11 files changed, 89 insertions, 52 deletions
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 8971ce1a2..162201cb8 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -7,10 +7,13 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
 nonewprivs
-noroot
 nogroups
-#private-bin audacity
+noroot
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
+tracelog
+private-bin audacity
+private-dev
diff --git a/etc/aweather.profile b/etc/aweather.profile
index dd508e736..d617fb701 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,24 +1,25 @@
 # Firejail profile for aweather.
-# Noblacklist
 noblacklist ~/.config/aweather
-# Include
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Call these options
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
 caps.drop all
 netfilter
 nonewprivs
+nogroups
 noroot
+nosound
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
-# Whitelist
+private-bin aweather
-mkdir ~/.config
+private-dev
-mkdir ~/.config/aweather
-whitelist ~/.config/aweather
diff --git a/etc/gitter.profile b/etc/gitter.profile
index 0c2bd1353..2882c59a6 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -1,6 +1,5 @@
 # Firejail profile for Gitter
 noblacklist ~/.config/Gitter
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -8,6 +7,12 @@ include /etc/firejail/disable-devel.inc
 caps.drop all
 netfilter
+nonewprivs
+nogroups
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+private-bin gitter
+private-dev
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index ba9fce37b..02bb4d24d 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -1,24 +1,25 @@
 # Firejail profile for gpredict.
-# Noblacklist
 noblacklist ~/.config/Gpredict
-# Include
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Call these options
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
 caps.drop all
 netfilter
 nonewprivs
+nogroups
 noroot
+nosound
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
-# Whitelist
+private-bin gpredict
-mkdir ~/.config
+private-dev
-mkdir ~/.config/Gpredict
-whitelist ~/.config/Gpredict
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index a74954ddb..302c20d7d 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -1,31 +1,30 @@
 # Firejail profile for Pale Moon
-# Noblacklists
 noblacklist ~/.moonchild productions/pale moon
 noblacklist ~/.cache/moonchild productions/pale moon
-# Included profiles
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/whitelist-common.inc
-# Options
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache
+mkdir ~/.cache/moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
-whitelist ${DOWNLOADS}
+private-bin palemoon
-mkdir ~/.moonchild productions
-whitelist ~/.moonchild productions
-mkdir ~/.cache
-mkdir ~/.cache/moonchild productions
-mkdir ~/.cache/moonchild productions/pale moon
-whitelist ~/.cache/moonchild productions/pale moon
 # These are uncommented in the Firefox profile. If you run into trouble you may
 # want to uncomment (some of) them.
@@ -56,3 +55,4 @@ whitelist ~/.config/lastpass
 # experimental features
 #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index 0782a653d..9f087ea1d 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+nogroups
 netfilter
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+tracelog
+private-bin rhythmbox
+private-dev
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 9ba25b818..ca575970b 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -24,7 +24,12 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+private-bin spotify
+private-dev
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 148ec949d..d0c1326b3 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -1,28 +1,29 @@
 # Firejail profile for Stellarium.
-# Noblacklist
 noblacklist ~/.stellarium
 noblacklist ~/.config/stellarium
-# Include
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Call these options
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
+nosound
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
-# Whitelist
+private-bin stellarium
-mkdir ~/.stellarium
+private-dev
-whitelist ~/.stellarium
-mkdir ~/.config
-mkdir ~/.config/stellarium
-whitelist ~/.config/stellarium
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index ceeaca012..ff37e2800 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -6,15 +6,20 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
 # Call these options
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
-# Whitelist
+private-bin warzone2100
-mkdir ~/.warzone2100-3.1
+private-dev
-whitelist ~/.warzone2100-3.1
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index cd9cbed45..a46b2fa06 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -10,7 +10,12 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
 nonewprivs
+nogroups
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 tracelog
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 51949526d..7a4ae4858 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -6,9 +6,14 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
-noroot
 nonewprivs
-protocol unix,inet,inet6
+nogroups
+noroot
+nosound
+protocol unix
 seccomp
+shell none
 tracelog
+private-dev
+private-bin xviewer

diff --git a/etc/audacity.profile b/etc/audacity.profile index 8971ce1a2..162201cb8 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile
@@ -7,10 +7,13 @@ include /etc/firejail/disable-passwdmgr.inc
7	include /etc/firejail/disable-programs.inc	7	include /etc/firejail/disable-programs.inc
8		8
9	caps.drop all	9	caps.drop all
10	netfilter
11	nonewprivs	10	nonewprivs
12	noroot
13	nogroups	11	nogroups
14	#private-bin audacity	12	noroot
15	protocol unix,inet,inet6	13	protocol unix
16	seccomp	14	seccomp
		15	shell none
		16	tracelog
		17
		18	private-bin audacity
		19	private-dev


diff --git a/etc/aweather.profile b/etc/aweather.profile index dd508e736..d617fb701 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile
@@ -1,24 +1,25 @@
1	# Firejail profile for aweather.	1	# Firejail profile for aweather.
2
3	# Noblacklist
4	noblacklist ~/.config/aweather	2	noblacklist ~/.config/aweather
5
6	# Include
7	include /etc/firejail/disable-common.inc	3	include /etc/firejail/disable-common.inc
8	include /etc/firejail/disable-devel.inc	4	include /etc/firejail/disable-devel.inc
9	include /etc/firejail/disable-passwdmgr.inc	5	include /etc/firejail/disable-passwdmgr.inc
10	include /etc/firejail/disable-programs.inc	6	include /etc/firejail/disable-programs.inc
11		7
12	# Call these options	8	# Whitelist
		9	mkdir ~/.config
		10	mkdir ~/.config/aweather
		11	whitelist ~/.config/aweather
		12
13	caps.drop all	13	caps.drop all
14	netfilter	14	netfilter
15	nonewprivs	15	nonewprivs
		16	nogroups
16	noroot	17	noroot
		18	nosound
17	protocol unix,inet,inet6,netlink	19	protocol unix,inet,inet6,netlink
18	seccomp	20	seccomp
		21	shell none
19	tracelog	22	tracelog
20		23
21	# Whitelist	24	private-bin aweather
22	mkdir ~/.config	25	private-dev
23	mkdir ~/.config/aweather
24	whitelist ~/.config/aweather


diff --git a/etc/gitter.profile b/etc/gitter.profile index 0c2bd1353..2882c59a6 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile
@@ -1,6 +1,5 @@
1	# Firejail profile for Gitter	1	# Firejail profile for Gitter
2	noblacklist ~/.config/Gitter	2	noblacklist ~/.config/Gitter
3
4	include /etc/firejail/disable-common.inc	3	include /etc/firejail/disable-common.inc
5	include /etc/firejail/disable-passwdmgr.inc	4	include /etc/firejail/disable-passwdmgr.inc
6	include /etc/firejail/disable-programs.inc	5	include /etc/firejail/disable-programs.inc
@@ -8,6 +7,12 @@ include /etc/firejail/disable-devel.inc
8		7
9	caps.drop all	8	caps.drop all
10	netfilter	9	netfilter
		10	nonewprivs
		11	nogroups
11	noroot	12	noroot
12	protocol unix,inet,inet6,netlink	13	protocol unix,inet,inet6,netlink
13	seccomp	14	seccomp
		15	shell none
		16
		17	private-bin gitter
		18	private-dev


diff --git a/etc/gpredict.profile b/etc/gpredict.profile index ba9fce37b..02bb4d24d 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile
@@ -1,24 +1,25 @@
1	# Firejail profile for gpredict.	1	# Firejail profile for gpredict.
2
3	# Noblacklist
4	noblacklist ~/.config/Gpredict	2	noblacklist ~/.config/Gpredict
5
6	# Include
7	include /etc/firejail/disable-common.inc	3	include /etc/firejail/disable-common.inc
8	include /etc/firejail/disable-devel.inc	4	include /etc/firejail/disable-devel.inc
9	include /etc/firejail/disable-passwdmgr.inc	5	include /etc/firejail/disable-passwdmgr.inc
10	include /etc/firejail/disable-programs.inc	6	include /etc/firejail/disable-programs.inc
11		7
12	# Call these options	8	# Whitelist
		9	mkdir ~/.config
		10	mkdir ~/.config/Gpredict
		11	whitelist ~/.config/Gpredict
		12
13	caps.drop all	13	caps.drop all
14	netfilter	14	netfilter
15	nonewprivs	15	nonewprivs
		16	nogroups
16	noroot	17	noroot
		18	nosound
17	protocol unix,inet,inet6,netlink	19	protocol unix,inet,inet6,netlink
18	seccomp	20	seccomp
		21	shell none
19	tracelog	22	tracelog
20		23
21	# Whitelist	24	private-bin gpredict
22	mkdir ~/.config	25	private-dev
23	mkdir ~/.config/Gpredict
24	whitelist ~/.config/Gpredict


diff --git a/etc/palemoon.profile b/etc/palemoon.profile index a74954ddb..302c20d7d 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile
@@ -1,31 +1,30 @@
1	# Firejail profile for Pale Moon	1	# Firejail profile for Pale Moon
2
3	# Noblacklists
4	noblacklist ~/.moonchild productions/pale moon	2	noblacklist ~/.moonchild productions/pale moon
5	noblacklist ~/.cache/moonchild productions/pale moon	3	noblacklist ~/.cache/moonchild productions/pale moon
6
7	# Included profiles
8	include /etc/firejail/disable-common.inc	4	include /etc/firejail/disable-common.inc
9	include /etc/firejail/disable-programs.inc	5	include /etc/firejail/disable-programs.inc
10	include /etc/firejail/disable-devel.inc	6	include /etc/firejail/disable-devel.inc
11	include /etc/firejail/whitelist-common.inc	7	include /etc/firejail/whitelist-common.inc
12		8
13	# Options	9	whitelist ${DOWNLOADS}
		10	mkdir ~/.moonchild productions
		11	whitelist ~/.moonchild productions
		12	mkdir ~/.cache
		13	mkdir ~/.cache/moonchild productions
		14	mkdir ~/.cache/moonchild productions/pale moon
		15	whitelist ~/.cache/moonchild productions/pale moon
		16
14	caps.drop all	17	caps.drop all
15	netfilter	18	netfilter
		19	nogroups
16	nonewprivs	20	nonewprivs
17	noroot	21	noroot
18	protocol unix,inet,inet6,netlink	22	protocol unix,inet,inet6,netlink
19	seccomp	23	seccomp
		24	shell none
20	tracelog	25	tracelog
21		26
22	whitelist ${DOWNLOADS}	27	private-bin palemoon
23	mkdir ~/.moonchild productions
24	whitelist ~/.moonchild productions
25	mkdir ~/.cache
26	mkdir ~/.cache/moonchild productions
27	mkdir ~/.cache/moonchild productions/pale moon
28	whitelist ~/.cache/moonchild productions/pale moon
29		28
30	# These are uncommented in the Firefox profile. If you run into trouble you may	29	# These are uncommented in the Firefox profile. If you run into trouble you may
31	# want to uncomment (some of) them.	30	# want to uncomment (some of) them.
@@ -56,3 +55,4 @@ whitelist ~/.config/lastpass
56		55
57	# experimental features	56	# experimental features
58	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse	57	#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
		58	#private-dev (disabled for now as it will interfere with webcam use in palemoon)


diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0782a653d..9f087ea1d 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile
@@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc
5	include /etc/firejail/disable-passwdmgr.inc	5	include /etc/firejail/disable-passwdmgr.inc
6		6
7	caps.drop all	7	caps.drop all
		8	nogroups
8	netfilter	9	netfilter
9	nonewprivs	10	nonewprivs
10	noroot	11	noroot
11	protocol unix,inet,inet6	12	protocol unix,inet,inet6
12	seccomp	13	seccomp
		14	shell none
		15	tracelog
		16
		17	private-bin rhythmbox
		18	private-dev


diff --git a/etc/spotify.profile b/etc/spotify.profile index 9ba25b818..ca575970b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile
@@ -24,7 +24,12 @@ include /etc/firejail/whitelist-common.inc
24		24
25	caps.drop all	25	caps.drop all
26	netfilter	26	netfilter
		27	nogroups
27	nonewprivs	28	nonewprivs
28	noroot	29	noroot
29	protocol unix,inet,inet6,netlink	30	protocol unix,inet,inet6,netlink
30	seccomp	31	seccomp
		32	shell none
		33
		34	private-bin spotify
		35	private-dev


diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 148ec949d..d0c1326b3 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile
@@ -1,28 +1,29 @@
1	# Firejail profile for Stellarium.	1	# Firejail profile for Stellarium.
2
3	# Noblacklist
4	noblacklist ~/.stellarium	2	noblacklist ~/.stellarium
5	noblacklist ~/.config/stellarium	3	noblacklist ~/.config/stellarium
6
7	# Include
8	include /etc/firejail/disable-common.inc	4	include /etc/firejail/disable-common.inc
9	include /etc/firejail/disable-devel.inc	5	include /etc/firejail/disable-devel.inc
10	include /etc/firejail/disable-passwdmgr.inc	6	include /etc/firejail/disable-passwdmgr.inc
11	include /etc/firejail/disable-programs.inc	7	include /etc/firejail/disable-programs.inc
12		8
13	# Call these options	9	# Whitelist
		10	mkdir ~/.stellarium
		11	whitelist ~/.stellarium
		12	mkdir ~/.config
		13	mkdir ~/.config/stellarium
		14	whitelist ~/.config/stellarium
		15
14	caps.drop all	16	caps.drop all
15	netfilter	17	netfilter
		18	nogroups
16	nonewprivs	19	nonewprivs
17	noroot	20	noroot
		21	nosound
18	protocol unix,inet,inet6,netlink	22	protocol unix,inet,inet6,netlink
19	seccomp	23	seccomp
		24	shell none
20	tracelog	25	tracelog
21		26
22	# Whitelist	27	private-bin stellarium
23	mkdir ~/.stellarium	28	private-dev
24	whitelist ~/.stellarium
25		29
26	mkdir ~/.config
27	mkdir ~/.config/stellarium
28	whitelist ~/.config/stellarium


diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ceeaca012..ff37e2800 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile
@@ -6,15 +6,20 @@ include /etc/firejail/disable-devel.inc
6	include /etc/firejail/disable-passwdmgr.inc	6	include /etc/firejail/disable-passwdmgr.inc
7	include /etc/firejail/disable-programs.inc	7	include /etc/firejail/disable-programs.inc
8		8
		9	# Whitelist
		10	mkdir ~/.warzone2100-3.1
		11	whitelist ~/.warzone2100-3.1
		12
9	# Call these options	13	# Call these options
10	caps.drop all	14	caps.drop all
11	netfilter	15	netfilter
		16	nogroups
12	nonewprivs	17	nonewprivs
13	noroot	18	noroot
14	protocol unix,inet,inet6,netlink	19	protocol unix,inet,inet6,netlink
15	seccomp	20	seccomp
		21	shell none
16	tracelog	22	tracelog
17		23
18	# Whitelist	24	private-bin warzone2100
19	mkdir ~/.warzone2100-3.1	25	private-dev
20	whitelist ~/.warzone2100-3.1


diff --git a/etc/xplayer.profile b/etc/xplayer.profile index cd9cbed45..a46b2fa06 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile
@@ -10,7 +10,12 @@ include /etc/firejail/disable-passwdmgr.inc
10	caps.drop all	10	caps.drop all
11	netfilter	11	netfilter
12	nonewprivs	12	nonewprivs
		13	nogroups
13	noroot	14	noroot
14	protocol unix,inet,inet6	15	protocol unix,inet,inet6
15	seccomp	16	seccomp
		17	shell none
16	tracelog	18	tracelog
		19
		20	private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
		21	private-dev


diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 51949526d..7a4ae4858 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile
@@ -6,9 +6,14 @@ include /etc/firejail/disable-devel.inc
6	include /etc/firejail/disable-passwdmgr.inc	6	include /etc/firejail/disable-passwdmgr.inc
7		7
8	caps.drop all	8	caps.drop all
9	netfilter
10	noroot
11	nonewprivs	9	nonewprivs
12	protocol unix,inet,inet6	10	nogroups
		11	noroot
		12	nosound
		13	protocol unix
13	seccomp	14	seccomp
		15	shell none
14	tracelog	16	tracelog
		17
		18	private-dev
		19	private-bin xviewer