--- /dev/null
+++ b/etc/icecat.profile
@@ -0,0 +1,2 @@
+# Firejail profile for GNU Icecat
+include /etc/firejail/firefox.profile
diff --git a/etc/icedove.profile b/etc/icedove.profile
new file mode 100644
index 000000000..057e0c9ef
--- /dev/null
+++ b/etc/icedove.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
+include /etc/firejail/thunderbird.profile
diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile
new file mode 100644
index 000000000..e9b32846a
--- /dev/null
+++ b/etc/iceweasel.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+include /etc/firejail/firefox.profile
diff --git a/etc/login.users b/etc/login.users
new file mode 100644
index 000000000..5d5969091
--- /dev/null
+++ b/etc/login.users
@@ -0,0 +1,14 @@
+# /etc/firejail/login.users - restricted user shell configuration
+#
+# Each user entry consists of a user name and firejail
+# program arguments:
+#
+#       user name: arguments
+#
+# For example:
+#
+#       netblue:--debug --net=none
+#
+# The extra arguments are inserted into program command line if firejail
+# was started as a login shell.
diff --git a/etc/midori.profile b/etc/midori.profile
new file mode 100644
index 000000000..5479ba172
--- /dev/null
+++ b/etc/midori.profile
@@ -0,0 +1,9 @@
+# Midory browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc midori
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/opera.profile b/etc/opera.profile
new file mode 100644
index 000000000..852f10719
--- /dev/null
+++ b/etc/opera.profile
@@ -0,0 +1,8 @@
+# Chromium browser profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc opera
+netfilter
+noroot
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
new file mode 100644
index 000000000..6f5594919
--- /dev/null
+++ b/etc/pidgin.profile
@@ -0,0 +1,7 @@
+# Pidgin profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
new file mode 100644
index 000000000..f85dfc994
--- /dev/null
+++ b/etc/qbittorrent.profile
@@ -0,0 +1,9 @@
+# abittorrent profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/quassel.profile b/etc/quassel.profile
new file mode 100644
index 000000000..a2057ad01
--- /dev/null
+++ b/etc/quassel.profile
@@ -0,0 +1,7 @@
+# Quassel IRC profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
new file mode 100644
index 000000000..42d4dc0fa
--- /dev/null
+++ b/etc/rhythmbox.profile
@@ -0,0 +1,7 @@
+# Rhythmbox profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/server.profile b/etc/server.profile
new file mode 100644
index 000000000..bb15774fa
--- /dev/null
+++ b/etc/server.profile
@@ -0,0 +1,6 @@
+# generic server profile
+include /etc/firejail/disable-mgmt.inc sbin
+private
+private-dev
+seccomp
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
new file mode 100644
index 000000000..8b63a6ec5
--- /dev/null
+++ b/etc/thunderbird.profile
@@ -0,0 +1,9 @@
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc thunderbird icedove
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/totem.profile b/etc/totem.profile
new file mode 100644
index 000000000..50115deb5
--- /dev/null
+++ b/etc/totem.profile
@@ -0,0 +1,7 @@
+# Totem profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
new file mode 100644
index 000000000..9ccece285
--- /dev/null
+++ b/etc/transmission-gtk.profile
@@ -0,0 +1,9 @@
+# transmission-gtk profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
new file mode 100644
index 000000000..65a045f8e
--- /dev/null
+++ b/etc/transmission-qt.profile
@@ -0,0 +1,9 @@
+# transmission-qt profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+netfilter
+noroot
diff --git a/etc/vlc.profile b/etc/vlc.profile
new file mode 100644
index 000000000..76e1395f9
--- /dev/null
+++ b/etc/vlc.profile
@@ -0,0 +1,7 @@
+# VLC profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot
diff --git a/etc/xchat.profile b/etc/xchat.profile
new file mode 100644
index 000000000..b8d8cb1e2
--- /dev/null
+++ b/etc/xchat.profile
@@ -0,0 +1,7 @@
+# XChat profile
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+caps.drop all
+seccomp
+noroot

diff --git a/etc/audacious.profile b/etc/audacious.profile new file mode 100644 index 000000000..23f223a29 --- /dev/null +++ b/etc/audacious.profile
@@ -0,0 +1,8 @@
	1	# Audacious profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot
	8


diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile new file mode 100644 index 000000000..4cdc098d1 --- /dev/null +++ b/etc/chromium-browser.profile
@@ -0,0 +1,3 @@
	1	# Chromium browser profile
	2	include /etc/firejail/chromium.profile
	3


diff --git a/etc/chromium.profile b/etc/chromium.profile new file mode 100644 index 000000000..4f6e7e450 --- /dev/null +++ b/etc/chromium.profile
@@ -0,0 +1,7 @@
	1	# Chromium browser profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc chromium
	5	netfilter
	6
	7


diff --git a/etc/clementine.profile b/etc/clementine.profile new file mode 100644 index 000000000..dd855cc62 --- /dev/null +++ b/etc/clementine.profile
@@ -0,0 +1,7 @@
	1	# Clementine profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile new file mode 100644 index 000000000..e2f5787cc --- /dev/null +++ b/etc/deadbeef.profile
@@ -0,0 +1,8 @@
	1	# DeaDBeeF profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot
	8


diff --git a/etc/deluge.profile b/etc/deluge.profile new file mode 100644 index 000000000..138d0a133 --- /dev/null +++ b/etc/deluge.profile
@@ -0,0 +1,9 @@
	1	# deluge profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/disable-common.inc b/etc/disable-common.inc new file mode 100644 index 000000000..926000411 --- /dev/null +++ b/etc/disable-common.inc
@@ -0,0 +1,10 @@
	1	blacklist ${HOME}/.adobe
	2	blacklist ${HOME}/.macromedia
	3	blacklist ${HOME}/.mozilla
	4	blacklist ${HOME}/.icedove
	5	blacklist ${HOME}/.thunderbird
	6	blacklist ${HOME}/.config/midori
	7	blacklist ${HOME}/.config/opera
	8	blacklist ${HOME}/.config/chromium
	9	blacklist ${HOME}/.config/google-chrome
	10	blacklist ${HOME}/.filezilla


diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc new file mode 100644 index 000000000..f04619ea0 --- /dev/null +++ b/etc/disable-mgmt.inc
@@ -0,0 +1,12 @@
	1	# system directories
	2	blacklist /sbin
	3	blacklist /usr/sbin
	4
	5	# system management
	6	blacklist ${PATH}/umount
	7	blacklist ${PATH}/mount
	8	blacklist ${PATH}/fusermount
	9	blacklist ${PATH}/su
	10	blacklist ${PATH}/sudo
	11	blacklist ${PATH}/xinput
	12	blacklist ${PATH}/strace


diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc new file mode 100644 index 000000000..8ac1b3792 --- /dev/null +++ b/etc/disable-secret.inc
@@ -0,0 +1,9 @@
	1	# HOME directory
	2	blacklist ${HOME}/.ssh
	3	tmpfs ${HOME}/.gnome2_private
	4	blacklist ${HOME}/.gnome2/keyrings
	5	blacklist ${HOME}/kde4/share/apps/kwallet
	6	blacklist ${HOME}/kde/share/apps/kwallet
	7	blacklist ${HOME}/.pki/nssdb
	8	blacklist ${HOME}/.gnupg
	9	blacklist ${HOME}/.local/share/recently-used.xbel


diff --git a/etc/dropbox.profile b/etc/dropbox.profile new file mode 100644 index 000000000..82b54adb1 --- /dev/null +++ b/etc/dropbox.profile
@@ -0,0 +1,7 @@
	1	# dropbox profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps
	6	seccomp
	7	noroot


diff --git a/etc/empathy.profile b/etc/empathy.profile new file mode 100644 index 000000000..d24cae528 --- /dev/null +++ b/etc/empathy.profile
@@ -0,0 +1,6 @@
	1	# Empathy profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp


diff --git a/etc/evince.profile b/etc/evince.profile new file mode 100644 index 000000000..4d96d5904 --- /dev/null +++ b/etc/evince.profile
@@ -0,0 +1,8 @@
	1	# evince profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot


diff --git a/etc/filezilla.profile b/etc/filezilla.profile new file mode 100644 index 000000000..a54b5a734 --- /dev/null +++ b/etc/filezilla.profile
@@ -0,0 +1,10 @@
	1	# FileZilla profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc .filezilla
	5	caps.drop all
	6	seccomp
	7	noroot
	8	netfilter
	9
	10


diff --git a/etc/firefox.profile b/etc/firefox.profile new file mode 100644 index 000000000..dc3489d35 --- /dev/null +++ b/etc/firefox.profile
@@ -0,0 +1,9 @@
	1	# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc .mozilla
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/firejail.bash_completion b/etc/firejail.bash_completion new file mode 100644 index 000000000..50eccf536 --- /dev/null +++ b/etc/firejail.bash_completion
@@ -0,0 +1,86 @@
	1	# bash completion for firejail -- shell-script --
	2	#********************************************************************
	3	# Script based on completions/configure script in bash-completion package in
	4	# Debian. The original package is release under GPL v2 license, the webpage is
	5	# http://bash-completion.alioth.debian.org
	6	#*******************************************************************
	7
	8	__interfaces(){
	9	cut -f 1 -d ':' /proc/net/dev \| tail -n +3 \| grep -v lo \| xargs
	10	}
	11
	12
	13	_firejail()
	14	{
	15	local cur prev words cword split
	16	_init_completion -s \|\| return
	17
	18	case $prev in
	19	--help\|--version\|-debug-caps\|--debug-syscalls\|--list\|--tree\|--top\|--join\|--shutdown)
	20	return 0
	21	;;
	22	--profile)
	23	_filedir
	24	return 0
	25	;;
	26	--chroot)
	27	_filedir -d
	28	return 0
	29	;;
	30	--cgroup)
	31	_filedir -d
	32	return 0
	33	;;
	34	--tmpfs)
	35	_filedir
	36	return 0
	37	;;
	38	--blacklist)
	39	_filedir
	40	return 0
	41	;;
	42	--read-only)
	43	_filedir
	44	return 0
	45	;;
	46	--bind)
	47	_filedir
	48	return 0
	49	;;
	50	--private)
	51	_filedir
	52	return 0
	53	;;
	54	--shell)
	55	_filedir
	56	return 0
	57	;;
	58	--net)
	59	comps=$(__interfaces)
	60	COMPREPLY=( $(compgen -W '$comps' -- "$cur") )
	61	return 0
	62	;;
	63	esac
	64
	65	$split && return 0
	66
	67	# if $COMP_CONFIGURE_HINTS is not null, then completions of the form
	68	# --option=SETTING will include 'SETTING' as a contextual hint
	69	[[ "$cur" != -* ]] && _filedir && return 0
	70
	71	if [[ -n $COMP_CONFIGURE_HINTS ]]; then
	72	COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 \| \
	73	awk '/^ --[A-Za-z]/ { print $1; \
	74	if ($2 ~ /--[A-Za-z]/) print $2 }' \| sed -e 's/[[,].*//g' )" \
	75	-- "$cur" ) )
	76	[[ $COMPREPLY == = ]] && compopt -o nospace
	77	else
	78	COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
	79	[[ $COMPREPLY == *= ]] && compopt -o nospace
	80	fi
	81
	82	} &&
	83	complete -F _firejail firejail
	84
	85
	86


diff --git a/etc/firemon.bash_completion b/etc/firemon.bash_completion new file mode 100644 index 000000000..befbf2388 --- /dev/null +++ b/etc/firemon.bash_completion
@@ -0,0 +1,39 @@
	1	# bash completion for firemon -- shell-script --
	2	#********************************************************************
	3	# Script based on completions/configure script in bash-completion package in
	4	# Debian. The original package is release under GPL v2 license, the webpage is
	5	# http://bash-completion.alioth.debian.org
	6	#*******************************************************************
	7
	8	_firemon()
	9	{
	10	local cur prev words cword split
	11	_init_completion -s \|\| return
	12
	13	case $prev in
	14	--help\|--version)
	15	return
	16	;;
	17	esac
	18
	19	$split && return 0
	20
	21	# if $COMP_CONFIGURE_HINTS is not null, then completions of the form
	22	# --option=SETTING will include 'SETTING' as a contextual hint
	23	[[ "$cur" != -* ]] && return 0
	24
	25	if [[ -n $COMP_CONFIGURE_HINTS ]]; then
	26	COMPREPLY=( $( compgen -W "$( $1 --help 2>&1 \| \
	27	awk '/^ --[A-Za-z]/ { print $1; \
	28	if ($2 ~ /--[A-Za-z]/) print $2 }' \| sed -e 's/[[,].*//g' )" \
	29	-- "$cur" ) )
	30	[[ $COMPREPLY == = ]] && compopt -o nospace
	31	else
	32	COMPREPLY=( $( compgen -W '$( _parse_help "$1" )' -- "$cur" ) )
	33	[[ $COMPREPLY == *= ]] && compopt -o nospace
	34	fi
	35	} &&
	36	complete -F _firemon firemon
	37
	38
	39


diff --git a/etc/generic.profile b/etc/generic.profile new file mode 100644 index 000000000..83bf59e0a --- /dev/null +++ b/etc/generic.profile
@@ -0,0 +1,41 @@
	1	################################
	2	# Generic profile based on Firefox profile
	3	################################
	4	#include /etc/firejail/disable-mgmt.inc
	5	# system directories
	6	blacklist /sbin
	7	blacklist /usr/sbin
	8	# system management
	9	blacklist ${PATH}/umount
	10	blacklist ${PATH}/mount
	11	blacklist ${PATH}/fusermount
	12	blacklist ${PATH}/su
	13	blacklist ${PATH}/sudo
	14	blacklist ${PATH}/xinput
	15	blacklist ${PATH}/strace
	16
	17	#include /etc/firejail/disable-secret.inc
	18	# HOME directory
	19	blacklist ${HOME}/.ssh
	20	tmpfs ${HOME}/.gnome2_private
	21	blacklist ${HOME}/.gnome2/keyrings
	22	blacklist ${HOME}/kde4/share/apps/kwallet
	23	blacklist ${HOME}/kde/share/apps/kwallet
	24	blacklist ${HOME}/.pki/nssdb
	25	blacklist ${HOME}/.gnupg
	26	blacklist ${HOME}/.local/share/recently-used.xbel
	27
	28	blacklist ${HOME}/.adobe
	29	blacklist ${HOME}/.macromedia
	30	blacklist ${HOME}/.mozilla
	31	blacklist ${HOME}/.icedove
	32	blacklist ${HOME}/.thunderbird
	33	blacklist ${HOME}/.config/opera
	34	blacklist ${HOME}/.config/chromium
	35	blacklist ${HOME}/.config/google-chrome
	36
	37	caps.drop all
	38	seccomp
	39	netfilter
	40	noroot
	41


diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile new file mode 100644 index 000000000..b69cf3a57 --- /dev/null +++ b/etc/gnome-mplayer.profile
@@ -0,0 +1,7 @@
	1	# GNOME MPlayer profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/icecat.profile b/etc/icecat.profile new file mode 100644 index 000000000..25d426ad2 --- /dev/null +++ b/etc/icecat.profile
@@ -0,0 +1,2 @@
	1	# Firejail profile for GNU Icecat
	2	include /etc/firejail/firefox.profile


diff --git a/etc/icedove.profile b/etc/icedove.profile new file mode 100644 index 000000000..057e0c9ef --- /dev/null +++ b/etc/icedove.profile
@@ -0,0 +1,3 @@
	1	# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
	2	include /etc/firejail/thunderbird.profile
	3


diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile new file mode 100644 index 000000000..e9b32846a --- /dev/null +++ b/etc/iceweasel.profile
@@ -0,0 +1,2 @@
	1	# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
	2	include /etc/firejail/firefox.profile


diff --git a/etc/login.users b/etc/login.users new file mode 100644 index 000000000..5d5969091 --- /dev/null +++ b/etc/login.users
@@ -0,0 +1,14 @@
	1	# /etc/firejail/login.users - restricted user shell configuration
	2	#
	3	# Each user entry consists of a user name and firejail
	4	# program arguments:
	5	#
	6	# user name: arguments
	7	#
	8	# For example:
	9	#
	10	# netblue:--debug --net=none
	11	#
	12	# The extra arguments are inserted into program command line if firejail
	13	# was started as a login shell.
	14


diff --git a/etc/midori.profile b/etc/midori.profile new file mode 100644 index 000000000..5479ba172 --- /dev/null +++ b/etc/midori.profile
@@ -0,0 +1,9 @@
	1	# Midory browser profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc midori
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/opera.profile b/etc/opera.profile new file mode 100644 index 000000000..852f10719 --- /dev/null +++ b/etc/opera.profile
@@ -0,0 +1,8 @@
	1	# Chromium browser profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc opera
	5	netfilter
	6	noroot
	7
	8


diff --git a/etc/pidgin.profile b/etc/pidgin.profile new file mode 100644 index 000000000..6f5594919 --- /dev/null +++ b/etc/pidgin.profile
@@ -0,0 +1,7 @@
	1	# Pidgin profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile new file mode 100644 index 000000000..f85dfc994 --- /dev/null +++ b/etc/qbittorrent.profile
@@ -0,0 +1,9 @@
	1	# abittorrent profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/quassel.profile b/etc/quassel.profile new file mode 100644 index 000000000..a2057ad01 --- /dev/null +++ b/etc/quassel.profile
@@ -0,0 +1,7 @@
	1	# Quassel IRC profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile new file mode 100644 index 000000000..42d4dc0fa --- /dev/null +++ b/etc/rhythmbox.profile
@@ -0,0 +1,7 @@
	1	# Rhythmbox profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/server.profile b/etc/server.profile new file mode 100644 index 000000000..bb15774fa --- /dev/null +++ b/etc/server.profile
@@ -0,0 +1,6 @@
	1	# generic server profile
	2	include /etc/firejail/disable-mgmt.inc sbin
	3	private
	4	private-dev
	5	seccomp
	6


diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile new file mode 100644 index 000000000..8b63a6ec5 --- /dev/null +++ b/etc/thunderbird.profile
@@ -0,0 +1,9 @@
	1	# Firejail profile for Mozilla Thunderbird (Icedove in Debian)
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc thunderbird icedove
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/totem.profile b/etc/totem.profile new file mode 100644 index 000000000..50115deb5 --- /dev/null +++ b/etc/totem.profile
@@ -0,0 +1,7 @@
	1	# Totem profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile new file mode 100644 index 000000000..9ccece285 --- /dev/null +++ b/etc/transmission-gtk.profile
@@ -0,0 +1,9 @@
	1	# transmission-gtk profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile new file mode 100644 index 000000000..65a045f8e --- /dev/null +++ b/etc/transmission-qt.profile
@@ -0,0 +1,9 @@
	1	# transmission-qt profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	netfilter
	8	noroot
	9


diff --git a/etc/vlc.profile b/etc/vlc.profile new file mode 100644 index 000000000..76e1395f9 --- /dev/null +++ b/etc/vlc.profile
@@ -0,0 +1,7 @@
	1	# VLC profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot


diff --git a/etc/xchat.profile b/etc/xchat.profile new file mode 100644 index 000000000..b8d8cb1e2 --- /dev/null +++ b/etc/xchat.profile
@@ -0,0 +1,7 @@
	1	# XChat profile
	2	include /etc/firejail/disable-mgmt.inc
	3	include /etc/firejail/disable-secret.inc
	4	include /etc/firejail/disable-common.inc
	5	caps.drop all
	6	seccomp
	7	noroot