Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/disable-programs.inc | 10 | ||||
-rw-r--r-- | etc/profile-a-l/b2sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-a-l/bcompare.profile | 62 | ||||
-rw-r--r-- | etc/profile-a-l/cksum.profile | 13 | ||||
-rw-r--r-- | etc/profile-a-l/clawsker.profile | 2 | ||||
-rw-r--r-- | etc/profile-a-l/engrampa.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 5 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-logs.profile | 9 | ||||
-rw-r--r-- | etc/profile-a-l/hasher-common.profile | 60 | ||||
-rw-r--r-- | etc/profile-a-l/k3b.profile | 2 | ||||
-rw-r--r-- | etc/profile-m-z/man.profile | 12 | ||||
-rw-r--r-- | etc/profile-m-z/md5sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/nheko.profile | 9 | ||||
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 4 | ||||
-rw-r--r-- | etc/profile-m-z/sha1sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/sha224sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/sha256sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/sha384sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/sha512sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/sum.profile | 13 | ||||
-rw-r--r-- | etc/profile-m-z/youtube-viewer.profile | 3 |
21 files changed, 281 insertions, 17 deletions
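--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -121,6 +121,7 @@ blacklist ${HOME}/.config/Nathan Osman
 blacklist ${HOME}/.config/Nextcloud
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/PacmanLogViewer
+blacklist ${HOME}/.config/PawelStolowski
 blacklist ${HOME}/.config/PBE
 blacklist ${HOME}/.config/Philipp Schmieder
 blacklist ${HOME}/.config/QGIS
@@ -166,6 +167,7 @@ blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
+blacklist ${HOME}/.config/bcompare
 blacklist ${HOME}/.config/blender
 blacklist ${HOME}/.config/bless
 blacklist ${HOME}/.config/bnox
@@ -312,6 +314,7 @@ blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
 blacklist ${HOME}/.config/mate/mate-dictionary
 blacklist ${HOME}/.config/matrix-mirage
+blacklist ${HOME}/.config/mcomix
 blacklist ${HOME}/.config/meld
 blacklist ${HOME}/.config/meteo-qt
 blacklist ${HOME}/.config/menulibre.cfg
@@ -360,6 +363,7 @@ blacklist ${HOME}/.config/pavucontrol.ini
 blacklist ${HOME}/.config/pcmanfm
 blacklist ${HOME}/.config/pdfmod
 blacklist ${HOME}/.config/Pinta
+blacklist ${HOME}/.config/pipe-viewer
 blacklist ${HOME}/.config/pitivi
 blacklist ${HOME}/.config/pix
 blacklist ${HOME}/.config/pluma
@@ -589,6 +593,7 @@ blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/Nextcloud
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/PawelStolowski
 blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
@@ -694,6 +699,7 @@ blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/matrix-mirage
+blacklist ${HOME}/.local/share/mcomix
 blacklist ${HOME}/.local/share/meld
 blacklist ${HOME}/.local/share/midori
 blacklist ${HOME}/.local/share/minder
@@ -709,6 +715,7 @@ blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/news-flash
 blacklist ${HOME}/.local/share/newsbeuter
 blacklist ${HOME}/.local/share/newsboat
+blacklist ${HOME}/.local/share/nheko
 blacklist ${HOME}/.local/share/nomacs
 blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
@@ -901,6 +908,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/PawelStolowski
 blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/Quotient/quaternion
@@ -1009,6 +1017,7 @@ blacklist ${HOME}/.cache/org.gnome.Maps
 blacklist ${HOME}/.cache/pdfmod
 blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
+blacklist ${HOME}/.cache/pipe-viewer
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
 blacklist ${HOME}/.cache/psi
@@ -1044,3 +1053,4 @@ blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
 blacklist ${HOME}/.cache/yandex-browser-beta
 blacklist ${HOME}/.cache/youtube-dl
+blacklist ${HOME}/.cache/youtube-viewer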
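Review bot: The new `blacklist` entries for `mcomix`, `pipe-viewer` and `PawelStolowski` have no matching `noblacklist` in any profile this commit touches, unlike the `bcompare`, `nheko` and `youtube-viewer` entries. If the profiles that own those directories are not already in the tree with the corresponding `noblacklist` lines, every sandbox that includes disable-programs.inc will hide the application's own data from it, so this is worth confirming before merge. As a smaller point, `PawelStolowski` is sorted before `PBE` under `.config` but after it under `.local/share`, so the two sections now follow different ordering rules.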
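--- /dev/null
+++ b/etc/profile-a-l/b2sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for b2sum
+# Description: compute and check BLAKE2 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include b2sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin b2sum
+
+# Redirect
+include hasher-common.profile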
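--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+#include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
+# include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# Uncommenting might break Pulse Audio
+#machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# Allow applications launched on sound files to play them
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+
+dbus-user none
+dbus-system none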
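Review bot: The four commented-out whitelist includes (`# include whitelist-common.inc` through `# include whitelist-var-common.inc`, lines 29-32 of the new file) carry no explanation, while every other disabled directive in this profile says why it is off. With `disable-common.inc`, `disable-programs.inc` and `disable-xdg.inc` also off by default, the profile does little to narrow what the program can reach on disk, so each whitelist that can be enabled matters. `whitelist-runuser-common.inc`, `whitelist-usr-share-common.inc` and `whitelist-var-common.inc` act outside `${HOME}` and would presumably not get in the way of comparing user files; either enable the ones that survive testing or add a comment above them such as `# Disabled: files anywhere on disk must remain comparable`.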
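--- /dev/null
+++ b/etc/profile-a-l/cksum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cksum
+# Description: checksum and count the bytes in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cksum.local
+# Persistent global definitions
+include globals.local
+
+private-bin cksum
+
+# Redirect
+include hasher-common.profile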
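--- a/etc/profile-a-l/clawsker.profile
+++ b/etc/profile-a-l/clawsker.profile
@@ -45,7 +45,7 @@ private-bin bash,clawsker,perl,sh,which
 private-cache
 private-dev
 private-etc alternatives,fonts
-private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
+private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl*
 private-tmp
 
 dbus-user none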
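--- a/etc/profile-a-l/engrampa.profile
+++ b/etc/profile-a-l/engrampa.profile
@@ -17,6 +17,7 @@ include whitelist-var-common.inc
 
 apparmor
 caps.drop all
+net none
 no3d
 nodvd
 nogroups
@@ -35,4 +36,6 @@ tracelog
 private-dev
 # private-tmp
 
+dbus-user filter
+dbus-user.talk ca.desrt.dconf
 dbus-system none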
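Review bot: `dbus-user.talk ca.desrt.dconf` in the second hunk is added without a comment, and the dconf service is not scoped per application, so a process allowed to talk to it can presumably read and change settings that belong to other programs. As far as the hunk shows there was no `dbus-user` line before, so the filter is still a tightening, but the reason for the one exception should be recorded, e.g. `# dconf: needed to load and save engrampa's settings` if that is indeed why it is there. The same `dbus-user.talk ca.desrt.dconf` line is added in gnome-logs.profile, where it replaces `dbus-user none`.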
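--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,6 +14,11 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
 
+# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
+#whitelist ${RUNUSER}/kpxc_server
+#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
+
 whitelist /usr/share/doc
 whitelist /usr/share/firefox
 whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini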
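Review bot: The comment above the two `#whitelist ${RUNUSER}/...` lines does not say which socket path to pick; "one of the following whitelist" leaves the reader guessing. The two names presumably belong to different KeePassXC releases, so a short tag on each line (for example `# KeePassXC <version> and later`, with the real version filled in) would stop users from enabling both. Whitelisting either path gives the browser sandbox a channel to the password manager, so it is right that both stay commented out by default, and the comment could say so.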
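--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -26,12 +26,7 @@ ipc-namespace
 net none
 no3d
 nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# comment both 'nogroups' and 'noroot'
-# or put 'ignore nogroups' and 'ignore noroot' in your gnome-logs.local.
-nogroups
 nonewprivs
-noroot
 nosound
 notv
 nou2f
@@ -50,7 +45,9 @@ private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.s
 private-tmp
 writable-var-log
 
-dbus-user none
+dbus-user filter
+dbus-user.own org.gnome.Logs
+dbus-user.talk ca.desrt.dconf
 dbus-system none
 
 # comment this if you export logs to a file in your ${HOME}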
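Review bot: `nogroups` and `noroot` are dropped in the first hunk together with the comment that explained when to relax them, so every user now runs gnome-logs with both restrictions off, not only those on 'volatile' journal storage. If the two options also break journal access in the default configuration, record that where they used to be, e.g. `# nogroups/noroot are not set: they break reading the journal`; otherwise keep them and leave the opt-out to gnome-logs.local as before. The second hunk loosens `dbus-user none` to `filter` with `dbus-user.own org.gnome.Logs` and a dconf talk rule, and that change has no stated reason either.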
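--- /dev/null
+++ b/etc/profile-a-l/hasher-common.profile
@@ -0,0 +1,60 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include hasher-common.local
+
+# common profile for hasher/checksum tools
+
+blacklist ${RUNUSER}
+
+# WARNING:
+# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
+# include file(s) here or by putting those into hasher-common.local.
+# Another option is to do this **per hasher** in the relevant <hasher>.local.
+# Just beware that things tend to break when overtightening profiles. For example, because you only
+# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
+#include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
+#include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+x11 none
+
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-cache
+private-dev
+# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+#private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}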
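Review bot: The comment above `#private-cache` (line 50 of the new file) is a copy of the one above `#private-tmp` and says "files in /tmp"; `private-cache` concerns the user's cache directory, so it should read `# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in ${HOME}/.cache.`. The example that closes the WARNING block (lines 13-14) is also hard to follow as written and deserves a rewording. With `disable-common.inc`, `disable-programs.inc` and `disable-xdg.inc` all commented out, the hashers can read nearly everything under `${HOME}`, and what contains them is `read-only ${HOME}` plus `net none`; the header should state that trade-off.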
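--- a/etc/profile-a-l/k3b.profile
+++ b/etc/profile-a-l/k3b.profile
@@ -21,7 +21,7 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
-caps.keep ipc_lock,sys_nice,sys_rawio,sys_resource
+caps.keep chown,dac_override,ipc_lock,net_bind_service,sys_admin,sys_nice,sys_rawio,sys_resource
 # net none
 netfilter
 no3d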
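Review bot: The widened `caps.keep` line now retains `sys_admin` and `dac_override`, which between them cover mount-style administration and bypassing file permission checks, so little of the capability restriction is left for any process in the sandbox that runs as root. Nothing in the hunk says which operation needs each of the four new capabilities. Please add a comment above the line naming the helper and the failure each one fixes, e.g. `# sys_admin: required by <helper> for <operation>`, and drop any of `chown` and `net_bind_service` that cannot be justified that way. The rest of the profile lies outside the hunk, so whether other options limit the effect cannot be seen here.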
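--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -19,16 +19,16 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkdir ${HOME}/.local/share/man
-whitelist ${HOME}/.local/share/man
-whitelist ${HOME}/.manpath
+#mkdir ${HOME}/.local/share/man
+#whitelist ${HOME}/.local/share/man
+#whitelist ${HOME}/.manpath
 whitelist /usr/share/groff
 whitelist /usr/share/info
 whitelist /usr/share/lintian
 whitelist /usr/share/locale
 whitelist /usr/share/man
 whitelist /var/cache/man
-include whitelist-common.inc
+#include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -58,9 +58,11 @@ disable-mnt
 private-cache
 private-dev
 private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
-private-tmp
+#private-tmp
 
 dbus-user none
 dbus-system none
 
 memory-deny-write-execute
+read-only ${HOME}
+read-only /tmp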
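Review bot: Commenting out every `${HOME}` whitelist (the three lines after `include disable-xdg.inc` and `#include whitelist-common.inc`) and `private-tmp` means man now sees the real home directory and the real /tmp, limited only by the disable-*.inc blacklists; the added `read-only` lines stop writes but not reads. If the aim is to let man open pages stored anywhere under those trees, replace the dead directives with a comment that says so, e.g. `# No ${HOME} whitelist and no private-tmp: man must be able to read pages from arbitrary paths (made read-only below)`. Old directives left commented out with no reason invite someone to re-enable them later. The profile's earlier includes are outside the hunk, so which blacklists apply in full cannot be checked from here.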
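--- /dev/null
+++ b/etc/profile-m-z/md5sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for md5sum
+# Description: compute and check MD5 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include md5sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin md5sum
+
+# Redirect
+include hasher-common.profile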
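--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -6,8 +6,9 @@ include nheko.local
 # Persistent global definitions
 include globals.local
 
-noblacklist ${HOME}/.config/nheko
 noblacklist ${HOME}/.cache/nheko
+noblacklist ${HOME}/.config/nheko
+noblacklist ${HOME}/.local/share/nheko
 
 include disable-common.inc
 include disable-devel.inc
@@ -18,10 +19,12 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/nheko
 mkdir ${HOME}/.config/nheko
-mkdir ${HOME}/.cache/nheko/nheko
-whitelist ${HOME}/.config/nheko
+mkdir ${HOME}/.local/share/nheko
 whitelist ${HOME}/.cache/nheko
+whitelist ${HOME}/.config/nheko
+whitelist ${HOME}/.local/share/nheko
 whitelist ${DOWNLOADS}
 include whitelist-common.inc
 include whitelist-runuser-common.inc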
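--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Node.js
-# Description: Common profile for npm/yarn
+# Description: Asynchronous event-driven JavaScript runtime
 # This file is overwritten after every install/update
 # Persistent local customizations
 include nodejs-common.local
@@ -45,7 +45,9 @@ shell none
 
 disable-mnt
 private-dev
+# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+# May need to be commented out in order to enable debugging with some IDEs
 private-tmp
 
 dbus-user none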
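--- /dev/null
+++ b/etc/profile-m-z/sha1sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha1sum
+# Description: compute and check SHA1 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha1sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha1sum
+
+# Redirect
+include hasher-common.profile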
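--- /dev/null
+++ b/etc/profile-m-z/sha224sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha224sum
+# Description: compute and check SHA224 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha224sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha224sum
+
+# Redirect
+include hasher-common.profile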
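--- /dev/null
+++ b/etc/profile-m-z/sha256sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha256sum
+# Description: compute and check SHA256 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha256sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha256sum
+
+# Redirect
+include hasher-common.profile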
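--- /dev/null
+++ b/etc/profile-m-z/sha384sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha384sum
+# Description: compute and check SHA384 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha384sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha384sum
+
+# Redirect
+include hasher-common.profile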
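--- /dev/null
+++ b/etc/profile-m-z/sha512sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sha512sum
+# Description: compute and check SHA512 message digest
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sha512sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sha512sum
+
+# Redirect
+include hasher-common.profile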
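--- /dev/null
+++ b/etc/profile-m-z/sum.profile
@@ -0,0 +1,13 @@
+# Firejail profile for sum
+# Description: checksum and count the blocks in a file
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include sum.local
+# Persistent global definitions
+include globals.local
+
+private-bin sum
+
+# Redirect
+include hasher-common.profile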
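--- a/etc/profile-m-z/youtube-viewer.profile
+++ b/etc/profile-m-z/youtube-viewer.profile
@@ -7,6 +7,7 @@ include youtube-viewer.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.cache/youtube-viewer
 noblacklist ${HOME}/.config/youtube-viewer
 
 # Allow perl (blacklisted by disable-interpreters.inc)
@@ -24,7 +25,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.cache/youtube-viewer
 mkdir ${HOME}/.config/youtube-viewer
+whitelist ${HOME}/.cache/youtube-viewer
 whitelist ${HOME}/.config/youtube-viewer
 include whitelist-common.inc
 include whitelist-usr-share-common.inc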