Diffstat (limited to 'etc')
-rw-r--r-- | etc/firejail.config | 4 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 12 | ||||
-rw-r--r-- | etc/profile-a-l/alpine.profile | 104 | ||||
-rw-r--r-- | etc/profile-a-l/alpinef.profile | 14 | ||||
-rw-r--r-- | etc/profile-a-l/cargo.profile | 1 | ||||
-rw-r--r-- | etc/profile-a-l/chromium-common.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/firefox.profile | 3 | ||||
-rw-r--r-- | etc/profile-a-l/librewolf.profile | 3 | ||||
-rw-r--r-- | etc/profile-m-z/mcomix.profile | 74 | ||||
-rw-r--r-- | etc/profile-m-z/minecraft-launcher.profile | 1 | ||||
-rw-r--r-- | etc/profile-m-z/qcomicbook.profile | 68 | ||||
-rw-r--r-- | etc/profile-m-z/rtin.profile | 8 | ||||
-rw-r--r-- | etc/profile-m-z/rtv-addons.profile | 5 | ||||
-rw-r--r-- | etc/profile-m-z/rtv.profile | 7 | ||||
-rw-r--r-- | etc/profile-m-z/tin.profile | 69 | ||||
-rw-r--r-- | etc/profile-m-z/w3m.profile | 24 | ||||
-rw-r--r-- | etc/profile-m-z/weechat.profile | 1 | ||||
-rw-r--r-- | etc/templates/syscalls.txt | 2 |
18 files changed, 394 insertions, 9 deletions
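--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -113,6 +113,10 @@
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 
+# Add rules to the default seccomp filter. Same syntax as for --seccomp=
+# None by default; this is an example.
+# seccomp-filter-add !chroot,kcmp,mincore
+
 # Seccomp error action, kill, log or errno (EPERM, ENOSYS etc)
 # seccomp-error-action EPERM
 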
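Review bot: The new `seccomp-filter-add` example lists `kcmp`, which this same commit removes from the `@default` group in etc/templates/syscalls.txt, so the example is also the documented way for an administrator to put it back, but the comment does not say so and a reader of firejail.config alone will not know the default filter got wider. As far as the visible `@default` line shows, `mincore` is not in that group either. Suggest extending the comment with `# kcmp and mincore are not in the default filter; this example blocks them in addition.`, and stating in the same place that `!name` removes an entry while a bare name adds one, since "Same syntax as for --seccomp=" sends the reader elsewhere for the one detail that matters here.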
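--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -39,6 +39,8 @@ blacklist ${HOME}/.WebStorm*
 blacklist ${HOME}/.Wolfram Research
 blacklist ${HOME}/.ZAP
 blacklist ${HOME}/.abook
+blacklist ${HOME}/.addressbook
+blacklist ${HOME}/.alpine-smime
 blacklist ${HOME}/.aMule
 blacklist ${HOME}/.android
 blacklist ${HOME}/.anydesk
@@ -810,6 +812,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
@@ -830,6 +833,14 @@ blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
 blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
+blacklist ${HOME}/.pine-crash
+blacklist ${HOME}/.pine-debug1
+blacklist ${HOME}/.pine-debug2
+blacklist ${HOME}/.pine-debug3
+blacklist ${HOME}/.pine-debug4
+blacklist ${HOME}/.pine-interrupted-mail
+blacklist ${HOME}/.pinerc
+blacklist ${HOME}/.pinercex
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
 blacklist ${HOME}/.purple
@@ -867,6 +878,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs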
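--- /dev/null
+++ b/etc/profile-a-l/alpine.profile
@@ -0,0 +1,104 @@
+# Firejail profile for alpine
+# Description: Text-based email and newsgroups reader
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpine.local
+# Persistent global definitions
+include globals.local
+
+# Workaround for bug https://github.com/netblue30/firejail/issues/2747
+# firejail --private-bin=sh --include='${CFG}/allow-bin-sh.inc' --profile=alpine sh -c '(alpine)'
+
+noblacklist /var/mail
+noblacklist /var/spool/mail
+noblacklist ${DOCUMENTS}
+noblacklist ${HOME}/.addressbook
+noblacklist ${HOME}/.alpine-smime
+noblacklist ${HOME}/.mailcap
+noblacklist ${HOME}/.mh_profile
+noblacklist ${HOME}/.mime.types
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.pine-crash
+noblacklist ${HOME}/.pine-debug1
+noblacklist ${HOME}/.pine-debug2
+noblacklist ${HOME}/.pine-debug3
+noblacklist ${HOME}/.pine-debug4
+noblacklist ${HOME}/.pine-interrupted-mail
+noblacklist ${HOME}/.pinerc
+noblacklist ${HOME}/.pinercex
+noblacklist ${HOME}/.signature
+noblacklist ${HOME}/mail
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+#whitelist ${DOCUMENTS}
+#whitelist ${DOWNLOADS}
+#whitelist ${HOME}/.addressbook
+#whitelist ${HOME}/.alpine-smime
+#whitelist ${HOME}/.mailcap
+#whitelist ${HOME}/.mh_profile
+#whitelist ${HOME}/.mime.types
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.pine-crash
+#whitelist ${HOME}/.pine-interrupted-mail
+#whitelist ${HOME}/.pinerc
+#whitelist ${HOME}/.pinercex
+#whitelist ${HOME}/.pine-debug1
+#whitelist ${HOME}/.pine-debug2
+#whitelist ${HOME}/.pine-debug3
+#whitelist ${HOME}/.pine-debug4
+#whitelist ${HOME}/.signature
+#whitelist ${HOME}/mail
+whitelist /var/mail
+whitelist /var/spool/mail
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin alpine
+private-cache
+private-dev
+private-etc alternatives,c-client.cf,ca-certificates,crypto-policies,host.conf,hostname,hosts,krb5.keytab,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,passwd,pine.conf,pinerc.fixed,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-tmp
+writable-run-user
+writable-var
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}/.signature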
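Review bot: `private-etc` on line 95 of the new profile carries `krb5.keytab`, the host's Kerberos service keytab, which is host credential material rather than per-user client configuration; an email client running as the user would normally authenticate through a credential cache, not the keytab. Whether the copy inside the sandbox is readable at all depends on the host's permissions on that file, but exposing it is at odds with the otherwise tight list, so either drop it or justify it with a comment such as `# krb5.keytab is needed for GSSAPI IMAP authentication on hosts that use it` placed above the `private-etc` line. The workaround on line 11 is useful, but it is worth noting in that same comment that running through `sh` with allow-bin-sh.inc re-enables the shell that `include disable-shell.inc` and `private-bin alpine` otherwise remove, so users know the trade-off.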
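--- /dev/null
+++ b/etc/profile-a-l/alpinef.profile
@@ -0,0 +1,14 @@
+# Firejail profile for alpinef
+# Description: Text-based email and newsgroups reader using function keys
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include alpinef.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin alpinef
+
+# Redirect
+include alpine.profile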
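--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -34,6 +34,7 @@ include disable-xdg.inc
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
 #include whitelist-common.inc
+whitelist /usr/share/pkgconfig
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc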
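--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -37,8 +37,9 @@ include whitelist-var-common.inc
 # Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 
-# Add the next line to your chromium-common.local to allow screen sharing under wayland.
+# Add the next two lines to your chromium-common.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 
 apparmor
 caps.keep sys_admin,sys_chroot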
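--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -56,8 +56,9 @@ dbus-user.own org.mpris.MediaPlayer2.firefox.*
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next two lines to your firefox.local to allow screen sharing under wayland.
+# Add the next three lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Add the next line to your firefox.local if screen sharing sharing still does not work
 # with the above lines (might depend on the portal implementation).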
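Review bot: The comment two lines below the edited one still reads "if screen sharing sharing still does not work" (duplicated word); since this hunk already rewrites the neighbouring instruction comment, it is the natural place to fix it to `# Add the next line to your firefox.local if screen sharing still does not work`. The same block in librewolf.profile uses different wording and does not have the typo.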
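--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -44,8 +44,9 @@ dbus-user filter
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Add the next lines to your librewolf.local to allow screensharing under Wayland.
+# Add the next three lines to your librewolf.local to allow screensharing under Wayland.
 #whitelist ${RUNUSER}/pipewire-0
+#whitelist /usr/share/pipewire/client.conf
 #dbus-user.talk org.freedesktop.portal.*
 # Also add the next line to your librewolf.local if screensharing does not work with
 # the above lines (depends on the portal implementation).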
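--- /dev/null
+++ b/etc/profile-m-z/mcomix.profile
@@ -0,0 +1,74 @@
+# Firejail profile for mcomix
+# Description: A comic book and manga viewer in python
+# This file is overwritten after every install/update
+# Persistent local customizations
+include mcomix.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/mcomix
+noblacklist ${HOME}/.local/share/mcomix
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow python (blacklisted by disable-interpreters.inc)
+# mcomix <= 1.2 uses python2
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/mcomix
+mkdir ${HOME}/.local/share/mcomix
+whitelist /usr/share/mcomix
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+include whitelist-runuser-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+# mcomix <= 1.2 uses python2
+private-bin 7z,lha,mcomix,mutool,python*,rar,sh,unrar,unzip
+private-cache
+private-dev
+# mcomix <= 1.2 uses gtk-2.0
+private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.config/mcomix
+read-write ${HOME}/.local/share/mcomix
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share
+# used by mcomix <= 1.2, tip, make a symbolic link to .cache/thumbnails
+read-write ${HOME}/.thumbnails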
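Review bot: `read-write ${HOME}/.local/share` on line 72 of the new profile undoes `read-only ${HOME}` for the whole of ~/.local/share (other applications' data directories included), not just for recently-used.xbel, and the comment above it reads as if only that file were affected; the same pair appears at the end of the new qcomicbook.profile. The comment should state the real scope, e.g. `# The whole directory is made writable so that ${HOME}/.local/share/recently-used.xbel can be updated`, so a maintainer does not later assume the narrower effect. Separately, the `whitelist-runuser-common.inc` include on line 36 is ordered after the usr-share and var includes, whereas every other profile in this commit lists it first; worth aligning for consistency.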
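--- a/etc/profile-m-z/minecraft-launcher.profile
+++ b/etc/profile-m-z/minecraft-launcher.profile
@@ -31,7 +31,6 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-apparmor
 caps.drop all
 netfilter
 nodvd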
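--- /dev/null
+++ b/etc/profile-m-z/qcomicbook.profile
@@ -0,0 +1,68 @@
+# Firejail profile for qcomicbook
+# Description: A comic book and manga viewer in QT
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qcomicbook.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/PawelStolowski
+noblacklist ${HOME}/.config/PawelStolowski
+noblacklist ${HOME}/.local/share/PawelStolowski
+noblacklist ${DOCUMENTS}
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/PawelStolowski
+mkdir ${HOME}/.config/PawelStolowski
+mkdir ${HOME}/.local/share/PawelStolowski
+whitelist /usr/share/qcomicbook
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin 7z,7zr,qcomicbook,rar,sh,tar,unace,unrar,unzip
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,pango,passwd,Trolltech.conf,X11,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.cache/PawelStolowski
+read-write ${HOME}/.config/PawelStolowski
+read-write ${HOME}/.local/share/PawelStolowski
+#to allow ${HOME}/.local/share/recently-used.xbel
+read-write ${HOME}/.local/share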
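--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+# symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+
+include tin.profile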
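Review bot: This redirect profile does not follow the layout the same commit uses for alpinef.profile: after `include rtin.local` it lacks the "Persistent global definitions" block with its "added by included profile" note and the commented `#include globals.local`, and the final `include tin.profile` has no `# Redirect` marker above it. Adding those three comment lines and the `# Redirect` header keeps the two new redirect profiles identical in shape, which matters because scripts and readers look for the `# Redirect` marker to tell a redirect from a full profile.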
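--- a/etc/profile-m-z/rtv-addons.profile
+++ b/etc/profile-m-z/rtv-addons.profile
@@ -21,3 +21,8 @@ whitelist ${HOME}/.config/mpv
 whitelist ${HOME}/.mailcap
 whitelist ${HOME}/.netrc
 whitelist ${HOME}/.w3m
+
+#private-bin w3m,mpv,youtube-dl
+
+# tells rtv, which browser to use
+#env RTV_BROWSER=w3m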
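--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -12,6 +12,9 @@ blacklist ${RUNUSER}/wayland-*
 noblacklist ${HOME}/.config/rtv
 noblacklist ${HOME}/.local/share/rtv
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
 include allow-python3.inc
@@ -54,10 +57,10 @@ shell none
 tracelog
 
 disable-mnt
-private-bin python*,rtv,sh,xdg-settings
+private-bin less,python*,rtv,sh,xdg-settings
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mailcap,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,terminfo,xdg
 
 dbus-user none
 dbus-system none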
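--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+# tin saves .newsrc by renaming a temporary file, which is not possible for
+# bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute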
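Review bot: Line 13 of the new profile blacklists the whole of `${RUNUSER}`, yet line 33 still includes `whitelist-runuser-common.inc`, which only makes sense when the runtime directory is reachable; the two directives are at best redundant and the sibling profiles in this commit (alpine.profile, w3m.profile) blacklist only `${RUNUSER}/wayland-*`. Either narrow line 13 to `blacklist ${RUNUSER}/wayland-*` or drop the include, and say in a comment which one is intended. The `private-etc passwd,resolv.conf,terminfo,tin` list on line 62 omits `nsswitch.conf` and `hosts`, which the other network-using profiles here carry; whether resolution of the news server's name works without them depends on the libc, so it is worth confirming on a host with a non-default nsswitch setup before release.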
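--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -17,18 +17,32 @@ noblacklist ${HOME}/.w3m
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
 
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+# Allow perl (blacklisted by disable-interpreters.inc)
 include allow-perl.inc
 
 include disable-common.inc
 include disable-devel.inc
+include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.w3m
+whitelist /usr/share/w3m
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.w3m
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 
 caps.drop all
+ipc-namespace
+machine-id
 netfilter
 no3d
 nodvd
@@ -45,8 +59,14 @@ seccomp
 shell none
 tracelog
 
-# private-bin w3m
+disable-mnt
+private-bin perl,sh,w3m
 private-cache
 private-dev
-private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl
 private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute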
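Review bot: The new `private-etc` on line 66 adds `mailcap` but not `mime.types`, whereas the rtv.profile change in this same commit carries both and the mailcap lookup is normally keyed by the type table; if w3m consults /etc/mime.types, helper dispatch will silently fall back to defaults inside the sandbox, so `private-etc alternatives,ca-certificates,crypto-policies,mailcap,mime.types,nsswitch.conf,pki,resolv.conf,ssl` is likely the intended line. The list also lacks `terminfo`, which tin.profile and alpine.profile include; on hosts whose entry for the user's TERM lives under /etc/terminfo rather than /usr/share/terminfo the program will not start, so this is worth a test on such a system. Since `whitelist ${HOME}/.w3m` and `whitelist ${DOWNLOADS}` are the first whitelists under ${HOME} in this profile, a one-line comment noting that they switch the home directory to whitelist mode would help users who add paths in w3m.local.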
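--- a/etc/profile-m-z/weechat.profile
+++ b/etc/profile-m-z/weechat.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.weechat
 include disable-common.inc
 include disable-programs.inc
 
+whitelist /usr/share/weechat
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 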
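--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @clock=adjtimex,clock_adjtime,clock_settime,settimeofday,stime
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext
-@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,kcmp,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
+@default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,userfaultfd,acct,bpf,nfsservctl,setdomainname,sethostname,vhangup
 @default-nodebuggers=@default,ptrace,personality,process_vm_readv
 @default-keep=execveat,execve,prctl
 @file-system=access,chdir,chmod,close,creat,faccessat,faccessat2,fallocate,fchdir,fchmod,fchmodat,fcntl,fcntl64,fgetxattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,futimesat,getcwd,getdents,getdents64,getxattr,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,mmap,mmap2,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,readlink,readlinkat,removexattr,rename,renameat,renameat2,rmdir,setxattr,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utime,utimensat,utimes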