Diffstat (limited to 'etc')
-rw-r--r--etc/arch-audit.profile40
-rw-r--r--etc/audacious.profile1
-rw-r--r--etc/conky.profile35
-rw-r--r--etc/corebird.profile14
-rw-r--r--etc/disable-common.inc8
-rw-r--r--etc/disable-programs.inc1
-rw-r--r--etc/ffmpeg.profile33
-rw-r--r--etc/firefox.profile3
-rw-r--r--etc/geary.profile1
-rw-r--r--etc/musescore.profile1
-rw-r--r--etc/quiterss.profile1
-rw-r--r--etc/smtube.profile37
-rw-r--r--etc/thunderbird.profile1
-rw-r--r--etc/tuxguitar.profile1
-rw-r--r--etc/whitelist-common.inc7
-rw-r--r--etc/whitelist-var-common.inc1
16 files changed, 177 insertions, 8 deletions
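--- /dev/null
+++ b/etc/arch-audit.profile
@@ -0,0 +1,40 @@
+# Firejail profile for arch-audit
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/arch-audit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist /var/lib/pacman
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp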
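Review bot: `noblacklist /var/lib/pacman` on line 10 carries no comment saying why the pacman database has to be re-exposed inside the sandbox; presumably arch-audit reads the local package database to compare against advisories, but that should be stated rather than guessed, e.g. `# arch-audit reads the local pacman database (read-only is enough)`. The profile also leaves /etc fully visible; if the tool only needs the CA bundle and resolver configuration for its advisory fetch, a `private-etc` line (as the firefox profile already sketches in a comment) would narrow the view further, though the exact set cannot be confirmed from this diff. The empty lines 8–9 look like a template leftover and could be collapsed to one.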
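--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv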
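--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp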
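Review bot: The profile keeps network access (`netfilter` on line 16 and `protocol unix,inet,inet6` on line 25) with no comment on why a local status widget needs it; if the supported use does not include network-polling config snippets, `net none` as used by the ffmpeg profile in this same commit is the tighter default, and whichever choice is made deserves a one-line comment such as `# network kept for conky configs that poll remote data`. The double blank line after line 7 mirrors the spot where arch-audit.profile has its noblacklist block and looks like a template leftover that can be collapsed.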
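--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -5,16 +5,30 @@ include /etc/firejail/corebird.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ~/.config/corebird
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
+nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin corebird
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp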
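Review bot: The new `noblacklist ~/.config/corebird` on line 8 spells the path with `~` while its counterpart `blacklist ${HOME}/.config/corebird` added to disable-programs.inc in this same commit uses `${HOME}`; the pair is meant to be read together, so writing both as `noblacklist ${HOME}/.config/corebird` keeps them greppable as one unit. The `include /etc/firejail/whitelist-var-common.inc` sits before `caps.drop all` (line 15) whereas ffmpeg.profile in this commit places it after the private-* lines; one consistent position across the new profiles would make them easier to diff against each other.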
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ca6ba9710..abce0fe57 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,15 +2,14 @@
2# Persistent customizations should go in a .local file. 2# Persistent customizations should go in a .local file.
3include /etc/firejail/disable-common.local 3include /etc/firejail/disable-common.local
4 4
5# History files and clipboard managers in $HOME 5# History files in $HOME and clipboard managers
6blacklist-nolog ${HOME}/.*_history 6blacklist-nolog ${HOME}/.*_history
7blacklist-nolog ${HOME}/.adobe 7blacklist-nolog ${HOME}/.adobe
8blacklist-nolog ${HOME}/.bash_history 8blacklist-nolog ${HOME}/.cache/greenclip*
9blacklist-nolog ${HOME}/.history 9blacklist-nolog ${HOME}/.history
10blacklist-nolog ${HOME}/.local/share/fish/fish_history 10blacklist-nolog ${HOME}/.local/share/fish/fish_history
11blacklist-nolog ${HOME}/.macromedia 11blacklist-nolog ${HOME}/.macromedia
12blacklist-nolog /tmp/clipmenu* 12blacklist-nolog /tmp/clipmenu*
13blacklist-nolog ${HOME}/.cache/greenclip*
14 13
15# X11 session autostart 14# X11 session autostart
16# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs 15# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
@@ -229,7 +228,6 @@ blacklist ${HOME}/.mutt/muttrc
229blacklist ${HOME}/.muttrc 228blacklist ${HOME}/.muttrc
230blacklist ${HOME}/.netrc 229blacklist ${HOME}/.netrc
231blacklist ${HOME}/.pki 230blacklist ${HOME}/.pki
232blacklist ${HOME}/.password-store
233blacklist ${HOME}/.smbcredentials 231blacklist ${HOME}/.smbcredentials
234blacklist ${HOME}/.ssh 232blacklist ${HOME}/.ssh
235blacklist /etc/group+ 233blacklist /etc/group+
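Review bot: Removing `blacklist ${HOME}/.password-store` (old line 232, second hunk) drops the pass password store from the common blacklist, and nothing else in this diff adds it back — disable-passwdmgr.inc does not appear in the diffstat. Unless that file already lists the path, every profile that includes disable-common.inc but not disable-passwdmgr.inc now exposes `~/.password-store`; if the line was meant to move, the move should land in the same commit, otherwise keep `blacklist ${HOME}/.password-store` here. The `.bash_history` removal in the first hunk is safe, since `blacklist-nolog ${HOME}/.*_history` on line 6 already matches it, and the greenclip line is only relocated.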
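--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -82,6 +82,7 @@ blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge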
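--- /dev/null
+++ b/etc/ffmpeg.profile
@@ -0,0 +1,33 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/ffmpeg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nosound
+notv
+novideo
+nonewprivs
+noroot
+# protocol none - needs to be implemented!
+seccomp
+# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
+# memory-deny-write-execute - it breaks old versions of ffmpeg
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-bin ffmpeg
+include /etc/firejail/whitelist-var-common.inc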
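Review bot: Line 1 reads `# Firejail profile for default`, a copy-paste leftover that contradicts the `ffmpeg.local` include on line 5; it should be `# Firejail profile for ffmpeg`. `nogroups` is absent although this same commit adds it to audacious, musescore and tuxguitar, and `nonewprivs`/`noroot` (lines 21–22) are placed after `novideo`, breaking the alphabetical order the other new profiles follow; moving them up next to `nodvd` with a `nogroups` line keeps the profiles diffable and uniformly hardened, assuming nothing in ffmpeg needs supplementary groups. The commented `seccomp.keep` list on line 25 is useful as a starting point but has no note on which ffmpeg version it was captured against, so a short `# captured with ffmpeg <version> — re-verify before enabling` comment would save the next person a guess.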
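--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -73,7 +73,8 @@ seccomp
 shell none
 tracelog
 
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+# firefox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp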
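Review bot: The new commented-out `private-bin` list on line 77 names `sh` twice (`...,dbus-send,env,sh,bash`), and the comment on line 76 says `sh` may be removable, so the two lines already disagree with each other; `# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash` reads as what was intended, with the line-76 note explaining why `bash` was added. Since both lines remain commented out, the profile's runtime behaviour is unchanged by this hunk.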
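--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -14,7 +14,6 @@ noblacklist ~/.local/share/geary
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
 whitelist ~/.gnupg
-whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
 include /etc/firejail/whitelist-common.inc
 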
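--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv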
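--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
 whitelist ${HOME}/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/QuiteRss
 whitelist ${HOME}/quiterssfeeds.opml
 include /etc/firejail/whitelist-common.inc
 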
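--- /dev/null
+++ b/etc/smtube.profile
@@ -0,0 +1,37 @@
+# Firejail profile for smtube
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/smtube.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+notv
+novideo
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+#no private-bin because users can add their own players to smtube and that would prevent that
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp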
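Review bot: `protocol unix,inet,inet6,netlink` on line 28 is the only profile in this commit that allows netlink, and there is no comment saying what needs it; a note such as `# netlink: needed for network-interface enumeration — confirm` would stop a later tidy-up from either dropping it or copying it into profiles that do not need it. The noblacklist block on lines 8–13 follows from the line-32 comment about user-chosen players, but it also means any player whose config directory is not listed stays blacklisted; extending that comment with `add a noblacklist for other players in smtube.local` tells users where to put their own entry instead of editing this overwritten file.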
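--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -20,7 +20,6 @@ mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
 whitelist ~/.gnupg
 whitelist ~/.icedove
-whitelist ~/.local/share/applications
 whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
 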
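--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv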
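--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -35,10 +35,14 @@ whitelist ~/.gtkrc-2.0
 whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
+whitelist ~/.config/gtkrc
+whitelist ~/.config/gtkrc-2.0
 whitelist ~/.themes
 whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
+whitelist ~/.kde4/share/config/gtkrc
+whitelist ~/.kde4/share/config/gtkrc-2.0
 whitelist ~/.gnome2
 whitelist ~/.gnome2-private
 
@@ -51,3 +55,6 @@ whitelist ~/.config/kdeglobals
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
 whitelist ~/.kde/share/icons
+whitelist ~/.kde4/share/config/oxygenrc
+whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/icons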
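--- a/etc/whitelist-var-common.inc
+++ b/etc/whitelist-var-common.inc
@@ -8,3 +8,4 @@ whitelist /var/lib/menu-xdg
 whitelist /var/cache/fontconfig
 whitelist /var/tmp
 whitelist /var/run
+whitelist /var/lock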