Diffstat (limited to 'etc')
-rw-r--r-- | etc/arch-audit.profile | 40 | ||||
-rw-r--r-- | etc/audacious.profile | 1 | ||||
-rw-r--r-- | etc/conky.profile | 35 | ||||
-rw-r--r-- | etc/corebird.profile | 14 | ||||
-rw-r--r-- | etc/disable-common.inc | 8 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/ffmpeg.profile | 33 | ||||
-rw-r--r-- | etc/firefox.profile | 3 | ||||
-rw-r--r-- | etc/geary.profile | 1 | ||||
-rw-r--r-- | etc/musescore.profile | 1 | ||||
-rw-r--r-- | etc/quiterss.profile | 1 | ||||
-rw-r--r-- | etc/smtube.profile | 37 | ||||
-rw-r--r-- | etc/thunderbird.profile | 1 | ||||
-rw-r--r-- | etc/tuxguitar.profile | 1 | ||||
-rw-r--r-- | etc/whitelist-common.inc | 7 | ||||
-rw-r--r-- | etc/whitelist-var-common.inc | 1 |
16 files changed, 177 insertions, 8 deletions
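--- /dev/null
+++ b/etc/arch-audit.profile
@@ -0,0 +1,40 @@
+# Firejail profile for arch-audit
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/arch-audit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist /var/lib/pacman
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private
+private-bin arch-audit
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp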
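Review bot: The new profile leaves all of /etc visible even though the rest of it is tight (`private`, `private-bin arch-audit`, `disable-mnt`): arch-audit is granted `protocol unix,inet,inet6` plus `netfilter`, presumably to fetch the Arch security advisories over HTTPS, so it should need little from /etc beyond name resolution, the CA store and the pacman configuration. If that holds, a line such as `private-etc ca-certificates,ssl,resolv.conf,nsswitch.conf,hosts,pacman.conf,pacman.d` would close the rest of /etc; the exact list has to be confirmed on a live system, because a missing entry only shows up as a runtime failure. Also, the two consecutive blank lines after the globals.local include (lines 8-9) look like a template artefact; the other new profiles in this commit keep a single one.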
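--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 notv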
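--- /dev/null
+++ b/etc/conky.profile
@@ -0,0 +1,35 @@
+# Firejail profile for conky
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/conky.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp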
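Review bot: conky.profile omits `private-bin` without saying why, whereas smtube.profile in the same commit documents the identical omission; since conky configurations commonly run external commands through `${exec}`/`${execi}`, a one-line comment such as `# no private-bin: conky configs run arbitrary programs via ${exec}/${execi}` would stop the next reader from "fixing" it. The `memory-deny-write-execute` line deserves a caveat as well: if the installed conky is linked against LuaJIT (distribution-dependent, not visible here), the JIT needs pages that are both writable and executable and the sandbox will kill it, so the profile should either state that it assumes a non-JIT Lua or drop the restriction with a comment, as ffmpeg.profile does.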
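--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -5,16 +5,30 @@ include /etc/firejail/corebird.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ~/.config/corebird
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+include /etc/firejail/whitelist-var-common.inc
+
 caps.drop all
 netfilter
 nodvd
+nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-bin corebird
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp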
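Review bot: `private-bin corebird` (new line 29) leaves the client no way to hand links to a browser: corebird is a GTK application, and opening a URL from it normally goes through gio/xdg-open, which is not in the list (inferred from the application type, not from anything visible here). If link opening is expected to keep working the list needs the helper and its interpreter, e.g. `private-bin corebird,xdg-open,sh`, otherwise a comment should record that external links are intentionally blocked. Either way it is worth confirming on a live run before this lands in a release.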
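--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -2,15 +2,14 @@
 # Persistent customizations should go in a .local file.
 include /etc/firejail/disable-common.local
 
-# History files and clipboard managers in $HOME
+# History files in $HOME and clipboard managers
 blacklist-nolog ${HOME}/.*_history
 blacklist-nolog ${HOME}/.adobe
-blacklist-nolog ${HOME}/.bash_history
+blacklist-nolog ${HOME}/.cache/greenclip*
 blacklist-nolog ${HOME}/.history
 blacklist-nolog ${HOME}/.local/share/fish/fish_history
 blacklist-nolog ${HOME}/.macromedia
 blacklist-nolog /tmp/clipmenu*
-blacklist-nolog ${HOME}/.cache/greenclip*
 
 # X11 session autostart
 # blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
@@ -229,7 +228,6 @@ blacklist ${HOME}/.mutt/muttrc
 blacklist ${HOME}/.muttrc
 blacklist ${HOME}/.netrc
 blacklist ${HOME}/.pki
-blacklist ${HOME}/.password-store
 blacklist ${HOME}/.smbcredentials
 blacklist ${HOME}/.ssh
 blacklist /etc/group+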
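Review bot: The second hunk drops `blacklist ${HOME}/.password-store` from disable-common.inc and nothing in this commit adds it back: etc/disable-passwdmgr.inc is not in the diffstat. Unless that file already lists the pass(1) store, every profile that includes disable-common.inc but not disable-passwdmgr.inc now exposes the user's GPG-encrypted password directory together with its .gpg-id file, so the commit should either point at where the entry lives now or keep the line. The first hunk is fine as a deduplication: `.bash_history` is already matched by the `${HOME}/.*_history` glob on line 6, and the greenclip entry merely moves to keep the list sorted.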
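--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -82,6 +82,7 @@ blacklist ${HOME}/.config/chromium-dev
 blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/darktable
 blacklist ${HOME}/.config/deadbeef
 blacklist ${HOME}/.config/deluge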
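--- /dev/null
+++ b/etc/ffmpeg.profile
@@ -0,0 +1,33 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/ffmpeg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+no3d
+nodvd
+nosound
+notv
+novideo
+nonewprivs
+noroot
+# protocol none - needs to be implemented!
+seccomp
+# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
+# memory-deny-write-execute - it breaks old versions of ffmpeg
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-bin ffmpeg
+include /etc/firejail/whitelist-var-common.inc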
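Review bot: The header on line 1 reads `# Firejail profile for default`, a leftover from whichever file this was copied from; it should be `# Firejail profile for ffmpeg` so that anyone listing profiles by their header gets the right name. Line 25 carries a long commented-out `seccomp.keep` syscall list with no indication of whether it was tested or why it is disabled; either drop it or add a sentence stating its status, as the `memory-deny-write-execute` comment on line 26 already does. `nogroups` is also missing although every other new profile in this commit (arch-audit, conky, smtube) has it and three existing profiles gain it here; ffmpeg has no use for supplementary groups. Finally, `net none` is a sound default for a transcoder but will break `ffmpeg -i http://...` style inputs, so a comment pointing users at ffmpeg.local for overriding it would save support questions.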
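--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -73,7 +73,8 @@ seccomp
 shell none
 tracelog
 
-# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+# firefox requires a shell to launch on Arch. We can possibly remove sh though.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,sh,bash
 private-dev
 # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
 private-tmp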
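Review bot: The replacement comment on new line 77 lists `sh` twice (`...,sh,dbus-launch,dbus-send,env,sh,bash`), and the sentence above it says sh could possibly be removed while the line itself adds bash, so a reader cannot tell which shell Arch actually needs. Since this is only a commented-out candidate, tidy it to a single shell entry, e.g. `# private-bin firefox,which,dbus-launch,dbus-send,env,sh,bash`, and record the tested finding in the note above it (`# firefox needs a shell to launch on Arch; confirm whether sh or bash is the one required`) before anyone enables the line.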
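--- a/etc/geary.profile
+++ b/etc/geary.profile
@@ -14,7 +14,6 @@ noblacklist ~/.local/share/geary
 mkdir ~/.gnupg
 mkdir ~/.local/share/geary
 whitelist ~/.gnupg
-whitelist ~/.local/share/applications
 whitelist ~/.local/share/geary
 include /etc/firejail/whitelist-common.inc
 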
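--- a/etc/musescore.profile
+++ b/etc/musescore.profile
@@ -19,6 +19,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv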
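--- a/etc/quiterss.profile
+++ b/etc/quiterss.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/QuiteRss
 whitelist ${HOME}/.config/QuiteRss/
 whitelist ${HOME}/.config/QuiteRssrc
 whitelist ${HOME}/.local/share/data/QuiteRss
+whitelist ${HOME}/.local/share/QuiteRss
 whitelist ${HOME}/quiterssfeeds.opml
 include /etc/firejail/whitelist-common.inc
 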
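--- /dev/null
+++ b/etc/smtube.profile
@@ -0,0 +1,37 @@
+# Firejail profile for smtube
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/smtube.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.config/smplayer
+noblacklist ${HOME}/.config/smtube
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.mplayer
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+notv
+novideo
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+#no private-bin because users can add their own players to smtube and that would prevent that
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp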
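Review bot: `protocol unix,inet,inet6,netlink` on line 28 adds netlink without a comment, and netlink is the one entry that grants more than a media front-end obviously needs (interface and routing enumeration, among other subsystems). Presumably it is required by Qt's network-interface probing or by one of the external players the noblacklist lines allow, but that should be recorded, e.g. `# netlink: needed by Qt network interface enumeration - confirm`, so the entry is not copied into other profiles blindly. Style: `nogroups` on line 25 sits after `novideo`, breaking the alphabetical ordering the other new profiles in this commit use (nodvd, nogroups, nonewprivs, noroot, notv, novideo).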
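--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -20,7 +20,6 @@ mkdir ~/.thunderbird
 whitelist ~/.cache/thunderbird
 whitelist ~/.gnupg
 whitelist ~/.icedove
-whitelist ~/.local/share/applications
 whitelist ~/.thunderbird
 include /etc/firejail/whitelist-common.inc
 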
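--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -17,6 +17,7 @@ caps.drop all
 netfilter
 no3d
 nodvd
+nogroups
 nonewprivs
 noroot
 notv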
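--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -35,10 +35,14 @@ whitelist ~/.gtkrc-2.0
 whitelist ~/.gtk-2.0
 whitelist ~/.config/gtk-2.0
 whitelist ~/.config/gtk-3.0
+whitelist ~/.config/gtkrc
+whitelist ~/.config/gtkrc-2.0
 whitelist ~/.themes
 whitelist ~/.local/share/themes
 whitelist ~/.kde/share/config/gtkrc
 whitelist ~/.kde/share/config/gtkrc-2.0
+whitelist ~/.kde4/share/config/gtkrc
+whitelist ~/.kde4/share/config/gtkrc-2.0
 whitelist ~/.gnome2
 whitelist ~/.gnome2-private
 
@@ -51,3 +55,6 @@ whitelist ~/.config/kdeglobals
 whitelist ~/.kde/share/config/oxygenrc
 whitelist ~/.kde/share/config/kdeglobals
 whitelist ~/.kde/share/icons
+whitelist ~/.kde4/share/config/oxygenrc
+whitelist ~/.kde4/share/config/kdeglobals
+whitelist ~/.kde4/share/icons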
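--- a/etc/whitelist-var-common.inc
+++ b/etc/whitelist-var-common.inc
@@ -8,3 +8,4 @@ whitelist /var/lib/menu-xdg
 whitelist /var/cache/fontconfig
 whitelist /var/tmp
 whitelist /var/run
+whitelist /var/lock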
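Review bot: `whitelist /var/lock` is added with no profile in this commit that visibly depends on it, and on most current distributions /var/lock is a symlink into /run (typically /run/lock), so whether the whitelist has to be written against the resolved path or firejail follows the link should be checked rather than assumed. The directory is also a shared location that is often world-writable, and this include is pulled in by every profile that uses whitelist-var-common.inc (corebird and ffmpeg in this commit), so the program that needs it should be named in a comment, e.g. `# /var/lock (usually -> /run/lock): required by <program>`.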