Diffstat (limited to 'etc')
-rw-r--r-- | etc/arduino.profile | 6 | ||||
-rw-r--r-- | etc/bitlbee.profile | 1 | ||||
-rw-r--r-- | etc/disable-common.inc | 4 | ||||
-rw-r--r-- | etc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/discord.profile | 33 | ||||
-rw-r--r-- | etc/firefox-common-addons.inc | 13 | ||||
-rw-r--r-- | etc/firejail-default | 6 | ||||
-rw-r--r-- | etc/flowblade.profile | 6 | ||||
-rw-r--r-- | etc/jd-gui.profile | 6 | ||||
-rw-r--r-- | etc/less.profile | 2 | ||||
-rw-r--r-- | etc/openshot.profile | 6 | ||||
-rw-r--r-- | etc/pycharm-community.profile | 6 | ||||
-rw-r--r-- | etc/ranger.profile | 10 | ||||
-rw-r--r-- | etc/steam.profile | 6 | ||||
-rw-r--r-- | etc/terasology.profile | 6 | ||||
-rw-r--r-- | etc/uzbl-browser.profile | 7 | ||||
-rw-r--r-- | etc/zaproxy.profile | 6 | ||||
-rw-r--r-- | etc/zathura.profile | 3 |
18 files changed, 119 insertions, 9 deletions
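--- a/etc/arduino.profile
+++ b/etc/arduino.profile
@@ -9,6 +9,12 @@ noblacklist ${HOME}/.arduino15
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/Arduino
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc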
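Review bot: The new `# Allow access to java` comment does not say which include blacklists these four paths, unlike the python blocks elsewhere in this commit (`# Allow python (blacklisted by disable-interpreters.inc)`); the same block is repeated verbatim in jd-gui, pycharm-community, steam, terasology and zaproxy. Suggest `# Allow java (blacklisted by disable-devel.inc)` if that is indeed where the paths are blacklisted — the include is not part of this hunk, so confirm. Since the four `noblacklist` lines are identical in six profiles, a shared include (for example an `allow-java.inc`) would keep them in sync the next time a path is added, and the `noblacklist` lines must stay above the `include .../disable-*.inc` lines, as they do here, to take effect.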
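--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -28,7 +28,6 @@ seccomp
 disable-mnt
 private
 private-dev
-private-dev
 private-tmp
 read-write /var/lib/bitlbee
 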
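--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -116,6 +116,10 @@ blacklist /run/user/*/kdeinit5__*
 # blacklist /tmp/ksocket-*/kdeinit4__*
 # - causes issues when kdeinit4 gets killed; enable on KDE Plasma 4
 
+# gnome
+# contains extensions, last used times of applications, and notifications
+blacklist ${HOME}/.local/share/gnome-shell
+
 # systemd
 blacklist ${HOME}/.config/systemd
 blacklist ${HOME}/.local/share/systemd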
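--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -429,6 +429,7 @@ blacklist ${HOME}/.local/share/telepathy
 blacklist ${HOME}/.local/share/terasology
 blacklist ${HOME}/.local/share/torbrowser
 blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/uzbl
 blacklist ${HOME}/.local/share/vlc
 blacklist ${HOME}/.local/share/vpltd
 blacklist ${HOME}/.local/share/vulkan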
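--- /dev/null
+++ b/etc/discord.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/discord.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+
+private-bin discord,sh,xdg-mime
+private-dev
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp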
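Review bot: `private-etc fonts` leaves the new profile's /etc with only the fonts directory, so `/etc/resolv.conf`, `/etc/hosts` and the CA-certificate directories are not visible inside the sandbox even though the profile grants `inet,inet6` and `netfilter`; unless this firejail version adds those entries on its own, Discord will have no DNS and no TLS trust store, so the list should be extended (for example `private-etc fonts,resolv.conf,hosts,ssl,ca-certificates` — verify the names against the target distribution). The profile also omits `disable-mnt` and `shell none`, which sibling profiles in this commit (bitlbee, less, zathura) use; with `private-bin discord,sh,xdg-mime` and `noexec ${HOME}` already in place, those two lines close the remaining obvious gaps at no cost. A short comment on the `whitelist ${HOME}/.config/discord` line noting that it hides the rest of `${HOME}` (so a saved file presumably needs an explicit `whitelist ${DOWNLOADS}` in discord.local) would spare users a confusing failure.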
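--- a/etc/firefox-common-addons.inc
+++ b/etc/firefox-common-addons.inc
@@ -16,7 +16,6 @@ noblacklist ${HOME}/.kde4/share/apps/okular
 noblacklist ${HOME}/.kde4/share/config/kgetrc
 noblacklist ${HOME}/.kde4/share/config/okularpartrc
 noblacklist ${HOME}/.kde4/share/config/okularrc
-# noblacklist ${HOME}/.local/share/gnome-shell/extensions
 noblacklist ${HOME}/.local/share/kget
 noblacklist ${HOME}/.local/share/okular
 noblacklist ${HOME}/.local/share/qpdfview
@@ -41,7 +40,6 @@ whitelist ${HOME}/.kde4/share/config/okularpartrc
 whitelist ${HOME}/.kde4/share/config/okularrc
 whitelist ${HOME}/.keysnail.js
 whitelist ${HOME}/.lastpass
-whitelist ${HOME}/.local/share/gnome-shell/extensions
 whitelist ${HOME}/.local/share/kget
 whitelist ${HOME}/.local/share/okular
 whitelist ${HOME}/.local/share/qpdfview
@@ -53,3 +51,14 @@ whitelist ${HOME}/.wine-pipelight
 whitelist ${HOME}/.wine-pipelight64
 whitelist ${HOME}/.zotero
 whitelist ${HOME}/dwhelper
+
+# GNOME Shell integration (chrome-gnome-shell) needs dbus and python 3 (blacklisted by disable-interpreters.inc)
+noblacklist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+ignore nodbus
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python3*
+
+# Flash plugin
+# private-etc must first be enabled in firefox-common.profile and in profiles including it.
+#private-etc adobe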
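Review bot: The GNOME Shell integration block at the end of the third hunk is active unconditionally, so every profile that includes this file now gets `ignore nodbus` and python3 un-blacklisted, whereas before this commit the corresponding `noblacklist .../gnome-shell/extensions` line (first hunk) was commented out and therefore opt-in. `ignore nodbus` in particular re-opens the session bus for all Firefox-derived sandboxes, not only for users of chrome-gnome-shell, and the two python3 lines only take effect if the including profile reads this file before its `include .../disable-interpreters.inc`, which is not visible here. The Flash block directly below already follows the opt-in pattern; suggest shipping `ignore nodbus` and the two python3 `noblacklist` lines commented out, under a comment such as `# Enable the three lines below in your .local file if you use chrome-gnome-shell`, while keeping the extensions `noblacklist`/`whitelist` pair active.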
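--- a/etc/firejail-default
+++ b/etc/firejail-default
@@ -165,10 +165,10 @@ capability sys_time,
 capability sys_tty_config,
 capability mknod,
 capability lease,
-capability audit_write,
-capability audit_control,
+#capability audit_write,
+#capability audit_control,
 capability setfcap,
-capability mac_override,
+#capability mac_override,
 #capability mac_admin,
 
 ##########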
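Review bot: `audit_write`, `audit_control` and `mac_override` are now withheld from the AppArmor capability list without any comment saying why, so a later reader cannot tell whether this is deliberate hardening or a workaround for a specific program, and the capabilities that remain active (`setfcap`, `mknod`, `lease`) carry no justification either. Suggest a one-line comment above the commented-out entries, e.g. `# audit_* and mac_* are denied on purpose; re-enable locally only for a program that provably needs them`, so the next edit does not silently re-add them. Because this file applies to every sandbox started with `apparmor`, the behavioural change is also worth a sentence in the commit description, which is not shown here.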
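--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/flowblade
 noblacklist ${HOME}/.flowblade
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc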
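--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc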
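--- a/etc/less.profile
+++ b/etc/less.profile
@@ -20,7 +20,7 @@ shell none
 tracelog
 writable-var-log
 
-# The user can have a custom coloring scritps configured in ${HOME}/.lessfilter.
+# The user can have a custom coloring script configured in ${HOME}/.lessfilter.
 # Enable private-bin and private-lib if you are not using any filter.
 # private-bin less
 # private-lib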
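--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.openshot
 noblacklist ${HOME}/.openshot_qt
 
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc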
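--- a/etc/pycharm-community.profile
+++ b/etc/pycharm-community.profile
@@ -9,6 +9,12 @@ noblacklist ${HOME}/snap
 noblacklist ${HOME}/.PyCharmCE*
 noblacklist ${HOME}/.java
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc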
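--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,11 +5,19 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.config/ranger
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow perl
 # noblacklist ${PATH}/cpan*
 noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
-noblacklist ${HOME}/.config/ranger
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc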
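--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -24,6 +24,12 @@ noblacklist /usr/lib/llvm*
 # needed for STEAM_RUNTIME_PREFER_HOST_LIBRARIES=1 to work
 noblacklist /sbin
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc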
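--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc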
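--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
@@ -7,6 +7,13 @@ include /etc/firejail/globals.local
 
 noblacklist ${HOME}/.config/uzbl
 noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.local/share/uzbl
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
 
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc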
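--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -8,6 +8,12 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.ZAP
 
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc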
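--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+machine-id
 # net none
 # nodbus
 nodvd
@@ -29,7 +30,7 @@ shell none
 
 private-bin zathura
 private-dev
-private-etc fonts
+private-etc fonts,machine-id
 private-tmp
 
 read-only ${HOME}/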
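Review bot: `private-etc fonts,machine-id` in the second hunk and the `machine-id` option in the first hunk presumably depend on each other (the spoofed id needs a file to appear under the private /etc), but nothing in the file records that link, so a later cleanup could drop one line and silently break the other. Suggest a comment next to the option, e.g. `# machine-id also requires machine-id in private-etc below`, or keeping the two lines adjacent. If the option works without the private-etc entry on this firejail version, the comment should say that instead and the `,machine-id` addition can go.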