diff options
Diffstat (limited to 'etc')
315 files changed, 1057 insertions, 541 deletions
diff --git a/etc/apparmor/firejail-base b/etc/apparmor/firejail-base new file mode 100644 index 000000000..6e286d4af --- /dev/null +++ b/etc/apparmor/firejail-base | |||
@@ -0,0 +1,27 @@ | |||
1 | ######################################### | ||
2 | # Firejail base abstraction drop-in | ||
3 | # | ||
4 | # Adds basic Firejail support to AppArmor profiles. | ||
5 | # Please note: Firejail's nonewprivs and seccomp options | ||
6 | # are not compatible with AppArmor profile transitions. | ||
7 | # Also there is no support for Firejail chroot options. | ||
8 | ######################################### | ||
9 | |||
10 | # Discovery of process names | ||
11 | owner /proc/@{pid}/comm r, | ||
12 | |||
13 | ########## | ||
14 | # Following paths only exist inside a Firejail sandbox | ||
15 | ########## | ||
16 | |||
17 | # Library preloading | ||
18 | /{,var/}run/firejail/lib/*.so mr, | ||
19 | |||
20 | # Supporting seccomp | ||
21 | owner /{,var/}run/firejail/mnt/seccomp/seccomp.postexec r, | ||
22 | |||
23 | # Supporting trace | ||
24 | owner /{,var/}run/firejail/mnt/trace w, | ||
25 | |||
26 | # Supporting tracelog | ||
27 | /{,var/}run/firejail/mnt/fslogger r, | ||
diff --git a/etc/apparmor/firejail-default b/etc/apparmor/firejail-default index ca32f5b0d..a7044152e 100644 --- a/etc/apparmor/firejail-default +++ b/etc/apparmor/firejail-default | |||
@@ -129,7 +129,7 @@ signal (receive), | |||
129 | ########## | 129 | ########## |
130 | # The list of recognized capabilities varies from one apparmor version to another. | 130 | # The list of recognized capabilities varies from one apparmor version to another. |
131 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available | 131 | # For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available |
132 | # We allow all caps by default and remove the ones we don't like: | 132 | # We allow all caps by default and remove the ones we don't like: |
133 | capability, | 133 | capability, |
134 | deny capability audit_write, | 134 | deny capability audit_write, |
135 | deny capability audit_control, | 135 | deny capability audit_control, |
diff --git a/etc/firejail.config b/etc/firejail.config index 2e355586b..7912b746c 100644 --- a/etc/firejail.config +++ b/etc/firejail.config | |||
@@ -2,6 +2,9 @@ | |||
2 | # keyword-argument pairs, one per line. Most features are enabled by default. | 2 | # keyword-argument pairs, one per line. Most features are enabled by default. |
3 | # Use 'yes' or 'no' as configuration values. | 3 | # Use 'yes' or 'no' as configuration values. |
4 | 4 | ||
5 | # Allow programs to display a tray icon | ||
6 | # allow-tray no | ||
7 | |||
5 | # Enable AppArmor functionality, default enabled. | 8 | # Enable AppArmor functionality, default enabled. |
6 | # apparmor yes | 9 | # apparmor yes |
7 | 10 | ||
@@ -63,7 +66,7 @@ | |||
63 | # a file argument, the default filter is hardcoded (see man 1 firejail). This | 66 | # a file argument, the default filter is hardcoded (see man 1 firejail). This |
64 | # configuration entry allows the user to change the default by specifying | 67 | # configuration entry allows the user to change the default by specifying |
65 | # a file containing the filter configuration. The filter file format is the | 68 | # a file containing the filter configuration. The filter file format is the |
66 | # format of iptables-save and iptable-restore commands. Example: | 69 | # format of iptables-save and iptables-restore commands. Example: |
67 | # netfilter-default /etc/iptables.iptables.rules | 70 | # netfilter-default /etc/iptables.iptables.rules |
68 | 71 | ||
69 | # Enable or disable networking features, default enabled. | 72 | # Enable or disable networking features, default enabled. |
diff --git a/etc/ids.config b/etc/ids.config index 09b0ae912..ff55416ca 100644 --- a/etc/ids.config +++ b/etc/ids.config | |||
@@ -37,6 +37,7 @@ include ids.config.local | |||
37 | 37 | ||
38 | ### shells local ### | 38 | ### shells local ### |
39 | # bash | 39 | # bash |
40 | ${HOME}/.bash_aliases | ||
40 | ${HOME}/.bash_login | 41 | ${HOME}/.bash_login |
41 | ${HOME}/.bash_logout | 42 | ${HOME}/.bash_logout |
42 | ${HOME}/.bash_profile | 43 | ${HOME}/.bash_profile |
@@ -99,10 +100,24 @@ ${HOME}/.xsessionrc | |||
99 | ### window/desktop manager ### | 100 | ### window/desktop manager ### |
100 | ${HOME}/Desktop/*.desktop | 101 | ${HOME}/Desktop/*.desktop |
101 | ${HOME}/.config/autostart | 102 | ${HOME}/.config/autostart |
103 | ${HOME}/.config/autostart-scripts | ||
102 | ${HOME}/.config/lxsession/LXDE/autostart | 104 | ${HOME}/.config/lxsession/LXDE/autostart |
105 | ${HOME}/.config/openbox/autostart | ||
106 | ${HOME}/.config/openbox/environment | ||
107 | ${HOME}/.config/plasma-workspace/env | ||
108 | ${HOME}/.config/plasma-workspace/shutdown | ||
103 | ${HOME}/.gnomerc | 109 | ${HOME}/.gnomerc |
104 | ${HOME}/.gtkrc | 110 | ${HOME}/.gtkrc |
111 | ${HOME}/.kde/Autostart | ||
112 | ${HOME}/.kde/env | ||
113 | ${HOME}/.kde/share/autostart | ||
114 | ${HOME}/.kde/shutdown | ||
115 | ${HOME}/.kde4/Autostart | ||
116 | ${HOME}/.kde4/env | ||
117 | ${HOME}/.kde4/share/autostart | ||
118 | ${HOME}/.kde4/shutdown | ||
105 | ${HOME}/.kderc | 119 | ${HOME}/.kderc |
120 | ${HOME}/.local/share/autostart | ||
106 | 121 | ||
107 | ### security ### | 122 | ### security ### |
108 | /etc/aide | 123 | /etc/aide |
@@ -123,6 +138,7 @@ ${HOME}/.kderc | |||
123 | /etc/tripwire | 138 | /etc/tripwire |
124 | ${HOME}/.config/firejail | 139 | ${HOME}/.config/firejail |
125 | ${HOME}/.gnupg | 140 | ${HOME}/.gnupg |
141 | ${HOME}/.pam_environment | ||
126 | 142 | ||
127 | ### network security ### | 143 | ### network security ### |
128 | /etc/ca-certificates* | 144 | /etc/ca-certificates* |
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 011bbe226..4e460fc10 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc | |||
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history | |||
27 | noblacklist ${HOME}/.python_history | 27 | noblacklist ${HOME}/.python_history |
28 | noblacklist ${HOME}/.pythonhist | 28 | noblacklist ${HOME}/.pythonhist |
29 | 29 | ||
30 | # Ruby | ||
31 | noblacklist ${HOME}/.bundle | ||
32 | |||
30 | # Rust | 33 | # Rust |
31 | noblacklist ${HOME}/.cargo/* | 34 | noblacklist ${HOME}/.cargo |
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc index a8c701219..00276cac7 100644 --- a/etc/inc/allow-ruby.inc +++ b/etc/inc/allow-ruby.inc | |||
@@ -4,3 +4,4 @@ include allow-ruby.local | |||
4 | 4 | ||
5 | noblacklist ${PATH}/ruby | 5 | noblacklist ${PATH}/ruby |
6 | noblacklist /usr/lib/ruby | 6 | noblacklist /usr/lib/ruby |
7 | noblacklist /usr/lib64/ruby | ||
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index ae84ee38a..f3d685d18 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc | |||
@@ -458,7 +458,7 @@ blacklist /sbin | |||
458 | blacklist /usr/local/sbin | 458 | blacklist /usr/local/sbin |
459 | blacklist /usr/sbin | 459 | blacklist /usr/sbin |
460 | 460 | ||
461 | # system management | 461 | # system management and various SUID executables |
462 | blacklist ${PATH}/at | 462 | blacklist ${PATH}/at |
463 | blacklist ${PATH}/busybox | 463 | blacklist ${PATH}/busybox |
464 | blacklist ${PATH}/chage | 464 | blacklist ${PATH}/chage |
@@ -493,6 +493,12 @@ blacklist ${PATH}/umount | |||
493 | blacklist ${PATH}/unix_chkpwd | 493 | blacklist ${PATH}/unix_chkpwd |
494 | blacklist ${PATH}/xev | 494 | blacklist ${PATH}/xev |
495 | blacklist ${PATH}/xinput | 495 | blacklist ${PATH}/xinput |
496 | blacklist /usr/lib/openssh/ssh-keysign | ||
497 | blacklist ${PATH}/passwd | ||
498 | blacklist /usr/lib/xorg/Xorg.wrap | ||
499 | blacklist /usr/lib/policykit-1/polkit-agent-helper-1 | ||
500 | blacklist /usr/lib/dbus-1.0/dbus-daemon-launch-helper | ||
501 | blacklist /usr/lib/eject/dmcrypt-get-device | ||
496 | 502 | ||
497 | # other SUID binaries | 503 | # other SUID binaries |
498 | blacklist /usr/lib/virtualbox | 504 | blacklist /usr/lib/virtualbox |
diff --git a/etc/inc/disable-devel.inc b/etc/inc/disable-devel.inc index e74b1b40b..98bf5ecc8 100644 --- a/etc/inc/disable-devel.inc +++ b/etc/inc/disable-devel.inc | |||
@@ -60,9 +60,7 @@ blacklist /usr/lib/tcc | |||
60 | blacklist ${PATH}/valgrind* | 60 | blacklist ${PATH}/valgrind* |
61 | blacklist /usr/lib/valgrind | 61 | blacklist /usr/lib/valgrind |
62 | 62 | ||
63 | |||
64 | # Source-Code | 63 | # Source-Code |
65 | |||
66 | blacklist /usr/src | 64 | blacklist /usr/src |
67 | blacklist /usr/local/src | 65 | blacklist /usr/local/src |
68 | blacklist /usr/include | 66 | blacklist /usr/include |
diff --git a/etc/inc/disable-exec.inc b/etc/inc/disable-exec.inc index 9b5c40a2b..d7dcef7e7 100644 --- a/etc/inc/disable-exec.inc +++ b/etc/inc/disable-exec.inc | |||
@@ -6,6 +6,7 @@ noexec ${HOME} | |||
6 | noexec ${RUNUSER} | 6 | noexec ${RUNUSER} |
7 | noexec /dev/mqueue | 7 | noexec /dev/mqueue |
8 | noexec /dev/shm | 8 | noexec /dev/shm |
9 | noexec /run/shm | ||
9 | noexec /tmp | 10 | noexec /tmp |
10 | # /var is noexec by default for unprivileged users | 11 | # /var is noexec by default for unprivileged users |
11 | # except there is a writable-var option, so just in case: | 12 | # except there is a writable-var option, so just in case: |
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 5d8a236fb..804869e2a 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc | |||
@@ -48,6 +48,7 @@ blacklist /usr/share/php* | |||
48 | # Ruby | 48 | # Ruby |
49 | blacklist ${PATH}/ruby | 49 | blacklist ${PATH}/ruby |
50 | blacklist /usr/lib/ruby | 50 | blacklist /usr/lib/ruby |
51 | blacklist /usr/lib64/ruby | ||
51 | 52 | ||
52 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus | 53 | # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus |
53 | # Python 2 | 54 | # Python 2 |
diff --git a/etc/inc/disable-proc.inc b/etc/inc/disable-proc.inc new file mode 100644 index 000000000..81a8883f3 --- /dev/null +++ b/etc/inc/disable-proc.inc | |||
@@ -0,0 +1,82 @@ | |||
1 | # This file is overwritten during software install. | ||
2 | # Persistent customizations should go in a .local file. | ||
3 | include disable-proc.local | ||
4 | |||
5 | blacklist /proc/acpi | ||
6 | blacklist /proc/asound | ||
7 | blacklist /proc/bootconfig | ||
8 | blacklist /proc/buddyinfo | ||
9 | blacklist /proc/cgroups | ||
10 | blacklist /proc/cmdline | ||
11 | blacklist /proc/config.gz | ||
12 | blacklist /proc/consoles | ||
13 | #blacklist /proc/cpuinfo | ||
14 | blacklist /proc/crypto | ||
15 | blacklist /proc/devices | ||
16 | blacklist /proc/diskstats | ||
17 | blacklist /proc/dma | ||
18 | #blacklist /proc/driver | ||
19 | blacklist /proc/dynamic_debug | ||
20 | blacklist /proc/execdomains | ||
21 | blacklist /proc/fb | ||
22 | #blacklist /proc/filesystems | ||
23 | blacklist /proc/fs | ||
24 | blacklist /proc/i8k | ||
25 | blacklist /proc/interrupts | ||
26 | blacklist /proc/iomem | ||
27 | blacklist /proc/ioports | ||
28 | blacklist /proc/irq | ||
29 | blacklist /proc/kallsyms | ||
30 | blacklist /proc/kcore | ||
31 | blacklist /proc/keys | ||
32 | blacklist /proc/key-users | ||
33 | blacklist /proc/kmsg | ||
34 | blacklist /proc/kpagecgroup | ||
35 | blacklist /proc/kpagecount | ||
36 | blacklist /proc/kpageflags | ||
37 | blacklist /proc/latency_stats | ||
38 | #blacklist /proc/loadavg | ||
39 | blacklist /proc/locks | ||
40 | blacklist /proc/mdstat | ||
41 | #blacklist /proc/meminfo | ||
42 | blacklist /proc/misc | ||
43 | #blacklist /proc/modules | ||
44 | #blacklist /proc/mounts | ||
45 | blacklist /proc/mtrr | ||
46 | #blacklist /proc/net | ||
47 | blacklist /proc/partitions | ||
48 | blacklist /proc/pressure | ||
49 | blacklist /proc/sched_debug | ||
50 | blacklist /proc/schedstat | ||
51 | blacklist /proc/scsi | ||
52 | #blacklist /proc/self | ||
53 | blacklist /proc/slabinfo | ||
54 | blacklist /proc/softirqs | ||
55 | blacklist /proc/spl | ||
56 | #blacklist /proc/stat | ||
57 | blacklist /proc/swaps | ||
58 | #blacklist /proc/sys | ||
59 | blacklist /proc/sysrq-trigger | ||
60 | blacklist /proc/sysvipc | ||
61 | #blacklist /proc/thread-self | ||
62 | blacklist /proc/timer_list | ||
63 | blacklist /proc/tty | ||
64 | #blacklist /proc/uptime | ||
65 | #blacklist /proc/version | ||
66 | blacklist /proc/version_signature | ||
67 | blacklist /proc/vmallocinfo | ||
68 | #blacklist /proc/vmstat | ||
69 | #blacklist /proc/zoneinfo | ||
70 | |||
71 | blacklist /proc/sys/abi | ||
72 | blacklist /proc/sys/crypto | ||
73 | blacklist /proc/sys/debug | ||
74 | blacklist /proc/sys/dev | ||
75 | blacklist /proc/sys/fs | ||
76 | blacklist /proc/sys/net | ||
77 | blacklist /proc/sys/user | ||
78 | blacklist /proc/sys/vm | ||
79 | |||
80 | noblacklist /proc/sys/kernel/osrelease | ||
81 | noblacklist /proc/sys/kernel/yama | ||
82 | blacklist /proc/sys/*/* | ||
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 4941630a2..e78f15e10 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -49,11 +49,184 @@ blacklist ${HOME}/.bibletime | |||
49 | blacklist ${HOME}/.bitcoin | 49 | blacklist ${HOME}/.bitcoin |
50 | blacklist ${HOME}/.blobby | 50 | blacklist ${HOME}/.blobby |
51 | blacklist ${HOME}/.bogofilter | 51 | blacklist ${HOME}/.bogofilter |
52 | blacklist ${HOME}/.bundle | ||
52 | blacklist ${HOME}/.bzf | 53 | blacklist ${HOME}/.bzf |
53 | blacklist ${HOME}/.cargo/* | 54 | blacklist ${HOME}/.cache/0ad |
55 | blacklist ${HOME}/.cache/8pecxstudios | ||
56 | blacklist ${HOME}/.cache/Authenticator | ||
57 | blacklist ${HOME}/.cache/BraveSoftware | ||
58 | blacklist ${HOME}/.cache/Clementine | ||
59 | blacklist ${HOME}/.cache/ENCOM/Spectral | ||
60 | blacklist ${HOME}/.cache/Enox | ||
61 | blacklist ${HOME}/.cache/Enpass | ||
62 | blacklist ${HOME}/.cache/Ferdi | ||
63 | blacklist ${HOME}/.cache/Flavio Tordini | ||
64 | blacklist ${HOME}/.cache/Franz | ||
65 | blacklist ${HOME}/.cache/GoldenDict | ||
66 | blacklist ${HOME}/.cache/INRIA | ||
67 | blacklist ${HOME}/.cache/INRIA/Natron | ||
68 | blacklist ${HOME}/.cache/JetBrains/CLion* | ||
69 | blacklist ${HOME}/.cache/KDE/neochat | ||
70 | blacklist ${HOME}/.cache/Mendeley Ltd. | ||
71 | blacklist ${HOME}/.cache/MusicBrainz | ||
72 | blacklist ${HOME}/.cache/NewsFlashGTK | ||
73 | blacklist ${HOME}/.cache/Otter | ||
74 | blacklist ${HOME}/.cache/PawelStolowski | ||
75 | blacklist ${HOME}/.cache/Psi | ||
76 | blacklist ${HOME}/.cache/QuiteRss | ||
77 | blacklist ${HOME}/.cache/Quotient/quaternion | ||
78 | blacklist ${HOME}/.cache/Shortwave | ||
79 | blacklist ${HOME}/.cache/Tox | ||
80 | blacklist ${HOME}/.cache/Zeal | ||
81 | blacklist ${HOME}/.cache/agenda | ||
82 | blacklist ${HOME}/.cache/akonadi* | ||
83 | blacklist ${HOME}/.cache/atril | ||
84 | blacklist ${HOME}/.cache/attic | ||
85 | blacklist ${HOME}/.cache/babl | ||
86 | blacklist ${HOME}/.cache/bnox | ||
87 | blacklist ${HOME}/.cache/borg | ||
88 | blacklist ${HOME}/.cache/calibre | ||
89 | blacklist ${HOME}/.cache/cantata | ||
90 | blacklist ${HOME}/.cache/champlain | ||
91 | blacklist ${HOME}/.cache/chromium | ||
92 | blacklist ${HOME}/.cache/chromium-dev | ||
93 | blacklist ${HOME}/.cache/cliqz | ||
94 | blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate | ||
95 | blacklist ${HOME}/.cache/darktable | ||
96 | blacklist ${HOME}/.cache/deja-dup | ||
97 | blacklist ${HOME}/.cache/discover | ||
98 | blacklist ${HOME}/.cache/dnox | ||
99 | blacklist ${HOME}/.cache/dolphin | ||
100 | blacklist ${HOME}/.cache/dolphin-emu | ||
101 | blacklist ${HOME}/.cache/ephemeral | ||
102 | blacklist ${HOME}/.cache/epiphany | ||
103 | blacklist ${HOME}/.cache/evolution | ||
104 | blacklist ${HOME}/.cache/falkon | ||
105 | blacklist ${HOME}/.cache/feedreader | ||
106 | blacklist ${HOME}/.cache/firedragon | ||
107 | blacklist ${HOME}/.cache/flaska.net/trojita | ||
108 | blacklist ${HOME}/.cache/folks | ||
109 | blacklist ${HOME}/.cache/font-manager | ||
110 | blacklist ${HOME}/.cache/fossamail | ||
111 | blacklist ${HOME}/.cache/fractal | ||
112 | blacklist ${HOME}/.cache/freecol | ||
113 | blacklist ${HOME}/.cache/gajim | ||
114 | blacklist ${HOME}/.cache/geary | ||
115 | blacklist ${HOME}/.cache/geeqie | ||
116 | blacklist ${HOME}/.cache/gegl-0.4 | ||
117 | blacklist ${HOME}/.cache/gfeeds | ||
118 | blacklist ${HOME}/.cache/gimp | ||
119 | blacklist ${HOME}/.cache/gnome-boxes | ||
120 | blacklist ${HOME}/.cache/gnome-builder | ||
121 | blacklist ${HOME}/.cache/gnome-control-center | ||
122 | blacklist ${HOME}/.cache/gnome-recipes | ||
123 | blacklist ${HOME}/.cache/gnome-screenshot | ||
124 | blacklist ${HOME}/.cache/gnome-software | ||
125 | blacklist ${HOME}/.cache/gnome-twitch | ||
126 | blacklist ${HOME}/.cache/godot | ||
127 | blacklist ${HOME}/.cache/google-chrome | ||
128 | blacklist ${HOME}/.cache/google-chrome-beta | ||
129 | blacklist ${HOME}/.cache/google-chrome-unstable | ||
130 | blacklist ${HOME}/.cache/gradio | ||
131 | blacklist ${HOME}/.cache/gummi | ||
132 | blacklist ${HOME}/.cache/icedove | ||
133 | blacklist ${HOME}/.cache/inkscape | ||
134 | blacklist ${HOME}/.cache/inox | ||
135 | blacklist ${HOME}/.cache/io.github.lainsce.Notejot | ||
136 | blacklist ${HOME}/.cache/iridium | ||
137 | blacklist ${HOME}/.cache/kcmshell5 | ||
138 | blacklist ${HOME}/.cache/kdenlive | ||
139 | blacklist ${HOME}/.cache/keepassxc | ||
140 | blacklist ${HOME}/.cache/kfind | ||
141 | blacklist ${HOME}/.cache/kinfocenter | ||
142 | blacklist ${HOME}/.cache/kmail2 | ||
143 | blacklist ${HOME}/.cache/krunner | ||
144 | blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | ||
145 | blacklist ${HOME}/.cache/kscreenlocker_greet | ||
146 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | ||
147 | blacklist ${HOME}/.cache/ksplashqml | ||
148 | blacklist ${HOME}/.cache/kube | ||
149 | blacklist ${HOME}/.cache/kwin | ||
150 | blacklist ${HOME}/.cache/libgweather | ||
151 | blacklist ${HOME}/.cache/librewolf | ||
152 | blacklist ${HOME}/.cache/liferea | ||
153 | blacklist ${HOME}/.cache/lutris | ||
154 | blacklist ${HOME}/.cache/marker | ||
155 | blacklist ${HOME}/.cache/matrix-mirage | ||
156 | blacklist ${HOME}/.cache/microsoft-edge-beta | ||
157 | blacklist ${HOME}/.cache/microsoft-edge-dev | ||
158 | blacklist ${HOME}/.cache/midori | ||
159 | blacklist ${HOME}/.cache/minetest | ||
160 | blacklist ${HOME}/.cache/mirage | ||
161 | blacklist ${HOME}/.cache/moonchild productions/basilisk | ||
162 | blacklist ${HOME}/.cache/moonchild productions/pale moon | ||
163 | blacklist ${HOME}/.cache/mozilla | ||
164 | blacklist ${HOME}/.cache/ms-excel-online | ||
165 | blacklist ${HOME}/.cache/ms-office-online | ||
166 | blacklist ${HOME}/.cache/ms-onenote-online | ||
167 | blacklist ${HOME}/.cache/ms-outlook-online | ||
168 | blacklist ${HOME}/.cache/ms-powerpoint-online | ||
169 | blacklist ${HOME}/.cache/ms-skype-online | ||
170 | blacklist ${HOME}/.cache/ms-word-online | ||
171 | blacklist ${HOME}/.cache/mutt | ||
172 | blacklist ${HOME}/.cache/mypaint | ||
173 | blacklist ${HOME}/.cache/netsurf | ||
174 | blacklist ${HOME}/.cache/nheko | ||
175 | blacklist ${HOME}/.cache/okular | ||
176 | blacklist ${HOME}/.cache/opera | ||
177 | blacklist ${HOME}/.cache/opera-beta | ||
178 | blacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
179 | blacklist ${HOME}/.cache/org.gnome.Books | ||
180 | blacklist ${HOME}/.cache/org.gnome.Maps | ||
181 | blacklist ${HOME}/.cache/pdfmod | ||
182 | blacklist ${HOME}/.cache/peek | ||
183 | blacklist ${HOME}/.cache/pip | ||
184 | blacklist ${HOME}/.cache/pipe-viewer | ||
185 | blacklist ${HOME}/.cache/plasmashell | ||
186 | blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* | ||
187 | blacklist ${HOME}/.cache/psi | ||
188 | blacklist ${HOME}/.cache/qBittorrent | ||
189 | blacklist ${HOME}/.cache/quodlibet | ||
190 | blacklist ${HOME}/.cache/qupzilla | ||
191 | blacklist ${HOME}/.cache/qutebrowser | ||
192 | blacklist ${HOME}/.cache/rednotebook | ||
193 | blacklist ${HOME}/.cache/rhythmbox | ||
194 | blacklist ${HOME}/.cache/shotwell | ||
195 | blacklist ${HOME}/.cache/simple-scan | ||
196 | blacklist ${HOME}/.cache/slimjet | ||
197 | blacklist ${HOME}/.cache/smuxi | ||
198 | blacklist ${HOME}/.cache/snox | ||
199 | blacklist ${HOME}/.cache/spotify | ||
200 | blacklist ${HOME}/.cache/straw-viewer | ||
201 | blacklist ${HOME}/.cache/strawberry | ||
202 | blacklist ${HOME}/.cache/supertuxkart | ||
203 | blacklist ${HOME}/.cache/systemsettings | ||
204 | blacklist ${HOME}/.cache/telepathy | ||
205 | blacklist ${HOME}/.cache/thunderbird | ||
206 | blacklist ${HOME}/.cache/torbrowser | ||
207 | blacklist ${HOME}/.cache/transmission | ||
208 | blacklist ${HOME}/.cache/ungoogled-chromium | ||
209 | blacklist ${HOME}/.cache/vivaldi | ||
210 | blacklist ${HOME}/.cache/vivaldi-snapshot | ||
211 | blacklist ${HOME}/.cache/vlc | ||
212 | blacklist ${HOME}/.cache/vmware | ||
213 | blacklist ${HOME}/.cache/warsow-2.1 | ||
214 | blacklist ${HOME}/.cache/waterfox | ||
215 | blacklist ${HOME}/.cache/wesnoth | ||
216 | blacklist ${HOME}/.cache/winetricks | ||
217 | blacklist ${HOME}/.cache/xmms2 | ||
218 | blacklist ${HOME}/.cache/xournalpp | ||
219 | blacklist ${HOME}/.cache/xreader | ||
220 | blacklist ${HOME}/.cache/yandex-browser | ||
221 | blacklist ${HOME}/.cache/yandex-browser-beta | ||
222 | blacklist ${HOME}/.cache/youtube-dl | ||
223 | blacklist ${HOME}/.cache/youtube-viewer | ||
224 | blacklist ${HOME}/.cache/yt-dlp | ||
225 | blacklist ${HOME}/.cache/zim | ||
226 | blacklist ${HOME}/.cargo | ||
54 | blacklist ${HOME}/.claws-mail | 227 | blacklist ${HOME}/.claws-mail |
55 | blacklist ${HOME}/.cliqz | ||
56 | blacklist ${HOME}/.clion* | 228 | blacklist ${HOME}/.clion* |
229 | blacklist ${HOME}/.cliqz | ||
57 | blacklist ${HOME}/.clonk | 230 | blacklist ${HOME}/.clonk |
58 | blacklist ${HOME}/.config/0ad | 231 | blacklist ${HOME}/.config/0ad |
59 | blacklist ${HOME}/.config/2048-qt | 232 | blacklist ${HOME}/.config/2048-qt |
@@ -92,8 +265,8 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player | |||
92 | blacklist ${HOME}/.config/Gpredict | 265 | blacklist ${HOME}/.config/Gpredict |
93 | blacklist ${HOME}/.config/INRIA | 266 | blacklist ${HOME}/.config/INRIA |
94 | blacklist ${HOME}/.config/InSilmaril | 267 | blacklist ${HOME}/.config/InSilmaril |
95 | blacklist ${HOME}/.config/Jitsi Meet | ||
96 | blacklist ${HOME}/.config/JetBrains/CLion* | 268 | blacklist ${HOME}/.config/JetBrains/CLion* |
269 | blacklist ${HOME}/.config/Jitsi Meet | ||
97 | blacklist ${HOME}/.config/KDE/neochat | 270 | blacklist ${HOME}/.config/KDE/neochat |
98 | blacklist ${HOME}/.config/KeePass | 271 | blacklist ${HOME}/.config/KeePass |
99 | blacklist ${HOME}/.config/KeePassXCrc | 272 | blacklist ${HOME}/.config/KeePassXCrc |
@@ -142,6 +315,7 @@ blacklist ${HOME}/.config/SubDownloader | |||
142 | blacklist ${HOME}/.config/Thunar | 315 | blacklist ${HOME}/.config/Thunar |
143 | blacklist ${HOME}/.config/Twitch | 316 | blacklist ${HOME}/.config/Twitch |
144 | blacklist ${HOME}/.config/Unknown Organization | 317 | blacklist ${HOME}/.config/Unknown Organization |
318 | blacklist ${HOME}/.config/VSCodium | ||
145 | blacklist ${HOME}/.config/VirtualBox | 319 | blacklist ${HOME}/.config/VirtualBox |
146 | blacklist ${HOME}/.config/Whalebird | 320 | blacklist ${HOME}/.config/Whalebird |
147 | blacklist ${HOME}/.config/Wire | 321 | blacklist ${HOME}/.config/Wire |
@@ -496,12 +670,14 @@ blacklist ${HOME}/.frogatto | |||
496 | blacklist ${HOME}/.frozen-bubble | 670 | blacklist ${HOME}/.frozen-bubble |
497 | blacklist ${HOME}/.funnyboat | 671 | blacklist ${HOME}/.funnyboat |
498 | blacklist ${HOME}/.gallery-dl.conf | 672 | blacklist ${HOME}/.gallery-dl.conf |
673 | blacklist ${HOME}/.geekbench5 | ||
499 | blacklist ${HOME}/.gimp* | 674 | blacklist ${HOME}/.gimp* |
500 | blacklist ${HOME}/.gist | 675 | blacklist ${HOME}/.gist |
501 | blacklist ${HOME}/.gitconfig | 676 | blacklist ${HOME}/.gitconfig |
502 | blacklist ${HOME}/.gl-117 | 677 | blacklist ${HOME}/.gl-117 |
503 | blacklist ${HOME}/.glaxiumrc | 678 | blacklist ${HOME}/.glaxiumrc |
504 | blacklist ${HOME}/.gnome/gnome-schedule | 679 | blacklist ${HOME}/.gnome/gnome-schedule |
680 | blacklist ${HOME}/.goldendict | ||
505 | blacklist ${HOME}/.googleearth | 681 | blacklist ${HOME}/.googleearth |
506 | blacklist ${HOME}/.gradle | 682 | blacklist ${HOME}/.gradle |
507 | blacklist ${HOME}/.gramps | 683 | blacklist ${HOME}/.gramps |
@@ -954,176 +1130,3 @@ blacklist /var/games/slashem | |||
954 | blacklist /var/games/vulturesclaw | 1130 | blacklist /var/games/vulturesclaw |
955 | blacklist /var/games/vultureseye | 1131 | blacklist /var/games/vultureseye |
956 | blacklist /var/lib/games/Maelstrom-Scores | 1132 | blacklist /var/lib/games/Maelstrom-Scores |
957 | |||
958 | # ${HOME}/.cache directory | ||
959 | blacklist ${HOME}/.cache/0ad | ||
960 | blacklist ${HOME}/.cache/8pecxstudios | ||
961 | blacklist ${HOME}/.cache/Authenticator | ||
962 | blacklist ${HOME}/.cache/BraveSoftware | ||
963 | blacklist ${HOME}/.cache/Clementine | ||
964 | blacklist ${HOME}/.cache/ENCOM/Spectral | ||
965 | blacklist ${HOME}/.cache/Enox | ||
966 | blacklist ${HOME}/.cache/Enpass | ||
967 | blacklist ${HOME}/.cache/Ferdi | ||
968 | blacklist ${HOME}/.cache/Flavio Tordini | ||
969 | blacklist ${HOME}/.cache/Franz | ||
970 | blacklist ${HOME}/.cache/INRIA | ||
971 | blacklist ${HOME}/.cache/INRIA/Natron | ||
972 | blacklist ${HOME}/.cache/KDE/neochat | ||
973 | blacklist ${HOME}/.cache/Mendeley Ltd. | ||
974 | blacklist ${HOME}/.cache/MusicBrainz | ||
975 | blacklist ${HOME}/.cache/NewsFlashGTK | ||
976 | blacklist ${HOME}/.cache/Otter | ||
977 | blacklist ${HOME}/.cache/PawelStolowski | ||
978 | blacklist ${HOME}/.cache/Psi | ||
979 | blacklist ${HOME}/.cache/QuiteRss | ||
980 | blacklist ${HOME}/.cache/Quotient/quaternion | ||
981 | blacklist ${HOME}/.cache/Shortwave | ||
982 | blacklist ${HOME}/.cache/Tox | ||
983 | blacklist ${HOME}/.cache/Zeal | ||
984 | blacklist ${HOME}/.cache/agenda | ||
985 | blacklist ${HOME}/.cache/akonadi* | ||
986 | blacklist ${HOME}/.cache/atril | ||
987 | blacklist ${HOME}/.cache/attic | ||
988 | blacklist ${HOME}/.cache/babl | ||
989 | blacklist ${HOME}/.cache/bnox | ||
990 | blacklist ${HOME}/.cache/borg | ||
991 | blacklist ${HOME}/.cache/calibre | ||
992 | blacklist ${HOME}/.cache/cantata | ||
993 | blacklist ${HOME}/.cache/champlain | ||
994 | blacklist ${HOME}/.cache/chromium | ||
995 | blacklist ${HOME}/.cache/chromium-dev | ||
996 | blacklist ${HOME}/.cache/cliqz | ||
997 | blacklist ${HOME}/.cache/com.github.johnfactotum.Foliate | ||
998 | blacklist ${HOME}/.cache/darktable | ||
999 | blacklist ${HOME}/.cache/deja-dup | ||
1000 | blacklist ${HOME}/.cache/discover | ||
1001 | blacklist ${HOME}/.cache/dnox | ||
1002 | blacklist ${HOME}/.cache/dolphin | ||
1003 | blacklist ${HOME}/.cache/dolphin-emu | ||
1004 | blacklist ${HOME}/.cache/ephemeral | ||
1005 | blacklist ${HOME}/.cache/epiphany | ||
1006 | blacklist ${HOME}/.cache/evolution | ||
1007 | blacklist ${HOME}/.cache/falkon | ||
1008 | blacklist ${HOME}/.cache/feedreader | ||
1009 | blacklist ${HOME}/.cache/firedragon | ||
1010 | blacklist ${HOME}/.cache/flaska.net/trojita | ||
1011 | blacklist ${HOME}/.cache/folks | ||
1012 | blacklist ${HOME}/.cache/font-manager | ||
1013 | blacklist ${HOME}/.cache/fossamail | ||
1014 | blacklist ${HOME}/.cache/fractal | ||
1015 | blacklist ${HOME}/.cache/freecol | ||
1016 | blacklist ${HOME}/.cache/gajim | ||
1017 | blacklist ${HOME}/.cache/geary | ||
1018 | blacklist ${HOME}/.cache/geeqie | ||
1019 | blacklist ${HOME}/.cache/gegl-0.4 | ||
1020 | blacklist ${HOME}/.cache/gfeeds | ||
1021 | blacklist ${HOME}/.cache/gimp | ||
1022 | blacklist ${HOME}/.cache/gnome-boxes | ||
1023 | blacklist ${HOME}/.cache/gnome-builder | ||
1024 | blacklist ${HOME}/.cache/gnome-control-center | ||
1025 | blacklist ${HOME}/.cache/gnome-recipes | ||
1026 | blacklist ${HOME}/.cache/gnome-screenshot | ||
1027 | blacklist ${HOME}/.cache/gnome-software | ||
1028 | blacklist ${HOME}/.cache/gnome-twitch | ||
1029 | blacklist ${HOME}/.cache/godot | ||
1030 | blacklist ${HOME}/.cache/google-chrome | ||
1031 | blacklist ${HOME}/.cache/google-chrome-beta | ||
1032 | blacklist ${HOME}/.cache/google-chrome-unstable | ||
1033 | blacklist ${HOME}/.cache/gradio | ||
1034 | blacklist ${HOME}/.cache/gummi | ||
1035 | blacklist ${HOME}/.cache/icedove | ||
1036 | blacklist ${HOME}/.cache/inkscape | ||
1037 | blacklist ${HOME}/.cache/inox | ||
1038 | blacklist ${HOME}/.cache/io.github.lainsce.Notejot | ||
1039 | blacklist ${HOME}/.cache/iridium | ||
1040 | blacklist ${HOME}/.cache/JetBrains/CLion* | ||
1041 | blacklist ${HOME}/.cache/kcmshell5 | ||
1042 | blacklist ${HOME}/.cache/kdenlive | ||
1043 | blacklist ${HOME}/.cache/keepassxc | ||
1044 | blacklist ${HOME}/.cache/kfind | ||
1045 | blacklist ${HOME}/.cache/kinfocenter | ||
1046 | blacklist ${HOME}/.cache/kmail2 | ||
1047 | blacklist ${HOME}/.cache/krunner | ||
1048 | blacklist ${HOME}/.cache/krunnerbookmarkrunnerfirefoxdbfile.sqlite* | ||
1049 | blacklist ${HOME}/.cache/kscreenlocker_greet | ||
1050 | blacklist ${HOME}/.cache/ksmserver-logout-greeter | ||
1051 | blacklist ${HOME}/.cache/ksplashqml | ||
1052 | blacklist ${HOME}/.cache/kube | ||
1053 | blacklist ${HOME}/.cache/kwin | ||
1054 | blacklist ${HOME}/.cache/libgweather | ||
1055 | blacklist ${HOME}/.cache/librewolf | ||
1056 | blacklist ${HOME}/.cache/liferea | ||
1057 | blacklist ${HOME}/.cache/lutris | ||
1058 | blacklist ${HOME}/.cache/marker | ||
1059 | blacklist ${HOME}/.cache/matrix-mirage | ||
1060 | blacklist ${HOME}/.cache/microsoft-edge-beta | ||
1061 | blacklist ${HOME}/.cache/microsoft-edge-dev | ||
1062 | blacklist ${HOME}/.cache/midori | ||
1063 | blacklist ${HOME}/.cache/minetest | ||
1064 | blacklist ${HOME}/.cache/mirage | ||
1065 | blacklist ${HOME}/.cache/moonchild productions/basilisk | ||
1066 | blacklist ${HOME}/.cache/moonchild productions/pale moon | ||
1067 | blacklist ${HOME}/.cache/mozilla | ||
1068 | blacklist ${HOME}/.cache/ms-excel-online | ||
1069 | blacklist ${HOME}/.cache/ms-office-online | ||
1070 | blacklist ${HOME}/.cache/ms-onenote-online | ||
1071 | blacklist ${HOME}/.cache/ms-outlook-online | ||
1072 | blacklist ${HOME}/.cache/ms-powerpoint-online | ||
1073 | blacklist ${HOME}/.cache/ms-skype-online | ||
1074 | blacklist ${HOME}/.cache/ms-word-online | ||
1075 | blacklist ${HOME}/.cache/mutt | ||
1076 | blacklist ${HOME}/.cache/mypaint | ||
1077 | blacklist ${HOME}/.cache/netsurf | ||
1078 | blacklist ${HOME}/.cache/nheko | ||
1079 | blacklist ${HOME}/.cache/okular | ||
1080 | blacklist ${HOME}/.cache/opera | ||
1081 | blacklist ${HOME}/.cache/opera-beta | ||
1082 | blacklist ${HOME}/.cache/org.gabmus.gfeeds | ||
1083 | blacklist ${HOME}/.cache/org.gnome.Books | ||
1084 | blacklist ${HOME}/.cache/org.gnome.Maps | ||
1085 | blacklist ${HOME}/.cache/pdfmod | ||
1086 | blacklist ${HOME}/.cache/peek | ||
1087 | blacklist ${HOME}/.cache/pip | ||
1088 | blacklist ${HOME}/.cache/pipe-viewer | ||
1089 | blacklist ${HOME}/.cache/plasmashell | ||
1090 | blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite* | ||
1091 | blacklist ${HOME}/.cache/psi | ||
1092 | blacklist ${HOME}/.cache/qBittorrent | ||
1093 | blacklist ${HOME}/.cache/quodlibet | ||
1094 | blacklist ${HOME}/.cache/qupzilla | ||
1095 | blacklist ${HOME}/.cache/qutebrowser | ||
1096 | blacklist ${HOME}/.cache/rednotebook | ||
1097 | blacklist ${HOME}/.cache/rhythmbox | ||
1098 | blacklist ${HOME}/.cache/shotwell | ||
1099 | blacklist ${HOME}/.cache/simple-scan | ||
1100 | blacklist ${HOME}/.cache/slimjet | ||
1101 | blacklist ${HOME}/.cache/smuxi | ||
1102 | blacklist ${HOME}/.cache/snox | ||
1103 | blacklist ${HOME}/.cache/spotify | ||
1104 | blacklist ${HOME}/.cache/straw-viewer | ||
1105 | blacklist ${HOME}/.cache/strawberry | ||
1106 | blacklist ${HOME}/.cache/supertuxkart | ||
1107 | blacklist ${HOME}/.cache/systemsettings | ||
1108 | blacklist ${HOME}/.cache/telepathy | ||
1109 | blacklist ${HOME}/.cache/thunderbird | ||
1110 | blacklist ${HOME}/.cache/torbrowser | ||
1111 | blacklist ${HOME}/.cache/transmission | ||
1112 | blacklist ${HOME}/.cache/ungoogled-chromium | ||
1113 | blacklist ${HOME}/.cache/vivaldi | ||
1114 | blacklist ${HOME}/.cache/vivaldi-snapshot | ||
1115 | blacklist ${HOME}/.cache/vlc | ||
1116 | blacklist ${HOME}/.cache/vmware | ||
1117 | blacklist ${HOME}/.cache/warsow-2.1 | ||
1118 | blacklist ${HOME}/.cache/waterfox | ||
1119 | blacklist ${HOME}/.cache/wesnoth | ||
1120 | blacklist ${HOME}/.cache/winetricks | ||
1121 | blacklist ${HOME}/.cache/xmms2 | ||
1122 | blacklist ${HOME}/.cache/xournalpp | ||
1123 | blacklist ${HOME}/.cache/xreader | ||
1124 | blacklist ${HOME}/.cache/yandex-browser | ||
1125 | blacklist ${HOME}/.cache/yandex-browser-beta | ||
1126 | blacklist ${HOME}/.cache/youtube-dl | ||
1127 | blacklist ${HOME}/.cache/youtube-viewer | ||
1128 | blacklist ${HOME}/.cache/yt-dlp | ||
1129 | blacklist ${HOME}/.cache/zim | ||
diff --git a/etc/inc/whitelist-run-common.inc b/etc/inc/whitelist-run-common.inc index 224d21064..d74655a08 100644 --- a/etc/inc/whitelist-run-common.inc +++ b/etc/inc/whitelist-run-common.inc | |||
@@ -7,5 +7,9 @@ whitelist /run/cups/cups.sock | |||
7 | whitelist /run/dbus/system_bus_socket | 7 | whitelist /run/dbus/system_bus_socket |
8 | whitelist /run/media | 8 | whitelist /run/media |
9 | whitelist /run/resolvconf/resolv.conf | 9 | whitelist /run/resolvconf/resolv.conf |
10 | whitelist /run/shm | ||
11 | whitelist /run/systemd/journal/dev-log | ||
12 | whitelist /run/systemd/journal/socket | ||
10 | whitelist /run/systemd/resolve/resolv.conf | 13 | whitelist /run/systemd/resolve/resolv.conf |
11 | whitelist /run/systemd/resolve/stub-resolv.conf | 14 | whitelist /run/systemd/resolve/stub-resolv.conf |
15 | whitelist /run/udev/data | ||
diff --git a/etc/profile-a-l/Books.profile b/etc/profile-a-l/Books.profile index 76fd21d32..a256e942f 100644 --- a/etc/profile-a-l/Books.profile +++ b/etc/profile-a-l/Books.profile | |||
@@ -1,5 +1,10 @@ | |||
1 | # Firejail profile for gnome-books | 1 | # Firejail profile for gnome-books |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | ||
4 | include Books.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
3 | 8 | ||
4 | 9 | ||
5 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 | 10 | # Temporary fix for https://github.com/netblue30/firejail/issues/2624 |
diff --git a/etc/profile-a-l/abiword.profile b/etc/profile-a-l/abiword.profile index 005a502c4..0e7126458 100644 --- a/etc/profile-a-l/abiword.profile +++ b/etc/profile-a-l/abiword.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin abiword | 42 | private-bin abiword |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,gtk-3.0,passwd | 45 | private-etc alternatives,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # dbus-user none | 48 | # dbus-user none |
diff --git a/etc/profile-a-l/agetpkg.profile b/etc/profile-a-l/agetpkg.profile index fea25fd58..dd3b2e59b 100644 --- a/etc/profile-a-l/agetpkg.profile +++ b/etc/profile-a-l/agetpkg.profile | |||
@@ -50,7 +50,7 @@ tracelog | |||
50 | private-bin agetpkg,python3 | 50 | private-bin agetpkg,python3 |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/akonadi_control.profile b/etc/profile-a-l/akonadi_control.profile index 168e81985..f3fb678d1 100644 --- a/etc/profile-a-l/akonadi_control.profile +++ b/etc/profile-a-l/akonadi_control.profile | |||
@@ -27,6 +27,7 @@ include disable-exec.inc | |||
27 | include disable-interpreters.inc | 27 | include disable-interpreters.inc |
28 | include disable-programs.inc | 28 | include disable-programs.inc |
29 | 29 | ||
30 | include whitelist-run-common.inc | ||
30 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
31 | 32 | ||
32 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. | 33 | # disabled options below are not compatible with the apparmor profile for mysqld-akonadi. |
diff --git a/etc/profile-a-l/akregator.profile b/etc/profile-a-l/akregator.profile index d1e7df37b..39008d67a 100644 --- a/etc/profile-a-l/akregator.profile +++ b/etc/profile-a-l/akregator.profile | |||
@@ -25,6 +25,7 @@ whitelist ${HOME}/.local/share/akregator | |||
25 | whitelist ${HOME}/.local/share/kssl | 25 | whitelist ${HOME}/.local/share/kssl |
26 | whitelist ${HOME}/.local/share/kxmlgui5/akregator | 26 | whitelist ${HOME}/.local/share/kxmlgui5/akregator |
27 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | caps.drop all | 31 | caps.drop all |
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile index 69b499c74..5a528595b 100644 --- a/etc/profile-a-l/alacarte.profile +++ b/etc/profile-a-l/alacarte.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | # private-bin alacarte,bash,python*,sh | 53 | # private-bin alacarte,bash,python*,sh |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg | 56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-a-l/alienarena.profile b/etc/profile-a-l/alienarena.profile index 62857a3e2..68512e37b 100644 --- a/etc/profile-a-l/alienarena.profile +++ b/etc/profile-a-l/alienarena.profile | |||
@@ -29,7 +29,6 @@ caps.drop all | |||
29 | netfilter | 29 | netfilter |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
33 | nonewprivs | 32 | nonewprivs |
34 | noroot | 33 | noroot |
35 | notv | 34 | notv |
diff --git a/etc/profile-a-l/amarok.profile b/etc/profile-a-l/amarok.profile index e7b78f7d0..7d8ec481d 100644 --- a/etc/profile-a-l/amarok.profile +++ b/etc/profile-a-l/amarok.profile | |||
@@ -39,7 +39,7 @@ dbus-user.own org.kde.amarok | |||
39 | dbus-user.own org.mpris.amarok | 39 | dbus-user.own org.mpris.amarok |
40 | dbus-user.own org.mpris.MediaPlayer2.amarok | 40 | dbus-user.own org.mpris.MediaPlayer2.amarok |
41 | dbus-user.talk org.freedesktop.Notifications | 41 | dbus-user.talk org.freedesktop.Notifications |
42 | dbus-user.talk org.kde.StatusNotifierWatcher | 42 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
43 | # If you're not on kde-plasma add the next lines to your amarok.local. | 43 | # If you're not on kde-plasma add the next lines to your amarok.local. |
44 | #dbus-user.own org.kde.kded | 44 | #dbus-user.own org.kde.kded |
45 | #dbus-user.own org.kde.klauncher | 45 | #dbus-user.own org.kde.klauncher |
diff --git a/etc/profile-a-l/amule.profile b/etc/profile-a-l/amule.profile index 3ce05c5bc..e82c145d1 100644 --- a/etc/profile-a-l/amule.profile +++ b/etc/profile-a-l/amule.profile | |||
@@ -32,6 +32,7 @@ nosound | |||
32 | notv | 32 | notv |
33 | nou2f | 33 | nou2f |
34 | novideo | 34 | novideo |
35 | # Add netlink protocol to use UPnP | ||
35 | protocol unix,inet,inet6 | 36 | protocol unix,inet,inet6 |
36 | seccomp | 37 | seccomp |
37 | shell none | 38 | shell none |
diff --git a/etc/profile-a-l/anki.profile b/etc/profile-a-l/anki.profile index fa4dfbb6f..f6d711b2e 100644 --- a/etc/profile-a-l/anki.profile +++ b/etc/profile-a-l/anki.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin anki,python* | 50 | private-bin anki,python* |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,machine-id,pki,resolv.conf,ssl,Trolltech.conf | 53 | private-etc alternatives,ca-certificates,fonts,gtk-2.0,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl,Trolltech.conf |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile index 737cf3095..8aef75cd1 100644 --- a/etc/profile-a-l/aria2c.profile +++ b/etc/profile-a-l/aria2c.profile | |||
@@ -45,7 +45,7 @@ private-bin aria2c,gzip | |||
45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). | 45 | # Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772). |
46 | #private-cache | 46 | #private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,groups,ld.so.cache,ld.so.preload,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
49 | private-lib libreadline.so.* | 49 | private-lib libreadline.so.* |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-a-l/ark.profile b/etc/profile-a-l/ark.profile index 45071dc62..a26592f3a 100644 --- a/etc/profile-a-l/ark.profile +++ b/etc/profile-a-l/ark.profile | |||
@@ -16,6 +16,7 @@ include disable-interpreters.inc | |||
16 | include disable-programs.inc | 16 | include disable-programs.inc |
17 | 17 | ||
18 | whitelist /usr/share/ark | 18 | whitelist /usr/share/ark |
19 | include whitelist-run-common.inc | ||
19 | include whitelist-usr-share-common.inc | 20 | include whitelist-usr-share-common.inc |
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
diff --git a/etc/profile-a-l/arm.profile b/etc/profile-a-l/arm.profile index 3253fb586..6676d42e9 100644 --- a/etc/profile-a-l/arm.profile +++ b/etc/profile-a-l/arm.profile | |||
@@ -43,6 +43,6 @@ tracelog | |||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor | 44 | private-bin arm,bash,ldconfig,lsof,ps,python*,sh,tor |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor | 46 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-a-l/artha.profile b/etc/profile-a-l/artha.profile index 8d74b6ba4..254f3f571 100644 --- a/etc/profile-a-l/artha.profile +++ b/etc/profile-a-l/artha.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin artha,enchant,notify-send | 56 | private-bin artha,enchant,notify-send |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,machine-id | 59 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
60 | private-lib libnotify.so.* | 60 | private-lib libnotify.so.* |
61 | private-tmp | 61 | private-tmp |
62 | 62 | ||
diff --git a/etc/profile-a-l/atool.profile b/etc/profile-a-l/atool.profile index e377de2c8..6399bc1a3 100644 --- a/etc/profile-a-l/atool.profile +++ b/etc/profile-a-l/atool.profile | |||
@@ -13,7 +13,7 @@ include allow-perl.inc | |||
13 | noroot | 13 | noroot |
14 | 14 | ||
15 | # without login.defs atool complains and uses UID/GID 1000 by default | 15 | # without login.defs atool complains and uses UID/GID 1000 by default |
16 | private-etc alternatives,group,login.defs,passwd | 16 | private-etc alternatives,group,ld.so.cache,ld.so.preload,login.defs,passwd |
17 | private-tmp | 17 | private-tmp |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
diff --git a/etc/profile-a-l/atril.profile b/etc/profile-a-l/atril.profile index f7c62926f..264bc0215 100644 --- a/etc/profile-a-l/atril.profile +++ b/etc/profile-a-l/atril.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | 42 | ||
43 | private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote | 43 | private-bin 7z,7za,7zr,atril,atril-previewer,atril-thumbnailer,sh,tar,unrar,unzip,zipnote |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,fonts,ld.so.cache | 45 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
46 | # atril uses webkit gtk to display epub files | 46 | # atril uses webkit gtk to display epub files |
47 | # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 | 47 | # waiting for globbing support in private-lib; for now hardcoding it to webkit2gtk-4.0 |
48 | #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit | 48 | #private-lib webkit2gtk-4.0 - problems on Arch with the new version of WebKit |
diff --git a/etc/profile-a-l/audacious.profile b/etc/profile-a-l/audacious.profile index d71370b7e..e9ecdd72e 100644 --- a/etc/profile-a-l/audacious.profile +++ b/etc/profile-a-l/audacious.profile | |||
@@ -17,6 +17,7 @@ include disable-interpreters.inc | |||
17 | include disable-programs.inc | 17 | include disable-programs.inc |
18 | include disable-xdg.inc | 18 | include disable-xdg.inc |
19 | 19 | ||
20 | include whitelist-run-common.inc | ||
20 | include whitelist-var-common.inc | 21 | include whitelist-var-common.inc |
21 | 22 | ||
22 | apparmor | 23 | apparmor |
diff --git a/etc/profile-a-l/authenticator-rs.profile b/etc/profile-a-l/authenticator-rs.profile index 411c5f4d3..a8af1928b 100644 --- a/etc/profile-a-l/authenticator-rs.profile +++ b/etc/profile-a-l/authenticator-rs.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin authenticator-rs | 47 | private-bin authenticator-rs |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,pki,resolv.conf,ssl,xdg | 50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | dbus-user filter | 53 | dbus-user filter |
diff --git a/etc/profile-a-l/authenticator.profile b/etc/profile-a-l/authenticator.profile index 0f0fb7ceb..f9a03ca68 100644 --- a/etc/profile-a-l/authenticator.profile +++ b/etc/profile-a-l/authenticator.profile | |||
@@ -39,7 +39,7 @@ shell none | |||
39 | disable-mnt | 39 | disable-mnt |
40 | # private-bin authenticator,python* | 40 | # private-bin authenticator,python* |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,pki,resolv.conf,ssl | 42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # makes settings immutable | 45 | # makes settings immutable |
diff --git a/etc/profile-a-l/baloo_file.profile b/etc/profile-a-l/baloo_file.profile index 252016bec..55d2453d8 100644 --- a/etc/profile-a-l/baloo_file.profile +++ b/etc/profile-a-l/baloo_file.profile | |||
@@ -25,6 +25,7 @@ include disable-exec.inc | |||
25 | include disable-interpreters.inc | 25 | include disable-interpreters.inc |
26 | include disable-programs.inc | 26 | include disable-programs.inc |
27 | 27 | ||
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | apparmor | 31 | apparmor |
diff --git a/etc/profile-a-l/balsa.profile b/etc/profile-a-l/balsa.profile index 197f787ca..be3543b08 100644 --- a/etc/profile-a-l/balsa.profile +++ b/etc/profile-a-l/balsa.profile | |||
@@ -66,7 +66,7 @@ tracelog | |||
66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm | 66 | private-bin balsa,balsa-ab,gpg,gpg-agent,gpg2,gpgsm |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,groups,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,mailname,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | writable-run-user | 71 | writable-run-user |
72 | writable-var | 72 | writable-var |
@@ -79,4 +79,4 @@ dbus-user.talk org.freedesktop.secrets | |||
79 | dbus-user.talk org.gnome.keyring.SystemPrompter | 79 | dbus-user.talk org.gnome.keyring.SystemPrompter |
80 | dbus-system none | 80 | dbus-system none |
81 | 81 | ||
82 | read-only ${HOME}/.mozilla/firefox/profiles.ini \ No newline at end of file | 82 | read-only ${HOME}/.mozilla/firefox/profiles.ini |
diff --git a/etc/profile-a-l/bibletime.profile b/etc/profile-a-l/bibletime.profile index 0104dc181..be29ce8a7 100644 --- a/etc/profile-a-l/bibletime.profile +++ b/etc/profile-a-l/bibletime.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | # private-bin bibletime,qt5ct | 52 | # private-bin bibletime,qt5ct |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pki,resolv.conf,ssl,sword,sword.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-a-l/bijiben.profile b/etc/profile-a-l/bijiben.profile index 61cd792b1..b86232860 100644 --- a/etc/profile-a-l/bijiben.profile +++ b/etc/profile-a-l/bijiben.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin bijiben | 51 | private-bin bijiben |
52 | # private-cache -- access to .cache/tracker is required | 52 | # private-cache -- access to .cache/tracker is required |
53 | private-dev | 53 | private-dev |
54 | private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload | 54 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user filter | 57 | dbus-user filter |
diff --git a/etc/profile-a-l/bitwarden.profile b/etc/profile-a-l/bitwarden.profile index ba2eb2ea7..f8114c71b 100644 --- a/etc/profile-a-l/bitwarden.profile +++ b/etc/profile-a-l/bitwarden.profile | |||
@@ -23,7 +23,7 @@ no3d | |||
23 | nosound | 23 | nosound |
24 | 24 | ||
25 | ?HAS_APPIMAGE: ignore private-dev | 25 | ?HAS_APPIMAGE: ignore private-dev |
26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,nsswitch.conf,pki,resolv.conf,ssl | 26 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
27 | private-opt Bitwarden | 27 | private-opt Bitwarden |
28 | 28 | ||
29 | # Redirect | 29 | # Redirect |
diff --git a/etc/profile-a-l/bless.profile b/etc/profile-a-l/bless.profile index 61d1c3a1e..3e20ed133 100644 --- a/etc/profile-a-l/bless.profile +++ b/etc/profile-a-l/bless.profile | |||
@@ -35,7 +35,7 @@ shell none | |||
35 | # private-bin bash,bless,mono,sh | 35 | # private-bin bash,bless,mono,sh |
36 | private-cache | 36 | private-cache |
37 | private-dev | 37 | private-dev |
38 | private-etc alternatives,fonts,mono | 38 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,mono |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
41 | dbus-user none | 41 | dbus-user none |
diff --git a/etc/profile-a-l/blobby.profile b/etc/profile-a-l/blobby.profile index 11d705c5b..d7df3bc49 100644 --- a/etc/profile-a-l/blobby.profile +++ b/etc/profile-a-l/blobby.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private-bin blobby | 42 | private-bin blobby |
43 | private-dev | 43 | private-dev |
44 | private-etc alsa,alternatives,asound.conf,drirc,group,hosts,login.defs,machine-id,passwd,pulse | 44 | private-etc alsa,alternatives,asound.conf,drirc,group,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,passwd,pulse |
45 | private-lib | 45 | private-lib |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/blobwars.profile b/etc/profile-a-l/blobwars.profile index 6e3d4256c..cc2fda3f2 100644 --- a/etc/profile-a-l/blobwars.profile +++ b/etc/profile-a-l/blobwars.profile | |||
@@ -19,6 +19,7 @@ include disable-xdg.inc | |||
19 | mkdir ${HOME}/.parallelrealities/blobwars | 19 | mkdir ${HOME}/.parallelrealities/blobwars |
20 | whitelist ${HOME}/.parallelrealities/blobwars | 20 | whitelist ${HOME}/.parallelrealities/blobwars |
21 | whitelist /usr/share/blobwars | 21 | whitelist /usr/share/blobwars |
22 | whitelist /usr/share/games/blobwars | ||
22 | include whitelist-common.inc | 23 | include whitelist-common.inc |
23 | include whitelist-usr-share-common.inc | 24 | include whitelist-usr-share-common.inc |
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
@@ -28,7 +29,6 @@ caps.drop all | |||
28 | net none | 29 | net none |
29 | nodvd | 30 | nodvd |
30 | nogroups | 31 | nogroups |
31 | noinput | ||
32 | nonewprivs | 32 | nonewprivs |
33 | noroot | 33 | noroot |
34 | notv | 34 | notv |
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin blobwars | 43 | private-bin blobwars |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc machine-id | 46 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-a-l/bsdtar.profile b/etc/profile-a-l/bsdtar.profile index d731a6a6e..fbc7c9056 100644 --- a/etc/profile-a-l/bsdtar.profile +++ b/etc/profile-a-l/bsdtar.profile | |||
@@ -6,7 +6,7 @@ include bsdtar.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | private-etc alternatives,group,localtime,passwd | 9 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
10 | 10 | ||
11 | # Redirect | 11 | # Redirect |
12 | include archiver-common.profile | 12 | include archiver-common.profile |
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile new file mode 100644 index 000000000..1b199d612 --- /dev/null +++ b/etc/profile-a-l/build-systems-common.profile | |||
@@ -0,0 +1,66 @@ | |||
1 | # Firejail profile for build-systems-common | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include build-systems-common.local | ||
5 | # Persistent global definitions | ||
6 | # added by caller profile | ||
7 | #include globals.local | ||
8 | |||
9 | ignore noexec ${HOME} | ||
10 | ignore noexec /tmp | ||
11 | |||
12 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
13 | include allow-bin-sh.inc | ||
14 | |||
15 | # Allows files commonly used by IDEs | ||
16 | include allow-common-devel.inc | ||
17 | |||
18 | # Allow ssh (blacklisted by disable-common.inc) | ||
19 | #include allow-ssh.inc | ||
20 | |||
21 | blacklist ${RUNUSER} | ||
22 | |||
23 | include disable-common.inc | ||
24 | include disable-exec.inc | ||
25 | include disable-interpreters.inc | ||
26 | include disable-programs.inc | ||
27 | include disable-shell.inc | ||
28 | include disable-X11.inc | ||
29 | include disable-xdg.inc | ||
30 | |||
31 | #whitelist ${HOME}/Projects | ||
32 | #include whitelist-common.inc | ||
33 | |||
34 | whitelist /usr/share/pkgconfig | ||
35 | include whitelist-run-common.inc | ||
36 | include whitelist-usr-share-common.inc | ||
37 | include whitelist-var-common.inc | ||
38 | |||
39 | caps.drop all | ||
40 | ipc-namespace | ||
41 | machine-id | ||
42 | # net none | ||
43 | netfilter | ||
44 | no3d | ||
45 | nodvd | ||
46 | nogroups | ||
47 | noinput | ||
48 | nonewprivs | ||
49 | noroot | ||
50 | nosound | ||
51 | notv | ||
52 | nou2f | ||
53 | novideo | ||
54 | protocol unix,inet,inet6 | ||
55 | seccomp | ||
56 | seccomp.block-secondary | ||
57 | shell none | ||
58 | tracelog | ||
59 | |||
60 | disable-mnt | ||
61 | private-cache | ||
62 | private-dev | ||
63 | private-tmp | ||
64 | |||
65 | dbus-user none | ||
66 | dbus-system none | ||
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile new file mode 100644 index 000000000..bb82022b1 --- /dev/null +++ b/etc/profile-a-l/bundle.profile | |||
@@ -0,0 +1,23 @@ | |||
1 | # Firejail profile for bundle | ||
2 | # Description: Ruby Dependency Management | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include bundle.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | noblacklist ${HOME}/.bundle | ||
11 | |||
12 | # Allow ruby (blacklisted by disable-interpreters.inc) | ||
13 | include allow-ruby.inc | ||
14 | |||
15 | #whitelist ${HOME}/.bundle | ||
16 | #whitelist ${HOME}/.gem | ||
17 | #whitelist ${HOME}/.local/share/gem | ||
18 | whitelist /usr/share/gems | ||
19 | whitelist /usr/share/ruby | ||
20 | whitelist /usr/share/rubygems | ||
21 | |||
22 | # Redirect | ||
23 | include build-systems-common.profile | ||
diff --git a/etc/profile-a-l/cameramonitor.profile b/etc/profile-a-l/cameramonitor.profile index ae9e0f1d2..92c455144 100644 --- a/etc/profile-a-l/cameramonitor.profile +++ b/etc/profile-a-l/cameramonitor.profile | |||
@@ -46,7 +46,7 @@ tracelog | |||
46 | disable-mnt | 46 | disable-mnt |
47 | private-bin cameramonitor,python* | 47 | private-bin cameramonitor,python* |
48 | private-cache | 48 | private-cache |
49 | private-etc alternatives,fonts | 49 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | # dbus-user none | 52 | # dbus-user none |
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index ff46cd429..4c8afd895 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile | |||
@@ -7,66 +7,18 @@ include cargo.local | |||
7 | # Persistent global definitions | 7 | # Persistent global definitions |
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | ignore noexec ${HOME} | 10 | ignore read-only ${HOME}/.cargo/bin |
11 | ignore noexec /tmp | ||
12 | |||
13 | blacklist /tmp/.X11-unix | ||
14 | blacklist ${RUNUSER} | ||
15 | 11 | ||
16 | noblacklist ${HOME}/.cargo/credentials | 12 | noblacklist ${HOME}/.cargo/credentials |
17 | noblacklist ${HOME}/.cargo/credentials.toml | 13 | noblacklist ${HOME}/.cargo/credentials.toml |
18 | 14 | ||
19 | # Allows files commonly used by IDEs | ||
20 | include allow-common-devel.inc | ||
21 | |||
22 | # Allow ssh (blacklisted by disable-common.inc) | ||
23 | #include allow-ssh.inc | ||
24 | |||
25 | include disable-common.inc | ||
26 | include disable-exec.inc | ||
27 | include disable-interpreters.inc | ||
28 | include disable-programs.inc | ||
29 | include disable-xdg.inc | ||
30 | |||
31 | #mkdir ${HOME}/.cargo | ||
32 | #whitelist ${HOME}/YOUR_CARGO_PROJECTS | ||
33 | #whitelist ${HOME}/.cargo | 15 | #whitelist ${HOME}/.cargo |
34 | #whitelist ${HOME}/.rustup | 16 | #whitelist ${HOME}/.rustup |
35 | #include whitelist-common.inc | ||
36 | whitelist /usr/share/pkgconfig | ||
37 | include whitelist-runuser-common.inc | ||
38 | include whitelist-usr-share-common.inc | ||
39 | include whitelist-var-common.inc | ||
40 | 17 | ||
41 | caps.drop all | ||
42 | ipc-namespace | ||
43 | machine-id | ||
44 | netfilter | ||
45 | no3d | ||
46 | nodvd | ||
47 | nogroups | ||
48 | noinput | ||
49 | nonewprivs | ||
50 | noroot | ||
51 | nosound | ||
52 | notv | ||
53 | nou2f | ||
54 | novideo | ||
55 | protocol unix,inet,inet6 | ||
56 | seccomp | ||
57 | seccomp.block-secondary | ||
58 | shell none | ||
59 | tracelog | ||
60 | |||
61 | disable-mnt | ||
62 | #private-bin cargo,rustc | 18 | #private-bin cargo,rustc |
63 | private-cache | ||
64 | private-dev | ||
65 | private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl | 19 | private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl |
66 | private-tmp | ||
67 | |||
68 | dbus-user none | ||
69 | dbus-system none | ||
70 | 20 | ||
71 | memory-deny-write-execute | 21 | memory-deny-write-execute |
72 | read-write ${HOME}/.cargo/bin | 22 | |
23 | # Redirect | ||
24 | include build-systems-common.profile | ||
diff --git a/etc/profile-a-l/cawbird.profile b/etc/profile-a-l/cawbird.profile index 78df5af83..c7a98250e 100644 --- a/etc/profile-a-l/cawbird.profile +++ b/etc/profile-a-l/cawbird.profile | |||
@@ -39,7 +39,7 @@ disable-mnt | |||
39 | private-bin cawbird | 39 | private-bin cawbird |
40 | private-cache | 40 | private-cache |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg | 42 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,resolv.conf,ssl,X11,xdg |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | # dbus-user none | 45 | # dbus-user none |
diff --git a/etc/profile-a-l/celluloid.profile b/etc/profile-a-l/celluloid.profile index 0beeaafdd..1a9340632 100644 --- a/etc/profile-a-l/celluloid.profile +++ b/etc/profile-a-l/celluloid.profile | |||
@@ -53,7 +53,7 @@ tracelog | |||
53 | 53 | ||
54 | private-bin celluloid,env,gnome-mpv,python*,youtube-dl | 54 | private-bin celluloid,env,gnome-mpv,python*,youtube-dl |
55 | private-cache | 55 | private-cache |
56 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg | 56 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,libva.conf,localtime,machine-id,pkcs11,pki,resolv.conf,selinux,ssl,xdg |
57 | private-dev | 57 | private-dev |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
diff --git a/etc/profile-a-l/cheese.profile b/etc/profile-a-l/cheese.profile index c2fc064f3..713d8a5e4 100644 --- a/etc/profile-a-l/cheese.profile +++ b/etc/profile-a-l/cheese.profile | |||
@@ -9,17 +9,23 @@ include globals.local | |||
9 | noblacklist ${VIDEOS} | 9 | noblacklist ${VIDEOS} |
10 | noblacklist ${PICTURES} | 10 | noblacklist ${PICTURES} |
11 | 11 | ||
12 | include allow-python3.inc | ||
13 | |||
12 | include disable-common.inc | 14 | include disable-common.inc |
13 | include disable-devel.inc | 15 | include disable-devel.inc |
14 | include disable-exec.inc | 16 | include disable-exec.inc |
15 | include disable-interpreters.inc | 17 | include disable-interpreters.inc |
16 | include disable-programs.inc | 18 | include disable-programs.inc |
19 | include disable-shell.inc | ||
17 | include disable-xdg.inc | 20 | include disable-xdg.inc |
18 | 21 | ||
19 | whitelist ${VIDEOS} | 22 | whitelist ${VIDEOS} |
20 | whitelist ${PICTURES} | 23 | whitelist ${PICTURES} |
24 | whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner | ||
21 | whitelist /usr/share/gnome-video-effects | 25 | whitelist /usr/share/gnome-video-effects |
26 | whitelist /usr/share/gstreamer-1.0 | ||
22 | include whitelist-common.inc | 27 | include whitelist-common.inc |
28 | include whitelist-run-common.inc | ||
23 | include whitelist-runuser-common.inc | 29 | include whitelist-runuser-common.inc |
24 | include whitelist-usr-share-common.inc | 30 | include whitelist-usr-share-common.inc |
25 | include whitelist-var-common.inc | 31 | include whitelist-var-common.inc |
@@ -30,21 +36,26 @@ machine-id | |||
30 | net none | 36 | net none |
31 | nodvd | 37 | nodvd |
32 | nogroups | 38 | nogroups |
39 | noinput | ||
33 | nonewprivs | 40 | nonewprivs |
34 | noroot | 41 | noroot |
42 | nosound | ||
35 | notv | 43 | notv |
36 | nou2f | 44 | nou2f |
37 | protocol unix | 45 | protocol unix |
38 | seccomp | 46 | seccomp |
47 | seccomp.block-secondary | ||
39 | shell none | 48 | shell none |
40 | tracelog | 49 | tracelog |
41 | 50 | ||
42 | disable-mnt | 51 | disable-mnt |
43 | private-bin cheese | 52 | private-bin cheese |
44 | private-cache | 53 | private-cache |
45 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0 | 54 | private-dev |
55 | private-etc alternatives,clutter-1.0,dconf,drirc,fonts,gtk-3.0,ld.so.cache,ld.so.preload | ||
46 | private-tmp | 56 | private-tmp |
47 | 57 | ||
48 | dbus-user filter | 58 | dbus-user filter |
59 | dbus-user.own org.gnome.Cheese | ||
49 | dbus-user.talk ca.desrt.dconf | 60 | dbus-user.talk ca.desrt.dconf |
50 | dbus-system none | 61 | dbus-system none |
diff --git a/etc/profile-a-l/clawsker.profile b/etc/profile-a-l/clawsker.profile index 8ccf67ba1..677d2b7eb 100644 --- a/etc/profile-a-l/clawsker.profile +++ b/etc/profile-a-l/clawsker.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin bash,clawsker,perl,sh,which | 44 | private-bin bash,clawsker,perl,sh,which |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* | 48 | private-lib girepository-1.*,libdbus-glib-1.so.*,libetpan.so.*,libgirepository-1.*,libgtk-3.so.*,libgtk-x11-2.0.so.*,libstartup-notification-1.so.*,perl* |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile new file mode 100644 index 000000000..26cc2a00a --- /dev/null +++ b/etc/profile-a-l/cmake.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for cargo | ||
2 | # Description: The Rust package manager | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include cargo.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | memory-deny-write-execute | ||
11 | |||
12 | # Redirect | ||
13 | include build-systems-common.profile | ||
diff --git a/etc/profile-a-l/cmus.profile b/etc/profile-a-l/cmus.profile index 19a30e694..7421debe0 100644 --- a/etc/profile-a-l/cmus.profile +++ b/etc/profile-a-l/cmus.profile | |||
@@ -27,4 +27,4 @@ seccomp | |||
27 | shell none | 27 | shell none |
28 | 28 | ||
29 | private-bin cmus | 29 | private-bin cmus |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
diff --git a/etc/profile-a-l/codium.profile b/etc/profile-a-l/codium.profile new file mode 100644 index 000000000..9ff87ed8a --- /dev/null +++ b/etc/profile-a-l/codium.profile | |||
@@ -0,0 +1,10 @@ | |||
1 | # Firejail profile alias for VSCodium | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include codium.local | ||
5 | # Persistent global definitions | ||
6 | # added by included profile | ||
7 | #include globals.local | ||
8 | |||
9 | # Redirect | ||
10 | include vscodium.profile | ||
diff --git a/etc/profile-a-l/cola.profile b/etc/profile-a-l/cola.profile index e5debfd82..97bf6d394 100644 --- a/etc/profile-a-l/cola.profile +++ b/etc/profile-a-l/cola.profile | |||
@@ -7,4 +7,4 @@ include cola.local | |||
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | # Redirect | 9 | # Redirect |
10 | include git-cola.profile \ No newline at end of file | 10 | include git-cola.profile |
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile index 8d9de93bb..27780b669 100644 --- a/etc/profile-a-l/com.github.bleakgrey.tootle.profile +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin com.github.bleakgrey.tootle | 45 | private-bin com.github.bleakgrey.tootle |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # Settings are immutable | 51 | # Settings are immutable |
diff --git a/etc/profile-a-l/com.github.dahenson.agenda.profile b/etc/profile-a-l/com.github.dahenson.agenda.profile index e7aa32be9..0e29d90de 100644 --- a/etc/profile-a-l/com.github.dahenson.agenda.profile +++ b/etc/profile-a-l/com.github.dahenson.agenda.profile | |||
@@ -52,7 +52,7 @@ disable-mnt | |||
52 | private-bin com.github.dahenson.agenda | 52 | private-bin com.github.dahenson.agenda |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc dconf,fonts,gtk-3.0 | 55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user filter | 58 | dbus-user filter |
diff --git a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile index aa9a19fcb..24222164b 100644 --- a/etc/profile-a-l/com.github.johnfactotum.Foliate.profile +++ b/etc/profile-a-l/com.github.johnfactotum.Foliate.profile | |||
@@ -55,7 +55,7 @@ disable-mnt | |||
55 | private-bin com.github.johnfactotum.Foliate,gjs | 55 | private-bin com.github.johnfactotum.Foliate,gjs |
56 | private-cache | 56 | private-cache |
57 | private-dev | 57 | private-dev |
58 | private-etc dconf,fonts,gconf,gtk-3.0 | 58 | private-etc alternatives,dconf,fonts,gconf,gtk-3.0,ld.so.cache,ld.so.preload |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
61 | read-only ${HOME} | 61 | read-only ${HOME} |
diff --git a/etc/profile-a-l/coyim.profile b/etc/profile-a-l/coyim.profile index 03218d85a..099253b21 100644 --- a/etc/profile-a-l/coyim.profile +++ b/etc/profile-a-l/coyim.profile | |||
@@ -40,7 +40,7 @@ tracelog | |||
40 | disable-mnt | 40 | disable-mnt |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,ssl | 43 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,ssl |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/crow.profile b/etc/profile-a-l/crow.profile index 177abf829..ed1213687 100644 --- a/etc/profile-a-l/crow.profile +++ b/etc/profile-a-l/crow.profile | |||
@@ -39,7 +39,7 @@ shell none | |||
39 | disable-mnt | 39 | disable-mnt |
40 | private-bin crow | 40 | private-bin crow |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 42 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
43 | private-opt none | 43 | private-opt none |
44 | private-tmp | 44 | private-tmp |
45 | private-srv none | 45 | private-srv none |
diff --git a/etc/profile-a-l/d-feet.profile b/etc/profile-a-l/d-feet.profile index 0e4b8d475..c75bc756f 100644 --- a/etc/profile-a-l/d-feet.profile +++ b/etc/profile-a-l/d-feet.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin d-feet,python* | 50 | private-bin d-feet,python* |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dbus-1,fonts,machine-id | 53 | private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | 56 | #memory-deny-write-execute - breaks on Arch (see issue #1803) |
diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 768f1ac2c..e1b96f186 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile | |||
@@ -51,7 +51,7 @@ private | |||
51 | private-bin dbus-send | 51 | private-bin dbus-send |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,dbus-1 | 54 | private-etc alternatives,dbus-1,ld.so.cache,ld.so.preload |
55 | private-lib libpcre* | 55 | private-lib libpcre* |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
diff --git a/etc/profile-a-l/dconf-editor.profile b/etc/profile-a-l/dconf-editor.profile index f57063ab6..8c3c22dcf 100644 --- a/etc/profile-a-l/dconf-editor.profile +++ b/etc/profile-a-l/dconf-editor.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin dconf-editor | 43 | private-bin dconf-editor |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,dconf,fonts,gtk-3.0,machine-id | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/dconf.profile b/etc/profile-a-l/dconf.profile index 8b7c86789..b170842c3 100644 --- a/etc/profile-a-l/dconf.profile +++ b/etc/profile-a-l/dconf.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin dconf,gsettings | 46 | private-bin dconf,gsettings |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,dconf | 49 | private-etc alternatives,dconf,ld.so.cache,ld.so.preload |
50 | private-lib | 50 | private-lib |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
diff --git a/etc/profile-a-l/ddgtk.profile b/etc/profile-a-l/ddgtk.profile index 701755d93..e9b8f5c47 100644 --- a/etc/profile-a-l/ddgtk.profile +++ b/etc/profile-a-l/ddgtk.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | disable-mnt | 45 | disable-mnt |
46 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr | 46 | private-bin bash,dd,ddgtk,grep,lsblk,python*,sed,sh,tr |
47 | private-cache | 47 | private-cache |
48 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/devhelp.profile b/etc/profile-a-l/devhelp.profile index a416bc27e..562f6b105 100644 --- a/etc/profile-a-l/devhelp.profile +++ b/etc/profile-a-l/devhelp.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin devhelp | 42 | private-bin devhelp |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl | 45 | private-etc alternatives,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # makes settings immutable | 48 | # makes settings immutable |
diff --git a/etc/profile-a-l/devilspie.profile b/etc/profile-a-l/devilspie.profile index 89c8e1ae8..a0f24c388 100644 --- a/etc/profile-a-l/devilspie.profile +++ b/etc/profile-a-l/devilspie.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | private-bin devilspie | 48 | private-bin devilspie |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-lib gconv | 52 | private-lib gconv |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/profile-a-l/discord-common.profile b/etc/profile-a-l/discord-common.profile index 2613027ba..c04e38899 100644 --- a/etc/profile-a-l/discord-common.profile +++ b/etc/profile-a-l/discord-common.profile | |||
@@ -24,7 +24,7 @@ whitelist ${HOME}/.config/BetterDiscord | |||
24 | whitelist ${HOME}/.local/share/betterdiscordctl | 24 | whitelist ${HOME}/.local/share/betterdiscordctl |
25 | 25 | ||
26 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh | 26 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh |
27 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl | 27 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl |
28 | 28 | ||
29 | join-or-start discord | 29 | join-or-start discord |
30 | 30 | ||
diff --git a/etc/profile-a-l/display.profile b/etc/profile-a-l/display.profile index 0f134bd87..8a8d816a3 100644 --- a/etc/profile-a-l/display.profile +++ b/etc/profile-a-l/display.profile | |||
@@ -40,7 +40,7 @@ shell none | |||
40 | private-bin display,python* | 40 | private-bin display,python* |
41 | private-dev | 41 | private-dev |
42 | # On Debian-based systems, display is a symlink in /etc/alternatives | 42 | # On Debian-based systems, display is a symlink in /etc/alternatives |
43 | private-etc alternatives | 43 | private-etc alternatives,ld.so.cache,ld.so.preload |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/dragon.profile b/etc/profile-a-l/dragon.profile index 26243ab4e..d5591adfb 100644 --- a/etc/profile-a-l/dragon.profile +++ b/etc/profile-a-l/dragon.profile | |||
@@ -19,6 +19,7 @@ include disable-shell.inc | |||
19 | include disable-xdg.inc | 19 | include disable-xdg.inc |
20 | 20 | ||
21 | whitelist /usr/share/dragonplayer | 21 | whitelist /usr/share/dragonplayer |
22 | include whitelist-run-common.inc | ||
22 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
diff --git a/etc/profile-a-l/drawio.profile b/etc/profile-a-l/drawio.profile index 6d5e2501f..df7be55de 100644 --- a/etc/profile-a-l/drawio.profile +++ b/etc/profile-a-l/drawio.profile | |||
@@ -45,7 +45,7 @@ shell none | |||
45 | private-bin drawio | 45 | private-bin drawio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/easystroke.profile b/etc/profile-a-l/easystroke.profile index fd7f252b6..20cffae73 100644 --- a/etc/profile-a-l/easystroke.profile +++ b/etc/profile-a-l/easystroke.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | #private-bin bash,easystroke,sh | 45 | #private-bin bash,easystroke,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,group,passwd | 48 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd |
49 | # breaks custom shell command functionality | 49 | # breaks custom shell command functionality |
50 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 50 | #private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-a-l/electron-mail.profile b/etc/profile-a-l/electron-mail.profile index 9aac3f570..09d14045a 100644 --- a/etc/profile-a-l/electron-mail.profile +++ b/etc/profile-a-l/electron-mail.profile | |||
@@ -45,7 +45,7 @@ shell none | |||
45 | private-bin electron-mail | 45 | private-bin electron-mail |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg | 48 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,selinux,ssl,xdg |
49 | private-opt ElectronMail | 49 | private-opt ElectronMail |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-a-l/electrum.profile b/etc/profile-a-l/electrum.profile index 1647f2bc4..dfbe5cee4 100644 --- a/etc/profile-a-l/electrum.profile +++ b/etc/profile-a-l/electrum.profile | |||
@@ -47,7 +47,7 @@ private-bin electrum,python* | |||
47 | private-cache | 47 | private-cache |
48 | ?HAS_APPIMAGE: ignore private-dev | 48 | ?HAS_APPIMAGE: ignore private-dev |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,machine-id,pki,resolv.conf,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | # dbus-user none | 53 | # dbus-user none |
diff --git a/etc/profile-a-l/email-common.profile b/etc/profile-a-l/email-common.profile index 03fd9033a..ac73f002f 100644 --- a/etc/profile-a-l/email-common.profile +++ b/etc/profile-a-l/email-common.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.gnupg | |||
12 | noblacklist ${HOME}/.mozilla | 12 | noblacklist ${HOME}/.mozilla |
13 | noblacklist ${HOME}/.signature | 13 | noblacklist ${HOME}/.signature |
14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local | 14 | # when storing mail outside the default ${HOME}/Mail path, 'noblacklist' the custom path in your email-common.local |
15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications | 15 | # and 'blacklist' it in your disable-common.local too so it is kept hidden from other applications |
16 | noblacklist ${HOME}/Mail | 16 | noblacklist ${HOME}/Mail |
17 | 17 | ||
18 | noblacklist ${DOCUMENTS} | 18 | noblacklist ${DOCUMENTS} |
@@ -66,7 +66,7 @@ tracelog | |||
66 | # disable-mnt | 66 | # disable-mnt |
67 | private-cache | 67 | private-cache |
68 | private-dev | 68 | private-dev |
69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg | 69 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,groups,gtk-2.0,gtk-3.0,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mailname,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssl,xdg |
70 | private-tmp | 70 | private-tmp |
71 | # encrypting and signing email | 71 | # encrypting and signing email |
72 | writable-run-user | 72 | writable-run-user |
diff --git a/etc/profile-a-l/enchant.profile b/etc/profile-a-l/enchant.profile index dc383984e..eff0f64ea 100644 --- a/etc/profile-a-l/enchant.profile +++ b/etc/profile-a-l/enchant.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | private-bin enchant,enchant-* | 48 | private-bin enchant,enchant-* |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-lib | 52 | private-lib |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
diff --git a/etc/profile-a-l/eo-common.profile b/etc/profile-a-l/eo-common.profile index 02112ef20..31f39e210 100644 --- a/etc/profile-a-l/eo-common.profile +++ b/etc/profile-a-l/eo-common.profile | |||
@@ -47,6 +47,6 @@ tracelog | |||
47 | 47 | ||
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,dconf,fonts,gtk-3.0 | 50 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
51 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* | 51 | private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* |
52 | private-tmp | 52 | private-tmp |
diff --git a/etc/profile-a-l/eog.profile b/etc/profile-a-l/eog.profile index 5892374bd..65e5c6e69 100644 --- a/etc/profile-a-l/eog.profile +++ b/etc/profile-a-l/eog.profile | |||
@@ -18,7 +18,7 @@ whitelist /usr/share/eog | |||
18 | 18 | ||
19 | private-bin eog | 19 | private-bin eog |
20 | 20 | ||
21 | # broken on Debian 10 (buster) running LXDE got the folowing error: | 21 | # broken on Debian 10 (buster) running LXDE got the following error: |
22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown | 22 | # Failed to register: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown |
23 | #dbus-user filter | 23 | #dbus-user filter |
24 | #dbus-user.own org.gnome.eog | 24 | #dbus-user.own org.gnome.eog |
diff --git a/etc/profile-a-l/equalx.profile b/etc/profile-a-l/equalx.profile index 7566f7b50..0c3b790d5 100644 --- a/etc/profile-a-l/equalx.profile +++ b/etc/profile-a-l/equalx.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin equalx,gs,pdflatex,pdftocairo | 54 | private-bin equalx,gs,pdflatex,pdftocairo |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,machine-id,papersize,passwd,texlive,Trolltech.conf | 57 | private-etc alternatives,equalx,equalx.conf,fonts,gtk-2.0,latexmk.conf,ld.so.cache,ld.so.preload,machine-id,papersize,passwd,texlive,Trolltech.conf |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user none |
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile index 19ad5799c..63e456488 100644 --- a/etc/profile-a-l/evince.profile +++ b/etc/profile-a-l/evince.profile | |||
@@ -54,7 +54,7 @@ tracelog | |||
54 | private-bin evince,evince-previewer,evince-thumbnailer | 54 | private-bin evince,evince-previewer,evince-thumbnailer |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd | 57 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd |
58 | # private-lib might break two-page-view on some systems | 58 | # private-lib might break two-page-view on some systems |
59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* | 59 | private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.* |
60 | private-tmp | 60 | private-tmp |
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile index 49a16f2f2..ae550e842 100644 --- a/etc/profile-a-l/exiftool.profile +++ b/etc/profile-a-l/exiftool.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | #private-bin exiftool,perl | 48 | #private-bin exiftool,perl |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-a-l/falkon.profile b/etc/profile-a-l/falkon.profile index 3911a8c75..321cb0145 100644 --- a/etc/profile-a-l/falkon.profile +++ b/etc/profile-a-l/falkon.profile | |||
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/falkon | |||
23 | whitelist ${HOME}/.config/falkon | 23 | whitelist ${HOME}/.config/falkon |
24 | whitelist /usr/share/falkon | 24 | whitelist /usr/share/falkon |
25 | include whitelist-common.inc | 25 | include whitelist-common.inc |
26 | include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | 27 | include whitelist-runuser-common.inc |
27 | include whitelist-usr-share-common.inc | 28 | include whitelist-usr-share-common.inc |
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
@@ -46,7 +47,7 @@ disable-mnt | |||
46 | # private-bin falkon | 47 | # private-bin falkon |
47 | private-cache | 48 | private-cache |
48 | private-dev | 49 | private-dev |
49 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 50 | private-etc adobe,alternatives,asound.conf,ati,ca-certificates,crypto-policies,dconf,drirc,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
50 | private-tmp | 51 | private-tmp |
51 | 52 | ||
52 | # dbus-user filter | 53 | # dbus-user filter |
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index 25e1082ad..ee775566e 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin bash,fdns,sh | 42 | private-bin bash,fdns,sh |
43 | private-cache | 43 | private-cache |
44 | #private-dev | 44 | #private-dev |
45 | private-etc ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fdns,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pki,ssl |
46 | # private-lib | 46 | # private-lib |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-a-l/feh-network.inc.profile b/etc/profile-a-l/feh-network.inc.profile index 690b39171..7293e89a8 100644 --- a/etc/profile-a-l/feh-network.inc.profile +++ b/etc/profile-a-l/feh-network.inc.profile | |||
@@ -5,4 +5,4 @@ include feh-network.inc.local | |||
5 | ignore net none | 5 | ignore net none |
6 | netfilter | 6 | netfilter |
7 | protocol unix,inet,inet6 | 7 | protocol unix,inet,inet6 |
8 | private-etc ca-certificates,crypto-policies,hosts,pki,resolv.conf,ssl | 8 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile index 0fdb1d3d3..4b8d41170 100644 --- a/etc/profile-a-l/feh.profile +++ b/etc/profile-a-l/feh.profile | |||
@@ -36,7 +36,7 @@ shell none | |||
36 | private-bin feh,jpegexiforient,jpegtran | 36 | private-bin feh,jpegexiforient,jpegtran |
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,feh | 39 | private-etc alternatives,feh,ld.so.cache,ld.so.preload |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
42 | dbus-user none | 42 | dbus-user none |
diff --git a/etc/profile-a-l/ffplay.profile b/etc/profile-a-l/ffplay.profile index 04134cbf4..52abb99d4 100644 --- a/etc/profile-a-l/ffplay.profile +++ b/etc/profile-a-l/ffplay.profile | |||
@@ -14,7 +14,7 @@ ignore nogroups | |||
14 | ignore nosound | 14 | ignore nosound |
15 | 15 | ||
16 | private-bin ffplay | 16 | private-bin ffplay |
17 | private-etc alsa,asound.conf,group | 17 | private-etc alsa,alternatives,asound.conf,group,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include ffmpeg.profile | 20 | include ffmpeg.profile |
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 434466139..06a8f6170 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd | 43 | private-bin 7z,7za,7zr,ar,arj,atool,bash,brotli,bsdtar,bzip2,compress,cp,cpio,dpkg-deb,file-roller,gtar,gzip,isoinfo,lha,lrzip,lsar,lz4,lzip,lzma,lzop,mv,p7zip,rar,rm,rzip,sh,tar,unace,unalz,unar,uncompress,unrar,unsquashfs,unstuff,unzip,unzstd,xz,xzdec,zip,zoo,zstd |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc dconf,fonts,gtk-3.0,xdg | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg |
47 | # private-tmp | 47 | # private-tmp |
48 | 48 | ||
49 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile index 20ae039aa..ef647b5a0 100644 --- a/etc/profile-a-l/firefox-common.profile +++ b/etc/profile-a-l/firefox-common.profile | |||
@@ -19,6 +19,7 @@ include disable-common.inc | |||
19 | include disable-devel.inc | 19 | include disable-devel.inc |
20 | include disable-exec.inc | 20 | include disable-exec.inc |
21 | include disable-interpreters.inc | 21 | include disable-interpreters.inc |
22 | include disable-proc.inc | ||
22 | include disable-programs.inc | 23 | include disable-programs.inc |
23 | 24 | ||
24 | mkdir ${HOME}/.pki | 25 | mkdir ${HOME}/.pki |
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile index e9241efc3..f80297022 100644 --- a/etc/profile-a-l/flameshot.profile +++ b/etc/profile-a-l/flameshot.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-bin flameshot | 53 | private-bin flameshot |
54 | private-cache | 54 | private-cache |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,pki,resolv.conf,ssl |
56 | private-dev | 56 | private-dev |
57 | #private-tmp | 57 | #private-tmp |
58 | 58 | ||
@@ -63,6 +63,6 @@ dbus-user.talk org.freedesktop.Notifications | |||
63 | dbus-user.talk org.freedesktop.portal.Desktop | 63 | dbus-user.talk org.freedesktop.portal.Desktop |
64 | dbus-user.talk org.gnome.Shell | 64 | dbus-user.talk org.gnome.Shell |
65 | dbus-user.talk org.kde.KWin | 65 | dbus-user.talk org.kde.KWin |
66 | dbus-user.talk org.kde.StatusNotifierWatcher | 66 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
67 | dbus-user.own org.kde.* | 67 | ?ALLOW_TRAY: dbus-user.own org.kde.* |
68 | dbus-system none | 68 | dbus-system none |
diff --git a/etc/profile-a-l/freetube.profile b/etc/profile-a-l/freetube.profile index 7beb2bcba..cb00ce11b 100644 --- a/etc/profile-a-l/freetube.profile +++ b/etc/profile-a-l/freetube.profile | |||
@@ -16,7 +16,7 @@ mkdir ${HOME}/.config/FreeTube | |||
16 | whitelist ${HOME}/.config/FreeTube | 16 | whitelist ${HOME}/.config/FreeTube |
17 | 17 | ||
18 | private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh | 18 | private-bin electron,electron[0-9],electron[0-9][0-9],freetube,sh |
19 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg | 19 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg |
20 | 20 | ||
21 | # Redirect | 21 | # Redirect |
22 | include electron.profile | 22 | include electron.profile |
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile index fa08b4956..8419998de 100644 --- a/etc/profile-a-l/frogatto.profile +++ b/etc/profile-a-l/frogatto.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin frogatto,sh | 45 | private-bin frogatto,sh |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc machine-id | 48 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-a-l/frozen-bubble.profile b/etc/profile-a-l/frozen-bubble.profile index bb35c9447..88943760a 100644 --- a/etc/profile-a-l/frozen-bubble.profile +++ b/etc/profile-a-l/frozen-bubble.profile | |||
@@ -30,7 +30,6 @@ caps.drop all | |||
30 | net none | 30 | net none |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
34 | nonewprivs | 33 | nonewprivs |
35 | noroot | 34 | noroot |
36 | notv | 35 | notv |
diff --git a/etc/profile-a-l/funnyboat.profile b/etc/profile-a-l/funnyboat.profile index 1009f345b..4a08fca9b 100644 --- a/etc/profile-a-l/funnyboat.profile +++ b/etc/profile-a-l/funnyboat.profile | |||
@@ -35,7 +35,6 @@ ipc-namespace | |||
35 | netfilter | 35 | netfilter |
36 | nodvd | 36 | nodvd |
37 | nogroups | 37 | nogroups |
38 | noinput | ||
39 | nonewprivs | 38 | nonewprivs |
40 | noroot | 39 | noroot |
41 | notv | 40 | notv |
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile index b0d017db9..6d764a0f9 100644 --- a/etc/profile-a-l/gajim.profile +++ b/etc/profile-a-l/gajim.profile | |||
@@ -59,7 +59,7 @@ disable-mnt | |||
59 | private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh | 59 | private-bin bash,gajim,gajim-history-manager,gpg,gpg2,paplay,python*,sh,zsh |
60 | private-cache | 60 | private-cache |
61 | private-dev | 61 | private-dev |
62 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg | 62 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,xdg |
63 | private-tmp | 63 | private-tmp |
64 | writable-run-user | 64 | writable-run-user |
65 | 65 | ||
diff --git a/etc/profile-a-l/galculator.profile b/etc/profile-a-l/galculator.profile index 50b1c319c..4efe41f8d 100644 --- a/etc/profile-a-l/galculator.profile +++ b/etc/profile-a-l/galculator.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin galculator | 43 | private-bin galculator |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-a-l/gallery-dl.profile b/etc/profile-a-l/gallery-dl.profile index 9c8200dc4..2947873ef 100644 --- a/etc/profile-a-l/gallery-dl.profile +++ b/etc/profile-a-l/gallery-dl.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/gallery-dl | |||
12 | noblacklist ${HOME}/.gallery-dl.conf | 12 | noblacklist ${HOME}/.gallery-dl.conf |
13 | 13 | ||
14 | private-bin gallery-dl | 14 | private-bin gallery-dl |
15 | private-etc gallery-dl.conf | 15 | private-etc alternatives,gallery-dl.conf,ld.so.cache,ld.so.preload |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include youtube-dl.profile | 18 | include youtube-dl.profile |
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index 8263423a0..ec5b733c8 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile | |||
@@ -49,7 +49,7 @@ private | |||
49 | private-bin gapplication | 49 | private-bin gapplication |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc none | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | # Add the next line to your gapplication.local to filter D-Bus names. | 55 | # Add the next line to your gapplication.local to filter D-Bus names. |
diff --git a/etc/profile-a-l/gcloud.profile b/etc/profile-a-l/gcloud.profile index 388f4c0df..297e5d345 100644 --- a/etc/profile-a-l/gcloud.profile +++ b/etc/profile-a-l/gcloud.profile | |||
@@ -36,7 +36,7 @@ tracelog | |||
36 | 36 | ||
37 | disable-mnt | 37 | disable-mnt |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,localtime,nsswitch.conf,pki,resolv.conf,ssl | 39 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
42 | dbus-user none | 42 | dbus-user none |
diff --git a/etc/profile-a-l/gconf.profile b/etc/profile-a-l/gconf.profile index b01d88f80..a45374d4e 100644 --- a/etc/profile-a-l/gconf.profile +++ b/etc/profile-a-l/gconf.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* | 54 | private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2* |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,fonts,gconf | 57 | private-etc alternatives,fonts,gconf,ld.so.cache,ld.so.preload |
58 | private-lib GConf,libpython*,python2* | 58 | private-lib GConf,libpython*,python2* |
59 | private-tmp | 59 | private-tmp |
60 | 60 | ||
diff --git a/etc/profile-a-l/geary.profile b/etc/profile-a-l/geary.profile index 29c620556..cececd9e9 100644 --- a/etc/profile-a-l/geary.profile +++ b/etc/profile-a-l/geary.profile | |||
@@ -70,7 +70,7 @@ tracelog | |||
70 | private-bin geary | 70 | private-bin geary |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,xdg | 73 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
74 | private-tmp | 74 | private-tmp |
75 | 75 | ||
76 | dbus-user filter | 76 | dbus-user filter |
diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile index f0e17963c..243b893b9 100644 --- a/etc/profile-a-l/geekbench.profile +++ b/etc/profile-a-l/geekbench.profile | |||
@@ -6,6 +6,10 @@ include geekbench.local | |||
6 | # Persistent global definitions | 6 | # Persistent global definitions |
7 | include globals.local | 7 | include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.geekbench5 | ||
10 | noblacklist /sbin | ||
11 | noblacklist /usr/sbin | ||
12 | |||
9 | include disable-common.inc | 13 | include disable-common.inc |
10 | include disable-devel.inc | 14 | include disable-devel.inc |
11 | include disable-exec.inc | 15 | include disable-exec.inc |
@@ -13,6 +17,8 @@ include disable-interpreters.inc | |||
13 | include disable-programs.inc | 17 | include disable-programs.inc |
14 | include disable-xdg.inc | 18 | include disable-xdg.inc |
15 | 19 | ||
20 | mkdir ${HOME}/.geekbench5 | ||
21 | whitelist ${HOME}/.geekbench5 | ||
16 | include whitelist-common.inc | 22 | include whitelist-common.inc |
17 | include whitelist-usr-share-common.inc | 23 | include whitelist-usr-share-common.inc |
18 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
@@ -39,16 +45,14 @@ shell none | |||
39 | tracelog | 45 | tracelog |
40 | 46 | ||
41 | disable-mnt | 47 | disable-mnt |
42 | private-bin bash,geekbenc*,sh | 48 | #private-bin bash,geekbench*,sh -- #4576 |
43 | private-cache | 49 | private-cache |
44 | private-dev | 50 | private-dev |
45 | private-etc alternatives,group,lsb-release,passwd | 51 | private-etc alternatives,group,ld.so.cache,ld.so.preload,lsb-release,passwd |
46 | private-lib gcc/*/*/libstdc++.so.* | ||
47 | private-opt none | ||
48 | private-tmp | 52 | private-tmp |
49 | 53 | ||
50 | dbus-user none | 54 | dbus-user none |
51 | dbus-system none | 55 | dbus-system none |
52 | 56 | ||
53 | #memory-deny-write-execute - breaks on Arch (see issue #1803) | ||
54 | read-only ${HOME} | 57 | read-only ${HOME} |
58 | read-write ${HOME}/.geekbench5 | ||
diff --git a/etc/profile-a-l/gget.profile b/etc/profile-a-l/gget.profile index b2adaa8e4..bc1199914 100644 --- a/etc/profile-a-l/gget.profile +++ b/etc/profile-a-l/gget.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin gget | 49 | private-bin gget |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
53 | private-lib | 53 | private-lib |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile index df9c2ac7a..28070cb9c 100644 --- a/etc/profile-a-l/gimp.profile +++ b/etc/profile-a-l/gimp.profile | |||
@@ -39,6 +39,7 @@ whitelist /usr/share/gegl-0.4 | |||
39 | whitelist /usr/share/gimp | 39 | whitelist /usr/share/gimp |
40 | whitelist /usr/share/mypaint-data | 40 | whitelist /usr/share/mypaint-data |
41 | whitelist /usr/share/lensfun | 41 | whitelist /usr/share/lensfun |
42 | include whitelist-run-common.inc | ||
42 | include whitelist-usr-share-common.inc | 43 | include whitelist-usr-share-common.inc |
43 | include whitelist-var-common.inc | 44 | include whitelist-var-common.inc |
44 | 45 | ||
diff --git a/etc/profile-a-l/gist.profile b/etc/profile-a-l/gist.profile index 80fa18119..506ab7127 100644 --- a/etc/profile-a-l/gist.profile +++ b/etc/profile-a-l/gist.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives | 55 | private-etc alternatives,ld.so.cache,ld.so.preload |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile index f77adef63..6439c8821 100644 --- a/etc/profile-a-l/git-cola.profile +++ b/etc/profile-a-l/git-cola.profile | |||
@@ -70,7 +70,7 @@ tracelog | |||
70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed | 70 | private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed |
71 | private-cache | 71 | private-cache |
72 | private-dev | 72 | private-dev |
73 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg | 73 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitconfig,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,mime.types,nsswitch.conf,passwd,pki,resolv.conf,selinux,ssh,ssl,X11,xdg |
74 | private-tmp | 74 | private-tmp |
75 | writable-run-user | 75 | writable-run-user |
76 | 76 | ||
diff --git a/etc/profile-a-l/gitter.profile b/etc/profile-a-l/gitter.profile index 5dfb48189..16358d064 100644 --- a/etc/profile-a-l/gitter.profile +++ b/etc/profile-a-l/gitter.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin bash,env,gitter | 39 | private-bin bash,env,gitter |
40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,pulse,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,pulse,resolv.conf,ssl |
41 | private-opt Gitter | 41 | private-opt Gitter |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/profile-a-l/gl-117.profile b/etc/profile-a-l/gl-117.profile index 35d969e6d..edb85048b 100644 --- a/etc/profile-a-l/gl-117.profile +++ b/etc/profile-a-l/gl-117.profile | |||
@@ -29,7 +29,6 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
33 | nonewprivs | 32 | nonewprivs |
34 | noroot | 33 | noroot |
35 | notv | 34 | notv |
diff --git a/etc/profile-a-l/glaxium.profile b/etc/profile-a-l/glaxium.profile index dec0daef2..b5f98b411 100644 --- a/etc/profile-a-l/glaxium.profile +++ b/etc/profile-a-l/glaxium.profile | |||
@@ -29,7 +29,6 @@ caps.drop all | |||
29 | net none | 29 | net none |
30 | nodvd | 30 | nodvd |
31 | nogroups | 31 | nogroups |
32 | noinput | ||
33 | nonewprivs | 32 | nonewprivs |
34 | noroot | 33 | noroot |
35 | notv | 34 | notv |
diff --git a/etc/profile-a-l/gmpc.profile b/etc/profile-a-l/gmpc.profile index 4aa4b6c20..e53297c06 100644 --- a/etc/profile-a-l/gmpc.profile +++ b/etc/profile-a-l/gmpc.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | disable-mnt | 44 | disable-mnt |
45 | #private-bin gmpc | 45 | #private-bin gmpc |
46 | private-cache | 46 | private-cache |
47 | private-etc alternatives,fonts | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | writable-run-user | 49 | writable-run-user |
50 | 50 | ||
diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index c8903a991..f9df83e2a 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile | |||
@@ -45,7 +45,7 @@ private | |||
45 | private-bin gnome-calendar | 45 | private-bin gnome-calendar |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,localtime,nsswitch.conf,pki,resolv.conf,ssl | 48 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,pki,resolv.conf,ssl |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user filter | 51 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-chess.profile b/etc/profile-a-l/gnome-chess.profile index d038d775a..dc9092a93 100644 --- a/etc/profile-a-l/gnome-chess.profile +++ b/etc/profile-a-l/gnome-chess.profile | |||
@@ -50,5 +50,5 @@ disable-mnt | |||
50 | private-bin fairymax,gnome-chess,gnuchess,hoichess | 50 | private-bin fairymax,gnome-chess,gnuchess,hoichess |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0 | 53 | private-etc alternatives,dconf,fonts,gnome-chess,gtk-3.0,ld.so.cache,ld.so.preload |
54 | private-tmp | 54 | private-tmp |
diff --git a/etc/profile-a-l/gnome-clocks.profile b/etc/profile-a-l/gnome-clocks.profile index 96a39f6ce..90665add6 100644 --- a/etc/profile-a-l/gnome-clocks.profile +++ b/etc/profile-a-l/gnome-clocks.profile | |||
@@ -42,6 +42,6 @@ disable-mnt | |||
42 | private-bin gnome-clocks,gsound-play | 42 | private-bin gnome-clocks,gsound-play |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,localtime,machine-id,pkcs11,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pkcs11,pki,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gnome-hexgl.profile b/etc/profile-a-l/gnome-hexgl.profile index 19a4bc5c7..ab6279608 100644 --- a/etc/profile-a-l/gnome-hexgl.profile +++ b/etc/profile-a-l/gnome-hexgl.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin gnome-hexgl | 42 | private-bin gnome-hexgl |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alsa,asound.conf,machine-id,pulse | 45 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile index 26c2c4409..39a6718a6 100644 --- a/etc/profile-a-l/gnome-latex.profile +++ b/etc/profile-a-l/gnome-latex.profile | |||
@@ -48,6 +48,6 @@ tracelog | |||
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed | 50 | # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed |
51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive | 51 | private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,ld.so.cache,ld.so.preload,login.defs,passwd,texlive |
52 | 52 | ||
53 | dbus-system none | 53 | dbus-system none |
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 2c15f7592..7ee4d8b75 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile | |||
@@ -40,7 +40,7 @@ disable-mnt | |||
40 | private-bin gnome-logs | 40 | private-bin gnome-logs |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alternatives,fonts,localtime,machine-id | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id |
44 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 44 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
45 | private-tmp | 45 | private-tmp |
46 | writable-var-log | 46 | writable-var-log |
diff --git a/etc/profile-a-l/gnome-music.profile b/etc/profile-a-l/gnome-music.profile index a00edfa37..7b79fa15d 100644 --- a/etc/profile-a-l/gnome-music.profile +++ b/etc/profile-a-l/gnome-music.profile | |||
@@ -42,6 +42,6 @@ tracelog | |||
42 | # private-bin calls a file manager - whatever is installed! | 42 | # private-bin calls a file manager - whatever is installed! |
43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp | 43 | #private-bin env,gio-launch-desktop,gnome-music,python*,yelp |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,machine-id,pulse,selinux,xdg | 45 | private-etc alternatives,asound.conf,dconf,fonts,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,xdg |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gnome-passwordsafe.profile b/etc/profile-a-l/gnome-passwordsafe.profile index b69899c70..a96ec6f05 100644 --- a/etc/profile-a-l/gnome-passwordsafe.profile +++ b/etc/profile-a-l/gnome-passwordsafe.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin gnome-passwordsafe,python3* | 53 | private-bin gnome-passwordsafe,python3* |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc dconf,fonts,gtk-3.0,passwd | 56 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,passwd |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user filter | 59 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-pie.profile b/etc/profile-a-l/gnome-pie.profile index 3ab2e4aad..6d30213cb 100644 --- a/etc/profile-a-l/gnome-pie.profile +++ b/etc/profile-a-l/gnome-pie.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | disable-mnt | 34 | disable-mnt |
35 | private-cache | 35 | private-cache |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,fonts,machine-id | 37 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* | 38 | private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.* |
39 | private-tmp | 39 | private-tmp |
40 | 40 | ||
diff --git a/etc/profile-a-l/gnome-pomodoro.profile b/etc/profile-a-l/gnome-pomodoro.profile index 256a0c69f..99d569a04 100644 --- a/etc/profile-a-l/gnome-pomodoro.profile +++ b/etc/profile-a-l/gnome-pomodoro.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin gnome-pomodoro | 44 | private-bin gnome-pomodoro |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id | 47 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user filter | 50 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-recipes.profile b/etc/profile-a-l/gnome-recipes.profile index 01162b552..b2ce4a92a 100644 --- a/etc/profile-a-l/gnome-recipes.profile +++ b/etc/profile-a-l/gnome-recipes.profile | |||
@@ -47,7 +47,7 @@ shell none | |||
47 | disable-mnt | 47 | disable-mnt |
48 | private-bin gnome-recipes,tar | 48 | private-bin gnome-recipes,tar |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,ssl | 50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,ssl |
51 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* | 51 | private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,libgnutls.so.*,libjpeg.so.*,libp11-kit.so.*,libproxy.so.*,librsvg-2.so.* |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-a-l/gnome-screenshot.profile b/etc/profile-a-l/gnome-screenshot.profile index f5afa9fb3..36c6693a9 100644 --- a/etc/profile-a-l/gnome-screenshot.profile +++ b/etc/profile-a-l/gnome-screenshot.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin gnome-screenshot | 43 | private-bin gnome-screenshot |
44 | private-dev | 44 | private-dev |
45 | private-etc dconf,fonts,gtk-3.0,localtime,machine-id | 45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,machine-id |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user filter | 48 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome-sound-recorder.profile b/etc/profile-a-l/gnome-sound-recorder.profile index 159145b1b..28a0205b9 100644 --- a/etc/profile-a-l/gnome-sound-recorder.profile +++ b/etc/profile-a-l/gnome-sound-recorder.profile | |||
@@ -40,5 +40,5 @@ tracelog | |||
40 | disable-mnt | 40 | disable-mnt |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc alsa,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,openal,pango,pulse,xdg | 43 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pango,pulse,xdg |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index 3f9497e80..02b023855 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin gnome-system-log | 43 | private-bin gnome-system-log |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,localtime,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,localtime,machine-id |
47 | private-lib | 47 | private-lib |
48 | private-tmp | 48 | private-tmp |
49 | writable-var-log | 49 | writable-var-log |
diff --git a/etc/profile-a-l/gnome-todo.profile b/etc/profile-a-l/gnome-todo.profile index 4640f7f43..c6cd12250 100644 --- a/etc/profile-a-l/gnome-todo.profile +++ b/etc/profile-a-l/gnome-todo.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin gnome-todo | 46 | private-bin gnome-todo |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc dconf,fonts,gtk-3.0,localtime,passwd,xdg | 49 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,localtime,passwd,xdg |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user filter | 52 | dbus-user filter |
diff --git a/etc/profile-a-l/gnome_games-common.profile b/etc/profile-a-l/gnome_games-common.profile index 4ad39a988..9b4f68808 100644 --- a/etc/profile-a-l/gnome_games-common.profile +++ b/etc/profile-a-l/gnome_games-common.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | disable-mnt | 41 | disable-mnt |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc dconf,fonts,gconf,gtk-2.0,gtk-3.0,machine-id,pango,passwd,X11 | 44 | private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pango,passwd,X11 |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user filter | 47 | dbus-user filter |
diff --git a/etc/profile-a-l/gnote.profile b/etc/profile-a-l/gnote.profile index 2d4ce2437..928f2c548 100644 --- a/etc/profile-a-l/gnote.profile +++ b/etc/profile-a-l/gnote.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin gnote | 51 | private-bin gnote |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc dconf,fonts,gtk-3.0,pango,X11 | 54 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pango,X11 |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user filter | 57 | dbus-user filter |
diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index 902e76416..c895b4ce9 100644 --- a/etc/profile-a-l/gnubik.profile +++ b/etc/profile-a-l/gnubik.profile | |||
@@ -43,7 +43,7 @@ private | |||
43 | private-bin gnubik | 43 | private-bin gnubik |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc drirc,fonts,gtk-2.0 | 46 | private-etc alternatives,drirc,fonts,gtk-2.0,ld.so.cache,ld.so.preload |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-a-l/godot.profile b/etc/profile-a-l/godot.profile index b3c19e97f..46b362db9 100644 --- a/etc/profile-a-l/godot.profile +++ b/etc/profile-a-l/godot.profile | |||
@@ -38,7 +38,7 @@ tracelog | |||
38 | # private-bin godot | 38 | # private-bin godot |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl | 41 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,ld.so.cache,ld.so.preload,machine-id,mono,nsswitch.conf,openal,pki,pulse,resolv.conf,ssl |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | dbus-user none | 44 | dbus-user none |
diff --git a/etc/profile-a-l/goldendict.profile b/etc/profile-a-l/goldendict.profile new file mode 100644 index 000000000..5251ed427 --- /dev/null +++ b/etc/profile-a-l/goldendict.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for goldendict | ||
2 | # This file is overwritten after every install/update | ||
3 | # Persistent local customizations | ||
4 | include goldendict.local | ||
5 | # Persistent global definitions | ||
6 | include globals.local | ||
7 | |||
8 | noblacklist ${HOME}/.goldendict | ||
9 | noblacklist ${HOME}/.cache/GoldenDict | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.goldendict | ||
20 | mkdir ${HOME}/.cache/GoldenDict | ||
21 | whitelist ${HOME}/.goldendict | ||
22 | whitelist ${HOME}/.cache/GoldenDict | ||
23 | # The default path of dictionaries | ||
24 | whitelist /usr/share/stardict/dic | ||
25 | include whitelist-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | netfilter | ||
33 | # no3d leads to the libGL MESA-LOADER errors | ||
34 | #no3d | ||
35 | nodvd | ||
36 | nogroups | ||
37 | noinput | ||
38 | nonewprivs | ||
39 | noroot | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix,inet,inet6,netlink | ||
44 | seccomp | ||
45 | seccomp.block-secondary | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | disable-mnt | ||
50 | private-bin goldendict | ||
51 | private-cache | ||
52 | private-dev | ||
53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl | ||
54 | private-tmp | ||
55 | |||
56 | dbus-user none | ||
57 | dbus-system none | ||
diff --git a/etc/profile-a-l/googler-common.profile b/etc/profile-a-l/googler-common.profile index b8e2b04df..a35813a09 100644 --- a/etc/profile-a-l/googler-common.profile +++ b/etc/profile-a-l/googler-common.profile | |||
@@ -54,7 +54,7 @@ disable-mnt | |||
54 | private-bin env,python3*,sh,w3m | 54 | private-bin env,python3*,sh,w3m |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 57 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user none | 60 | dbus-user none |
diff --git a/etc/profile-a-l/gpicview.profile b/etc/profile-a-l/gpicview.profile index 9a782b238..26afe6e49 100644 --- a/etc/profile-a-l/gpicview.profile +++ b/etc/profile-a-l/gpicview.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | private-bin gpicview | 41 | private-bin gpicview |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,group,passwd | 44 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,passwd |
45 | private-lib | 45 | private-lib |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
diff --git a/etc/profile-a-l/gpredict.profile b/etc/profile-a-l/gpredict.profile index 54e52d695..511be6fcc 100644 --- a/etc/profile-a-l/gpredict.profile +++ b/etc/profile-a-l/gpredict.profile | |||
@@ -36,6 +36,6 @@ tracelog | |||
36 | 36 | ||
37 | private-bin gpredict | 37 | private-bin gpredict |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl | 39 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-a-l/gradio.profile b/etc/profile-a-l/gradio.profile index 31f95fb80..9cc25e45c 100644 --- a/etc/profile-a-l/gradio.profile +++ b/etc/profile-a-l/gradio.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin gradio | 45 | private-bin gradio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg | 48 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user filter | 51 | dbus-user filter |
diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index c5bcc85f3..d76ca105f 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | |||
@@ -40,7 +40,7 @@ private | |||
40 | private-bin gravity-beams-and-evaporating-stars | 40 | private-bin gravity-beams-and-evaporating-stars |
41 | private-cache | 41 | private-cache |
42 | private-dev | 42 | private-dev |
43 | private-etc fonts,machine-id | 43 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
44 | private-tmp | 44 | private-tmp |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
diff --git a/etc/profile-a-l/gtk-update-icon-cache.profile b/etc/profile-a-l/gtk-update-icon-cache.profile index 3231374b7..ec8a614fd 100644 --- a/etc/profile-a-l/gtk-update-icon-cache.profile +++ b/etc/profile-a-l/gtk-update-icon-cache.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin gtk-update-icon-cache | 46 | private-bin gtk-update-icon-cache |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc none | 49 | private-etc alternatives,ld.so.cache,ld.so.preload |
50 | private-lib | 50 | private-lib |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
diff --git a/etc/profile-a-l/gwenview.profile b/etc/profile-a-l/gwenview.profile index 8c4453a8b..d98d341ae 100644 --- a/etc/profile-a-l/gwenview.profile +++ b/etc/profile-a-l/gwenview.profile | |||
@@ -25,6 +25,7 @@ include disable-interpreters.inc | |||
25 | include disable-programs.inc | 25 | include disable-programs.inc |
26 | include disable-shell.inc | 26 | include disable-shell.inc |
27 | 27 | ||
28 | include whitelist-run-common.inc | ||
28 | include whitelist-var-common.inc | 29 | include whitelist-var-common.inc |
29 | 30 | ||
30 | apparmor | 31 | apparmor |
@@ -46,7 +47,7 @@ shell none | |||
46 | 47 | ||
47 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 | 48 | private-bin gimp*,gwenview,kbuildsycoca4,kdeinit4 |
48 | private-dev | 49 | private-dev |
49 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg | 50 | private-etc alternatives,fonts,gimp,gtk-2.0,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,pulse,xdg |
50 | 51 | ||
51 | # dbus-user none | 52 | # dbus-user none |
52 | # dbus-system none | 53 | # dbus-system none |
diff --git a/etc/profile-a-l/hyperrogue.profile b/etc/profile-a-l/hyperrogue.profile index f210a264f..74e0faa7f 100644 --- a/etc/profile-a-l/hyperrogue.profile +++ b/etc/profile-a-l/hyperrogue.profile | |||
@@ -44,7 +44,7 @@ private-bin hyperrogue | |||
44 | private-cache | 44 | private-cache |
45 | private-cwd ${HOME} | 45 | private-cwd ${HOME} |
46 | private-dev | 46 | private-dev |
47 | private-etc fonts,machine-id | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile index c875cad72..200b4c8b1 100644 --- a/etc/profile-a-l/i2prouter.profile +++ b/etc/profile-a-l/i2prouter.profile | |||
@@ -68,5 +68,5 @@ shell none | |||
68 | disable-mnt | 68 | disable-mnt |
69 | private-cache | 69 | private-cache |
70 | private-dev | 70 | private-dev |
71 | private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl | 71 | private-etc alternatives,ca-certificates,crypto-policies,dconf,group,hostname,hosts,i2p,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl |
72 | private-tmp | 72 | private-tmp |
diff --git a/etc/profile-a-l/imv.profile b/etc/profile-a-l/imv.profile new file mode 100644 index 000000000..65e7537bf --- /dev/null +++ b/etc/profile-a-l/imv.profile | |||
@@ -0,0 +1,57 @@ | |||
1 | # Firejail profile for imv | ||
2 | # Description: imv is an image viewer. | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include imv.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | include allow-bin-sh.inc | ||
10 | |||
11 | blacklist /usr/libexec | ||
12 | |||
13 | include disable-common.inc | ||
14 | include disable-devel.inc | ||
15 | include disable-exec.inc | ||
16 | include disable-interpreters.inc | ||
17 | include disable-programs.inc | ||
18 | include disable-shell.inc | ||
19 | include disable-write-mnt.inc | ||
20 | # Users may want to view images in ${HOME} | ||
21 | #include disable-xdg.inc | ||
22 | |||
23 | # Users may want to view images in ${HOME} | ||
24 | #include whitelist-common.inc | ||
25 | include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | # Users may want to view images in /usr/share | ||
28 | #include whitelist-usr-share-common.inc | ||
29 | include whitelist-var-common.inc | ||
30 | |||
31 | apparmor | ||
32 | caps.drop all | ||
33 | net none | ||
34 | nodvd | ||
35 | nogroups | ||
36 | noinput | ||
37 | nonewprivs | ||
38 | noroot | ||
39 | nosound | ||
40 | notv | ||
41 | nou2f | ||
42 | novideo | ||
43 | protocol unix | ||
44 | seccomp | ||
45 | seccomp.block-secondary | ||
46 | shell none | ||
47 | tracelog | ||
48 | |||
49 | private-bin imv,imv-wayland,imv-x11,sh | ||
50 | private-cache | ||
51 | private-dev | ||
52 | private-tmp | ||
53 | |||
54 | dbus-user none | ||
55 | dbus-system none | ||
56 | |||
57 | read-only ${HOME} | ||
diff --git a/etc/profile-a-l/inkscape.profile b/etc/profile-a-l/inkscape.profile index 5e54b5441..016a4d6c8 100644 --- a/etc/profile-a-l/inkscape.profile +++ b/etc/profile-a-l/inkscape.profile | |||
@@ -1,6 +1,7 @@ | |||
1 | # Firejail profile for inkscape | 1 | # Firejail profile for inkscape |
2 | # Description: Vector-based drawing program | 2 | # Description: Vector-based drawing program |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | quiet | ||
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include inkscape.local | 6 | include inkscape.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
@@ -28,6 +29,7 @@ include disable-programs.inc | |||
28 | include disable-xdg.inc | 29 | include disable-xdg.inc |
29 | 30 | ||
30 | whitelist /usr/share/inkscape | 31 | whitelist /usr/share/inkscape |
32 | include whitelist-run-common.inc | ||
31 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
32 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
33 | 35 | ||
diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index ea4ee5ae1..6eefd2945 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile | |||
@@ -50,7 +50,7 @@ private-bin bash,ipcalc,ipcalc-ng,perl,sh | |||
50 | # private-cache | 50 | # private-cache |
51 | private-dev | 51 | private-dev |
52 | # empty etc directory | 52 | # empty etc directory |
53 | private-etc none | 53 | private-etc alternatives,ld.so.cache,ld.so.preload |
54 | private-lib | 54 | private-lib |
55 | private-opt none | 55 | private-opt none |
56 | private-tmp | 56 | private-tmp |
diff --git a/etc/profile-a-l/jerry.profile b/etc/profile-a-l/jerry.profile index 1209c5e11..6ca977512 100644 --- a/etc/profile-a-l/jerry.profile +++ b/etc/profile-a-l/jerry.profile | |||
@@ -34,7 +34,7 @@ tracelog | |||
34 | 34 | ||
35 | private-bin bash,jerry,sh,stockfish | 35 | private-bin bash,jerry,sh,stockfish |
36 | private-dev | 36 | private-dev |
37 | private-etc fonts,gtk-2.0,gtk-3.0 | 37 | private-etc alternatives,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
40 | dbus-user none | 40 | dbus-user none |
diff --git a/etc/profile-a-l/jumpnbump-menu.profile b/etc/profile-a-l/jumpnbump-menu.profile index 8d391b90f..59d762f55 100644 --- a/etc/profile-a-l/jumpnbump-menu.profile +++ b/etc/profile-a-l/jumpnbump-menu.profile | |||
@@ -10,7 +10,7 @@ include jumpnbump-menu.local | |||
10 | # Allow python (blacklisted by disable-interpreters.inc) | 10 | # Allow python (blacklisted by disable-interpreters.inc) |
11 | include allow-python3.inc | 11 | include allow-python3.inc |
12 | 12 | ||
13 | private-bin jumpnbump-menu,python3* | 13 | private-bin env,jumpnbump-menu,python3* |
14 | 14 | ||
15 | # Redirect | 15 | # Redirect |
16 | include jumpnbump.profile | 16 | include jumpnbump.profile |
diff --git a/etc/profile-a-l/jumpnbump.profile b/etc/profile-a-l/jumpnbump.profile index 77d3f6bf4..4a9232344 100644 --- a/etc/profile-a-l/jumpnbump.profile +++ b/etc/profile-a-l/jumpnbump.profile | |||
@@ -27,7 +27,6 @@ caps.drop all | |||
27 | net none | 27 | net none |
28 | nodvd | 28 | nodvd |
29 | nogroups | 29 | nogroups |
30 | noinput | ||
31 | nonewprivs | 30 | nonewprivs |
32 | noroot | 31 | noroot |
33 | notv | 32 | notv |
@@ -42,7 +41,7 @@ disable-mnt | |||
42 | private-bin jumpnbump | 41 | private-bin jumpnbump |
43 | private-cache | 42 | private-cache |
44 | private-dev | 43 | private-dev |
45 | private-etc none | 44 | private-etc alternatives,ld.so.cache,ld.so.preload |
46 | private-tmp | 45 | private-tmp |
47 | 46 | ||
48 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-a-l/kaffeine.profile b/etc/profile-a-l/kaffeine.profile index 8799a6f24..e74c57546 100644 --- a/etc/profile-a-l/kaffeine.profile +++ b/etc/profile-a-l/kaffeine.profile | |||
@@ -22,6 +22,7 @@ include disable-interpreters.inc | |||
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | include whitelist-run-common.inc | ||
25 | include whitelist-var-common.inc | 26 | include whitelist-var-common.inc |
26 | 27 | ||
27 | caps.drop all | 28 | caps.drop all |
diff --git a/etc/profile-a-l/kalgebra.profile b/etc/profile-a-l/kalgebra.profile index 210b7cf03..6ad50cf14 100644 --- a/etc/profile-a-l/kalgebra.profile +++ b/etc/profile-a-l/kalgebra.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin kalgebra,kalgebramobile | 42 | private-bin kalgebra,kalgebramobile |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts,machine-id | 45 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-a-l/kate.profile b/etc/profile-a-l/kate.profile index d8b2dddb1..8c340d536 100644 --- a/etc/profile-a-l/kate.profile +++ b/etc/profile-a-l/kate.profile | |||
@@ -29,6 +29,7 @@ include disable-exec.inc | |||
29 | # include disable-interpreters.inc | 29 | # include disable-interpreters.inc |
30 | include disable-programs.inc | 30 | include disable-programs.inc |
31 | 31 | ||
32 | include whitelist-run-common.inc | ||
32 | include whitelist-var-common.inc | 33 | include whitelist-var-common.inc |
33 | 34 | ||
34 | # apparmor | 35 | # apparmor |
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile index 7b990bf41..277db1c24 100644 --- a/etc/profile-a-l/kazam.profile +++ b/etc/profile-a-l/kazam.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | # private-bin kazam,python* | 49 | # private-bin kazam,python* |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg | 52 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,pulse,selinux,X11,xdg |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-system none | 55 | dbus-system none |
diff --git a/etc/profile-a-l/kcalc.profile b/etc/profile-a-l/kcalc.profile index 46e8ccb82..06978cbf1 100644 --- a/etc/profile-a-l/kcalc.profile +++ b/etc/profile-a-l/kcalc.profile | |||
@@ -28,6 +28,7 @@ whitelist /usr/share/config.kcfg/kcalc.kcfg | |||
28 | whitelist /usr/share/kcalc | 28 | whitelist /usr/share/kcalc |
29 | whitelist /usr/share/kconf_update/kcalcrc.upd | 29 | whitelist /usr/share/kconf_update/kcalcrc.upd |
30 | include whitelist-common.inc | 30 | include whitelist-common.inc |
31 | include whitelist-run-common.inc | ||
31 | include whitelist-runuser-common.inc | 32 | include whitelist-runuser-common.inc |
32 | include whitelist-usr-share-common.inc | 33 | include whitelist-usr-share-common.inc |
33 | include whitelist-var-common.inc | 34 | include whitelist-var-common.inc |
@@ -55,7 +56,7 @@ disable-mnt | |||
55 | private-bin kcalc | 56 | private-bin kcalc |
56 | private-cache | 57 | private-cache |
57 | private-dev | 58 | private-dev |
58 | private-etc alternatives,fonts,ld.so.cache,locale,locale.conf | 59 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.conf |
59 | # private-lib - problems on Arch | 60 | # private-lib - problems on Arch |
60 | private-tmp | 61 | private-tmp |
61 | 62 | ||
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile index 7c9be2bcc..df7ee31dc 100644 --- a/etc/profile-a-l/kdiff3.profile +++ b/etc/profile-a-l/kdiff3.profile | |||
@@ -23,6 +23,8 @@ include disable-interpreters.inc | |||
23 | include disable-shell.inc | 23 | include disable-shell.inc |
24 | include disable-xdg.inc | 24 | include disable-xdg.inc |
25 | 25 | ||
26 | # Add the next line to your kdiff3.local if you don't need to compare files in /run. | ||
27 | #include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | 28 | include whitelist-runuser-common.inc |
27 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. | 29 | # Add the next line to your kdiff3.local if you don't need to compare files in /usr/share. |
28 | #include whitelist-usr-share-common.inc | 30 | #include whitelist-usr-share-common.inc |
@@ -48,7 +50,7 @@ shell none | |||
48 | tracelog | 50 | tracelog |
49 | 51 | ||
50 | disable-mnt | 52 | disable-mnt |
51 | private-bin kdiff3 | 53 | private-bin kdiff3 |
52 | private-cache | 54 | private-cache |
53 | private-dev | 55 | private-dev |
54 | 56 | ||
diff --git a/etc/profile-a-l/keepassx.profile b/etc/profile-a-l/keepassx.profile index 768a3cef0..5e2d6d8df 100644 --- a/etc/profile-a-l/keepassx.profile +++ b/etc/profile-a-l/keepassx.profile | |||
@@ -41,7 +41,7 @@ tracelog | |||
41 | 41 | ||
42 | private-bin keepassx,keepassx2 | 42 | private-bin keepassx,keepassx2 |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,fonts,machine-id | 44 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
45 | private-tmp | 45 | private-tmp |
46 | 46 | ||
47 | dbus-user none | 47 | dbus-user none |
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile index b915f6202..45a707071 100644 --- a/etc/profile-a-l/keepassxc.profile +++ b/etc/profile-a-l/keepassxc.profile | |||
@@ -88,7 +88,7 @@ tracelog | |||
88 | 88 | ||
89 | private-bin keepassxc,keepassxc-cli,keepassxc-proxy | 89 | private-bin keepassxc,keepassxc-cli,keepassxc-proxy |
90 | private-dev | 90 | private-dev |
91 | private-etc alternatives,fonts,ld.so.cache,machine-id | 91 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
92 | private-tmp | 92 | private-tmp |
93 | 93 | ||
94 | dbus-user filter | 94 | dbus-user filter |
@@ -98,11 +98,10 @@ dbus-user.talk org.freedesktop.ScreenSaver | |||
98 | dbus-user.talk org.gnome.ScreenSaver | 98 | dbus-user.talk org.gnome.ScreenSaver |
99 | dbus-user.talk org.gnome.SessionManager | 99 | dbus-user.talk org.gnome.SessionManager |
100 | dbus-user.talk org.xfce.ScreenSaver | 100 | dbus-user.talk org.xfce.ScreenSaver |
101 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | ||
102 | ?ALLOW_TRAY: dbus-user.own org.kde.* | ||
101 | # Add the next line to your keepassxc.local to allow notifications. | 103 | # Add the next line to your keepassxc.local to allow notifications. |
102 | #dbus-user.talk org.freedesktop.Notifications | 104 | #dbus-user.talk org.freedesktop.Notifications |
103 | # Add the next line to your keepassxc.local to allow the tray menu. | ||
104 | #dbus-user.talk org.kde.StatusNotifierWatcher | ||
105 | #dbus-user.own org.kde.* | ||
106 | dbus-system filter | 105 | dbus-system filter |
107 | dbus-system.talk org.freedesktop.login1 | 106 | dbus-system.talk org.freedesktop.login1 |
108 | 107 | ||
diff --git a/etc/profile-a-l/kget.profile b/etc/profile-a-l/kget.profile index ec315b431..9b6646725 100644 --- a/etc/profile-a-l/kget.profile +++ b/etc/profile-a-l/kget.profile | |||
@@ -20,6 +20,7 @@ include disable-exec.inc | |||
20 | include disable-interpreters.inc | 20 | include disable-interpreters.inc |
21 | include disable-programs.inc | 21 | include disable-programs.inc |
22 | 22 | ||
23 | include whitelist-run-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/profile-a-l/kid3.profile b/etc/profile-a-l/kid3.profile index e66716eeb..5563aa410 100644 --- a/etc/profile-a-l/kid3.profile +++ b/etc/profile-a-l/kid3.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | 37 | ||
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,machine-id,pki,pulse,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hostname,hosts,kde5rc,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
41 | private-tmp | 41 | private-tmp |
42 | private-opt none | 42 | private-opt none |
43 | private-srv none | 43 | private-srv none |
diff --git a/etc/profile-a-l/kiwix-desktop.profile b/etc/profile-a-l/kiwix-desktop.profile index 968402a8a..837ea9e36 100644 --- a/etc/profile-a-l/kiwix-desktop.profile +++ b/etc/profile-a-l/kiwix-desktop.profile | |||
@@ -44,7 +44,7 @@ shell none | |||
44 | disable-mnt | 44 | disable-mnt |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl | 47 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-a-l/klavaro.profile b/etc/profile-a-l/klavaro.profile index f733fa42c..46164403b 100644 --- a/etc/profile-a-l/klavaro.profile +++ b/etc/profile-a-l/klavaro.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin bash,klavaro,sh,tclsh,tclsh* | 45 | private-bin bash,klavaro,sh,tclsh,tclsh* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-tmp | 49 | private-tmp |
50 | private-opt none | 50 | private-opt none |
51 | private-srv none | 51 | private-srv none |
diff --git a/etc/profile-a-l/kmail.profile b/etc/profile-a-l/kmail.profile index 2c645677c..0796e6876 100644 --- a/etc/profile-a-l/kmail.profile +++ b/etc/profile-a-l/kmail.profile | |||
@@ -37,6 +37,7 @@ include disable-exec.inc | |||
37 | include disable-interpreters.inc | 37 | include disable-interpreters.inc |
38 | include disable-programs.inc | 38 | include disable-programs.inc |
39 | 39 | ||
40 | include whitelist-run-common.inc | ||
40 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
41 | 42 | ||
42 | # apparmor | 43 | # apparmor |
diff --git a/etc/profile-a-l/konversation.profile b/etc/profile-a-l/konversation.profile index 723fef0d2..1121dc8a5 100644 --- a/etc/profile-a-l/konversation.profile +++ b/etc/profile-a-l/konversation.profile | |||
@@ -20,6 +20,7 @@ include disable-programs.inc | |||
20 | include disable-shell.inc | 20 | include disable-shell.inc |
21 | include disable-xdg.inc | 21 | include disable-xdg.inc |
22 | 22 | ||
23 | include whitelist-run-common.inc | ||
23 | include whitelist-var-common.inc | 24 | include whitelist-var-common.inc |
24 | 25 | ||
25 | caps.drop all | 26 | caps.drop all |
diff --git a/etc/profile-a-l/ktorrent.profile b/etc/profile-a-l/ktorrent.profile index 9d8aa1bd7..6e3b0c875 100644 --- a/etc/profile-a-l/ktorrent.profile +++ b/etc/profile-a-l/ktorrent.profile | |||
@@ -37,6 +37,7 @@ whitelist ${HOME}/.kde4/share/config/ktorrentrc | |||
37 | whitelist ${HOME}/.local/share/ktorrent | 37 | whitelist ${HOME}/.local/share/ktorrent |
38 | whitelist ${HOME}/.local/share/kxmlgui5/ktorrent | 38 | whitelist ${HOME}/.local/share/kxmlgui5/ktorrent |
39 | include whitelist-common.inc | 39 | include whitelist-common.inc |
40 | include whitelist-run-common.inc | ||
40 | include whitelist-var-common.inc | 41 | include whitelist-var-common.inc |
41 | 42 | ||
42 | caps.drop all | 43 | caps.drop all |
diff --git a/etc/profile-a-l/ktouch.profile b/etc/profile-a-l/ktouch.profile index 051782172..44da8acca 100644 --- a/etc/profile-a-l/ktouch.profile +++ b/etc/profile-a-l/ktouch.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin ktouch | 46 | private-bin ktouch |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts,kde5rc,machine-id | 49 | private-etc alternatives,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user none | 52 | dbus-user none |
diff --git a/etc/profile-a-l/kube.profile b/etc/profile-a-l/kube.profile index 262ffb532..718cbbf40 100644 --- a/etc/profile-a-l/kube.profile +++ b/etc/profile-a-l/kube.profile | |||
@@ -68,7 +68,7 @@ tracelog | |||
68 | private-bin kube,sink_synchronizer | 68 | private-bin kube,sink_synchronizer |
69 | private-cache | 69 | private-cache |
70 | private-dev | 70 | private-dev |
71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg | 71 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gcrypt,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
72 | private-tmp | 72 | private-tmp |
73 | writable-run-user | 73 | writable-run-user |
74 | 74 | ||
diff --git a/etc/profile-a-l/kwin_x11.profile b/etc/profile-a-l/kwin_x11.profile index 5bbadfc73..0b8763c29 100644 --- a/etc/profile-a-l/kwin_x11.profile +++ b/etc/profile-a-l/kwin_x11.profile | |||
@@ -21,6 +21,7 @@ include disable-programs.inc | |||
21 | include disable-shell.inc | 21 | include disable-shell.inc |
22 | include disable-xdg.inc | 22 | include disable-xdg.inc |
23 | 23 | ||
24 | include whitelist-run-common.inc | ||
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
26 | caps.drop all | 27 | caps.drop all |
@@ -42,5 +43,5 @@ tracelog | |||
42 | disable-mnt | 43 | disable-mnt |
43 | private-bin kwin_x11 | 44 | private-bin kwin_x11 |
44 | private-dev | 45 | private-dev |
45 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,machine-id,xdg | 46 | private-etc alternatives,drirc,fonts,kde5rc,ld.so.cache,ld.so.preload,machine-id,xdg |
46 | private-tmp | 47 | private-tmp |
diff --git a/etc/profile-a-l/kwrite.profile b/etc/profile-a-l/kwrite.profile index 682c7782d..aff6f3181 100644 --- a/etc/profile-a-l/kwrite.profile +++ b/etc/profile-a-l/kwrite.profile | |||
@@ -24,6 +24,7 @@ include disable-programs.inc | |||
24 | include disable-shell.inc | 24 | include disable-shell.inc |
25 | include disable-xdg.inc | 25 | include disable-xdg.inc |
26 | 26 | ||
27 | include whitelist-run-common.inc | ||
27 | include whitelist-var-common.inc | 28 | include whitelist-var-common.inc |
28 | 29 | ||
29 | apparmor | 30 | apparmor |
@@ -46,7 +47,7 @@ tracelog | |||
46 | 47 | ||
47 | private-bin kbuildsycoca4,kdeinit4,kwrite | 48 | private-bin kbuildsycoca4,kdeinit4,kwrite |
48 | private-dev | 49 | private-dev |
49 | private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg | 50 | private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,pulse,xdg |
50 | private-tmp | 51 | private-tmp |
51 | 52 | ||
52 | # dbus-user none | 53 | # dbus-user none |
diff --git a/etc/profile-a-l/libreoffice.profile b/etc/profile-a-l/libreoffice.profile index 328307705..12ff79748 100644 --- a/etc/profile-a-l/libreoffice.profile +++ b/etc/profile-a-l/libreoffice.profile | |||
@@ -21,6 +21,7 @@ include disable-devel.inc | |||
21 | include disable-exec.inc | 21 | include disable-exec.inc |
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | 23 | ||
24 | include whitelist-run-common.inc | ||
24 | include whitelist-var-common.inc | 25 | include whitelist-var-common.inc |
25 | 26 | ||
26 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. | 27 | # Debian 10/Ubuntu 18.04 come with their own apparmor profile, but it is not in enforce mode. |
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile index bd28f25d6..84f5dc50d 100644 --- a/etc/profile-a-l/links-common.profile +++ b/etc/profile-a-l/links-common.profile | |||
@@ -47,11 +47,11 @@ shell none | |||
47 | tracelog | 47 | tracelog |
48 | 48 | ||
49 | disable-mnt | 49 | disable-mnt |
50 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. | 50 | # Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs. |
51 | private-bin sh | 51 | private-bin sh |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 54 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
55 | # Add the next line to your links-common.local to allow external media players. | 55 | # Add the next line to your links-common.local to allow external media players. |
56 | # private-etc alsa,asound.conf,machine-id,openal,pulse | 56 | # private-etc alsa,asound.conf,machine-id,openal,pulse |
57 | private-tmp | 57 | private-tmp |
diff --git a/etc/profile-a-l/lollypop.profile b/etc/profile-a-l/lollypop.profile index a187ca0fc..fde338ff0 100644 --- a/etc/profile-a-l/lollypop.profile +++ b/etc/profile-a-l/lollypop.profile | |||
@@ -37,6 +37,6 @@ seccomp | |||
37 | shell none | 37 | shell none |
38 | 38 | ||
39 | private-dev | 39 | private-dev |
40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg | 40 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
diff --git a/etc/profile-a-l/lyx.profile b/etc/profile-a-l/lyx.profile index fa69463d1..ae2f2d434 100644 --- a/etc/profile-a-l/lyx.profile +++ b/etc/profile-a-l/lyx.profile | |||
@@ -32,7 +32,7 @@ apparmor | |||
32 | machine-id | 32 | machine-id |
33 | 33 | ||
34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex | 34 | # private-bin atril,dvilualatex,env,latex,lua*,luatex,lyx,lyxclient,okular,pdf2latex,pdflatex,pdftex,perl*,python*,qpdf,qpdfview,sh,tex2lyx,texmf,xelatex |
35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg | 35 | private-etc alternatives,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,lyx,machine-id,mime.types,passwd,texmf,X11,xdg |
36 | 36 | ||
37 | # Redirect | 37 | # Redirect |
38 | include latex-common.profile | 38 | include latex-common.profile |
diff --git a/etc/profile-m-z/QOwnNotes.profile b/etc/profile-m-z/QOwnNotes.profile index 15cb931dd..235640eeb 100644 --- a/etc/profile-m-z/QOwnNotes.profile +++ b/etc/profile-m-z/QOwnNotes.profile | |||
@@ -50,6 +50,6 @@ tracelog | |||
50 | disable-mnt | 50 | disable-mnt |
51 | private-bin gio,QOwnNotes | 51 | private-bin gio,QOwnNotes |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 53 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/Viber.profile b/etc/profile-m-z/Viber.profile index 866d57e67..89ca53af6 100644 --- a/etc/profile-m-z/Viber.profile +++ b/etc/profile-m-z/Viber.profile | |||
@@ -33,5 +33,5 @@ shell none | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin awk,bash,dig,sh,Viber | 35 | private-bin awk,bash,dig,sh,Viber |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,mailcap,nsswitch.conf,pki,proxychains.conf,pulse,resolv.conf,ssl,X11 |
37 | private-tmp | 37 | private-tmp |
diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index 1acd43023..722e12d9c 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile | |||
@@ -43,5 +43,5 @@ private | |||
43 | # private-bin sh,xkbcomp,Xvfb | 43 | # private-bin sh,xkbcomp,Xvfb |
44 | # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb | 44 | # private-bin bash,cat,ls,sh,strace,xkbcomp,Xvfb |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,nsswitch.conf,resolv.conf | 46 | private-etc alternatives,gai.conf,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,nsswitch.conf,resolv.conf |
47 | private-tmp | 47 | private-tmp |
diff --git a/etc/profile-m-z/magicor.profile b/etc/profile-m-z/magicor.profile index fc5ae3ee9..47165dd3d 100644 --- a/etc/profile-m-z/magicor.profile +++ b/etc/profile-m-z/magicor.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin magicor,python2* | 45 | private-bin magicor,python2* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc machine-id | 48 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile new file mode 100644 index 000000000..7e9638fe4 --- /dev/null +++ b/etc/profile-m-z/make.profile | |||
@@ -0,0 +1,13 @@ | |||
1 | # Firejail profile for make | ||
2 | # Description: GNU make utility to maintain groups of programs | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include make.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | memory-deny-write-execute | ||
11 | |||
12 | # Redirect | ||
13 | include build-systems-common.profile | ||
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile index b2f761230..9c5959091 100644 --- a/etc/profile-m-z/man.profile +++ b/etc/profile-m-z/man.profile | |||
@@ -58,7 +58,7 @@ disable-mnt | |||
58 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim | 58 | #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg | 61 | private-etc alternatives,fonts,groff,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg |
62 | #private-tmp | 62 | #private-tmp |
63 | 63 | ||
64 | dbus-user none | 64 | dbus-user none |
diff --git a/etc/profile-m-z/masterpdfeditor.profile b/etc/profile-m-z/masterpdfeditor.profile index e61578ffe..764d040ab 100644 --- a/etc/profile-m-z/masterpdfeditor.profile +++ b/etc/profile-m-z/masterpdfeditor.profile | |||
@@ -36,6 +36,6 @@ tracelog | |||
36 | 36 | ||
37 | private-cache | 37 | private-cache |
38 | private-dev | 38 | private-dev |
39 | private-etc alternatives,fonts | 39 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-m-z/mate-calc.profile b/etc/profile-m-z/mate-calc.profile index 64b184482..2be6b9af1 100644 --- a/etc/profile-m-z/mate-calc.profile +++ b/etc/profile-m-z/mate-calc.profile | |||
@@ -42,7 +42,7 @@ shell none | |||
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | private-bin mate-calc,mate-calculator | 44 | private-bin mate-calc,mate-calculator |
45 | private-etc alternatives,dconf,fonts,gtk-3.0 | 45 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
46 | private-dev | 46 | private-dev |
47 | private-opt none | 47 | private-opt none |
48 | private-tmp | 48 | private-tmp |
diff --git a/etc/profile-m-z/mate-color-select.profile b/etc/profile-m-z/mate-color-select.profile index a6b49315c..e16b0fc6c 100644 --- a/etc/profile-m-z/mate-color-select.profile +++ b/etc/profile-m-z/mate-color-select.profile | |||
@@ -33,7 +33,7 @@ shell none | |||
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin mate-color-select | 35 | private-bin mate-color-select |
36 | private-etc alternatives,fonts | 36 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
37 | private-dev | 37 | private-dev |
38 | private-lib | 38 | private-lib |
39 | private-tmp | 39 | private-tmp |
diff --git a/etc/profile-m-z/mate-dictionary.profile b/etc/profile-m-z/mate-dictionary.profile index 3f3d027b9..469416304 100644 --- a/etc/profile-m-z/mate-dictionary.profile +++ b/etc/profile-m-z/mate-dictionary.profile | |||
@@ -37,7 +37,7 @@ shell none | |||
37 | 37 | ||
38 | disable-mnt | 38 | disable-mnt |
39 | private-bin mate-dictionary | 39 | private-bin mate-dictionary |
40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssl | 40 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
41 | private-opt mate-dictionary | 41 | private-opt mate-dictionary |
42 | private-dev | 42 | private-dev |
43 | private-tmp | 43 | private-tmp |
diff --git a/etc/profile-m-z/mcabber.profile b/etc/profile-m-z/mcabber.profile index 7592d879c..4c4a6aa76 100644 --- a/etc/profile-m-z/mcabber.profile +++ b/etc/profile-m-z/mcabber.profile | |||
@@ -31,4 +31,4 @@ shell none | |||
31 | 31 | ||
32 | private-bin mcabber | 32 | private-bin mcabber |
33 | private-dev | 33 | private-dev |
34 | private-etc alternatives,ca-certificates,crypto-policies,pki,ssl | 34 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,ssl |
diff --git a/etc/profile-m-z/mdr.profile b/etc/profile-m-z/mdr.profile index 08d56ede5..bcfd59cbb 100644 --- a/etc/profile-m-z/mdr.profile +++ b/etc/profile-m-z/mdr.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin mdr | 45 | private-bin mdr |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc none | 48 | private-etc alternatives,ld.so.cache,ld.so.preload |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/mediainfo.profile b/etc/profile-m-z/mediainfo.profile index 7597d4067..9bfbaf745 100644 --- a/etc/profile-m-z/mediainfo.profile +++ b/etc/profile-m-z/mediainfo.profile | |||
@@ -42,7 +42,7 @@ x11 none | |||
42 | private-bin mediainfo | 42 | private-bin mediainfo |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives | 45 | private-etc alternatives,ld.so.cache,ld.so.preload |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile index 4845e9cce..ed0758a49 100644 --- a/etc/profile-m-z/menulibre.profile +++ b/etc/profile-m-z/menulibre.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg | 55 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile new file mode 100644 index 000000000..b4909a9d8 --- /dev/null +++ b/etc/profile-m-z/meson.profile | |||
@@ -0,0 +1,14 @@ | |||
1 | # Firejail profile for meson | ||
2 | # Description: A high productivity build system | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include meson.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | # Allow python3 (blacklisted by disable-interpreters.inc) | ||
11 | include allow-python3.inc | ||
12 | |||
13 | # Redirect | ||
14 | include build-systems-common.profile | ||
diff --git a/etc/profile-m-z/microsoft-edge-beta.profile b/etc/profile-m-z/microsoft-edge-beta.profile index 34d9f470a..095038f08 100644 --- a/etc/profile-m-z/microsoft-edge-beta.profile +++ b/etc/profile-m-z/microsoft-edge-beta.profile | |||
@@ -17,4 +17,4 @@ whitelist ${HOME}/.config/microsoft-edge-beta | |||
17 | private-opt microsoft | 17 | private-opt microsoft |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include chromium-common.profile \ No newline at end of file | 20 | include chromium-common.profile |
diff --git a/etc/profile-m-z/mindless.profile b/etc/profile-m-z/mindless.profile index ad7e40b12..16ace7ce4 100644 --- a/etc/profile-m-z/mindless.profile +++ b/etc/profile-m-z/mindless.profile | |||
@@ -42,7 +42,7 @@ private | |||
42 | private-bin mindless | 42 | private-bin mindless |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc fonts | 45 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index c47a16ffd..be846ce63 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin mirrormagic | 44 | private-bin mirrormagic |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc machine-id | 47 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/mocp.profile b/etc/profile-m-z/mocp.profile index dbc3c1d40..313d78030 100644 --- a/etc/profile-m-z/mocp.profile +++ b/etc/profile-m-z/mocp.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | private-bin mocp | 42 | private-bin mocp |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,machine-id,pki,pulse,resolv.conf,ssl | 45 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/mp3splt-gtk.profile b/etc/profile-m-z/mp3splt-gtk.profile index f0063d250..fe3c78b55 100644 --- a/etc/profile-m-z/mp3splt-gtk.profile +++ b/etc/profile-m-z/mp3splt-gtk.profile | |||
@@ -37,7 +37,7 @@ tracelog | |||
37 | private-bin mp3splt-gtk | 37 | private-bin mp3splt-gtk |
38 | private-cache | 38 | private-cache |
39 | private-dev | 39 | private-dev |
40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,machine-id,openal,pulse | 40 | private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,openal,pulse |
41 | private-tmp | 41 | private-tmp |
42 | 42 | ||
43 | dbus-user none | 43 | dbus-user none |
diff --git a/etc/profile-m-z/mp3splt.profile b/etc/profile-m-z/mp3splt.profile index 400d8a6b6..c89c72ce4 100644 --- a/etc/profile-m-z/mp3splt.profile +++ b/etc/profile-m-z/mp3splt.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt | 44 | private-bin flacsplt,mp3splt,mp3wrap,oggsplt |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives | 47 | private-etc alternatives,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | memory-deny-write-execute | 50 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/mpDris2.profile b/etc/profile-m-z/mpDris2.profile index 10964ef24..18a839363 100644 --- a/etc/profile-m-z/mpDris2.profile +++ b/etc/profile-m-z/mpDris2.profile | |||
@@ -49,7 +49,7 @@ shell none | |||
49 | private-bin mpDris2,notify-send,python* | 49 | private-bin mpDris2,notify-send,python* |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,hosts,nsswitch.conf | 52 | private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf |
53 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* | 53 | private-lib libdbus-1.so.*,libdbus-glib-1.so.*,libgirepository-1.0.so.*,libnotify.so.*,libpython*,python2*,python3* |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index fa433b672..efb11465b 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile | |||
@@ -11,7 +11,7 @@ include globals.local | |||
11 | # edit ~/.config/mpv/foobar.conf: | 11 | # edit ~/.config/mpv/foobar.conf: |
12 | # screenshot-directory=~/Pictures | 12 | # screenshot-directory=~/Pictures |
13 | 13 | ||
14 | # Mpv has a powerfull lua-API, some off these lua-scripts interact | 14 | # Mpv has a powerful lua-API, some off these lua-scripts interact |
15 | # with external resources which are blocked by firejail. In such cases | 15 | # with external resources which are blocked by firejail. In such cases |
16 | # you need to allow these resources by | 16 | # you need to allow these resources by |
17 | # - adding additional binaries to private-bin | 17 | # - adding additional binaries to private-bin |
@@ -74,7 +74,7 @@ seccomp.block-secondary | |||
74 | shell none | 74 | shell none |
75 | tracelog | 75 | tracelog |
76 | 76 | ||
77 | private-bin env,mpv,python*,waf,youtube-dl | 77 | private-bin env,mpv,python*,waf,youtube-dl,yt-dlp |
78 | # private-cache causes slow OSD, see #2838 | 78 | # private-cache causes slow OSD, see #2838 |
79 | #private-cache | 79 | #private-cache |
80 | private-dev | 80 | private-dev |
diff --git a/etc/profile-m-z/mrrescue.profile b/etc/profile-m-z/mrrescue.profile index 530e779fc..3fe88ec7f 100644 --- a/etc/profile-m-z/mrrescue.profile +++ b/etc/profile-m-z/mrrescue.profile | |||
@@ -37,7 +37,6 @@ caps.drop all | |||
37 | net none | 37 | net none |
38 | nodvd | 38 | nodvd |
39 | nogroups | 39 | nogroups |
40 | noinput | ||
41 | nonewprivs | 40 | nonewprivs |
42 | noroot | 41 | noroot |
43 | notv | 42 | notv |
@@ -53,7 +52,7 @@ disable-mnt | |||
53 | private-bin love,mrrescue,sh | 52 | private-bin love,mrrescue,sh |
54 | private-cache | 53 | private-cache |
55 | private-dev | 54 | private-dev |
56 | private-etc machine-id | 55 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
57 | private-tmp | 56 | private-tmp |
58 | 57 | ||
59 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/ms-office.profile b/etc/profile-m-z/ms-office.profile index ad12f53a4..e15b14db7 100644 --- a/etc/profile-m-z/ms-office.profile +++ b/etc/profile-m-z/ms-office.profile | |||
@@ -35,7 +35,7 @@ tracelog | |||
35 | 35 | ||
36 | disable-mnt | 36 | disable-mnt |
37 | private-bin bash,env,fonts,jak,ms-office,python*,sh | 37 | private-bin bash,env,fonts,jak,ms-office,python*,sh |
38 | private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl | 38 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
41 | 41 | ||
diff --git a/etc/profile-m-z/mupdf-x11-curl.profile b/etc/profile-m-z/mupdf-x11-curl.profile index a04d386a2..006f64ba8 100644 --- a/etc/profile-m-z/mupdf-x11-curl.profile +++ b/etc/profile-m-z/mupdf-x11-curl.profile | |||
@@ -12,7 +12,7 @@ ignore net none | |||
12 | netfilter | 12 | netfilter |
13 | protocol unix,inet,inet6 | 13 | protocol unix,inet,inet6 |
14 | 14 | ||
15 | private-etc ca-certificates,crypto-policies,hosts,nsswitch.conf,pki,resolv.conf,ssl | 15 | private-etc alternatives,ca-certificates,crypto-policies,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
16 | 16 | ||
17 | # Redirect | 17 | # Redirect |
18 | include mupdf.profile | 18 | include mupdf.profile |
diff --git a/etc/profile-m-z/musixmatch.profile b/etc/profile-m-z/musixmatch.profile index 07661cac8..796d7fbb0 100644 --- a/etc/profile-m-z/musixmatch.profile +++ b/etc/profile-m-z/musixmatch.profile | |||
@@ -29,9 +29,9 @@ notv | |||
29 | nou2f | 29 | nou2f |
30 | novideo | 30 | novideo |
31 | protocol unix,inet,inet6,netlink | 31 | protocol unix,inet,inet6,netlink |
32 | seccomp | 32 | seccomp !chroot |
33 | 33 | ||
34 | disable-mnt | 34 | disable-mnt |
35 | private-dev | 35 | private-dev |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,machine-id,pki,pulse,ssl | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,machine-id,pki,pulse,ssl |
37 | 37 | ||
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile index c4d96711c..d10c55549 100644 --- a/etc/profile-m-z/mutt.profile +++ b/etc/profile-m-z/mutt.profile | |||
@@ -134,7 +134,7 @@ tracelog | |||
134 | # disable-mnt | 134 | # disable-mnt |
135 | private-cache | 135 | private-cache |
136 | private-dev | 136 | private-dev |
137 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg | 137 | private-etc alternatives,ca-certificates,crypto-policies,fonts,gai.conf,gcrypt,gnupg,gnutls,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,terminfo,xdg |
138 | private-tmp | 138 | private-tmp |
139 | writable-run-user | 139 | writable-run-user |
140 | writable-var | 140 | writable-var |
diff --git a/etc/profile-m-z/mypaint.profile b/etc/profile-m-z/mypaint.profile index 1b4fc4346..74301df06 100644 --- a/etc/profile-m-z/mypaint.profile +++ b/etc/profile-m-z/mypaint.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | 43 | ||
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,dconf,fonts,gtk-3.0 | 46 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 996a1722a..f7c1f0ff7 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile | |||
@@ -49,7 +49,7 @@ private-dev | |||
49 | # Add the next lines to your nano.local if you want to edit files in /etc directly. | 49 | # Add the next lines to your nano.local if you want to edit files in /etc directly. |
50 | #ignore private-etc | 50 | #ignore private-etc |
51 | #writable-etc | 51 | #writable-etc |
52 | private-etc alternatives,nanorc | 52 | private-etc alternatives,ld.so.cache,ld.so.preload,nanorc |
53 | # Add the next line to your nano.local if you want to edit files in /var directly. | 53 | # Add the next line to your nano.local if you want to edit files in /var directly. |
54 | #writable-var | 54 | #writable-var |
55 | 55 | ||
diff --git a/etc/profile-m-z/neochat.profile b/etc/profile-m-z/neochat.profile index 58cc716d9..0f55b674f 100644 --- a/etc/profile-m-z/neochat.profile +++ b/etc/profile-m-z/neochat.profile | |||
@@ -60,6 +60,6 @@ private-tmp | |||
60 | dbus-user filter | 60 | dbus-user filter |
61 | dbus-user.own org.kde.neochat | 61 | dbus-user.own org.kde.neochat |
62 | dbus-user.talk org.freedesktop.Notifications | 62 | dbus-user.talk org.freedesktop.Notifications |
63 | dbus-user.talk org.kde.StatusNotifierWatcher | 63 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
64 | dbus-user.talk org.kde.kwalletd5 | 64 | dbus-user.talk org.kde.kwalletd5 |
65 | dbus-system none | 65 | dbus-system none |
diff --git a/etc/profile-m-z/neomutt.profile b/etc/profile-m-z/neomutt.profile index 7e627a52e..f31cf9dcb 100644 --- a/etc/profile-m-z/neomutt.profile +++ b/etc/profile-m-z/neomutt.profile | |||
@@ -137,7 +137,7 @@ tracelog | |||
137 | # disable-mnt | 137 | # disable-mnt |
138 | private-cache | 138 | private-cache |
139 | private-dev | 139 | private-dev |
140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg | 140 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gnupg,hostname,hosts,hosts.conf,ld.so.cache,ld.so.preload,mail,mailname,Mutt,Muttrc,Muttrc.d,neomuttrc,neomuttrc.d,nntpserver,nsswitch.conf,passwd,pki,resolv.conf,ssl,xdg |
141 | private-tmp | 141 | private-tmp |
142 | writable-run-user | 142 | writable-run-user |
143 | writable-var | 143 | writable-var |
diff --git a/etc/profile-m-z/netactview.profile b/etc/profile-m-z/netactview.profile index 1bcc6a962..d6ac8d5bc 100644 --- a/etc/profile-m-z/netactview.profile +++ b/etc/profile-m-z/netactview.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin netactview,netactview_polkit | 45 | private-bin netactview,netactview_polkit |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/newsboat.profile b/etc/profile-m-z/newsboat.profile index fa4ccea7c..cf72bf802 100644 --- a/etc/profile-m-z/newsboat.profile +++ b/etc/profile-m-z/newsboat.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin gzip,lynx,newsboat,sh,w3m | 53 | private-bin gzip,lynx,newsboat,sh,w3m |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alternatives,ca-certificates,crypto-policies,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo | 56 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,lynx.cfg,lynx.lss,pki,resolv.conf,ssl,terminfo |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-m-z/newsflash.profile b/etc/profile-m-z/newsflash.profile index 56cedec03..9966a0e1b 100644 --- a/etc/profile-m-z/newsflash.profile +++ b/etc/profile-m-z/newsflash.profile | |||
@@ -51,7 +51,7 @@ disable-mnt | |||
51 | private-bin com.gitlab.newsflash,newsflash | 51 | private-bin com.gitlab.newsflash,newsflash |
52 | private-cache | 52 | private-cache |
53 | private-dev | 53 | private-dev |
54 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 | 54 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,nsswitch.conf,pango,pki,resolv.conf,ssl,X11 |
55 | private-tmp | 55 | private-tmp |
56 | 56 | ||
57 | dbus-user none | 57 | dbus-user none |
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile index cb499ba34..354d3351e 100644 --- a/etc/profile-m-z/nextcloud.profile +++ b/etc/profile-m-z/nextcloud.profile | |||
@@ -61,12 +61,11 @@ tracelog | |||
61 | disable-mnt | 61 | disable-mnt |
62 | private-bin nextcloud,nextcloud-desktop | 62 | private-bin nextcloud,nextcloud-desktop |
63 | private-cache | 63 | private-cache |
64 | private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 64 | private-etc alternatives,ca-certificates,crypto-policies,drirc,fonts,gcrypt,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,Nextcloud,nsswitch.conf,os-release,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
65 | private-dev | 65 | private-dev |
66 | private-tmp | 66 | private-tmp |
67 | 67 | ||
68 | dbus-user filter | 68 | dbus-user filter |
69 | dbus-user.talk org.freedesktop.secrets | 69 | dbus-user.talk org.freedesktop.secrets |
70 | # Add the next line to your nextcloud.local for tray icon support | 70 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
71 | #dbus-user.talk org.kde.StatusNotifierWatcher | ||
72 | dbus-system none | 71 | dbus-system none |
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile index 035ad086a..89a146a09 100644 --- a/etc/profile-m-z/nheko.profile +++ b/etc/profile-m-z/nheko.profile | |||
@@ -51,11 +51,9 @@ private-dev | |||
51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | 54 | dbus-user filter | |
55 | # Add the next lines to your nheko.local to enable notification support. | 55 | dbus-user.talk org.freedesktop.secrets |
56 | #ignore dbus-user none | 56 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
57 | #dbus-user filter | 57 | # Add the next line to your nheko.local to enable notification support. |
58 | #dbus-user.talk org.freedesktop.Notifications | 58 | #dbus-user.talk org.freedesktop.Notifications |
59 | #dbus-user.talk org.kde.StatusNotifierWatcher | ||
60 | dbus-user none | ||
61 | dbus-system none | 59 | dbus-system none |
diff --git a/etc/profile-m-z/nitroshare.profile b/etc/profile-m-z/nitroshare.profile index d5dd4ca95..d6234cd04 100644 --- a/etc/profile-m-z/nitroshare.profile +++ b/etc/profile-m-z/nitroshare.profile | |||
@@ -42,7 +42,7 @@ disable-mnt | |||
42 | private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui | 42 | private-bin awk,grep,nitroshare,nitroshare-cli,nitroshare-nmh,nitroshare-send,nitroshare-ui |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,machine-id,nsswitch.conf,ssl | 45 | private-etc alternatives,ca-certificates,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,ssl |
46 | # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare | 46 | # private-lib libnitroshare.so.*,libqhttpengine.so.*,libqmdnsengine.so.*,nitroshare |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
diff --git a/etc/profile-m-z/nomacs.profile b/etc/profile-m-z/nomacs.profile index b044fb879..7ffb09e56 100644 --- a/etc/profile-m-z/nomacs.profile +++ b/etc/profile-m-z/nomacs.profile | |||
@@ -41,5 +41,5 @@ tracelog | |||
41 | #private-bin nomacs | 41 | #private-bin nomacs |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,login.defs,machine-id,pki,resolv.conf,ssl | 44 | private-etc alternatives,ca-certificates,crypto-policies,dconf,drirc,fonts,gtk-3.0,hosts,ld.so.cache,ld.so.preload,login.defs,machine-id,pki,resolv.conf,ssl |
45 | private-tmp | 45 | private-tmp |
diff --git a/etc/profile-m-z/noprofile.profile b/etc/profile-m-z/noprofile.profile new file mode 100644 index 000000000..560ee9db3 --- /dev/null +++ b/etc/profile-m-z/noprofile.profile | |||
@@ -0,0 +1,28 @@ | |||
1 | # This is the weakest possible firejail profile. | ||
2 | # If a program still fail with this profile, it is incompatible with firejail. | ||
3 | # (from https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72) | ||
4 | # | ||
5 | # Usage: | ||
6 | # 1. download | ||
7 | # 2. firejail --profile=noprofile.profile /path/to/program | ||
8 | |||
9 | # Keep in mind that even with this profile some things are done | ||
10 | # which can break the program. | ||
11 | # - some env-vars are cleared | ||
12 | # - /etc/firejail/firejail.config can contain options such as 'force-nonewprivs yes' | ||
13 | # - a new private pid-namespace is created | ||
14 | # - a minimal hardcoded blacklist is applied | ||
15 | # - ... | ||
16 | |||
17 | noblacklist /sys/fs | ||
18 | noblacklist /sys/module | ||
19 | |||
20 | allow-debuggers | ||
21 | allusers | ||
22 | keep-config-pulse | ||
23 | keep-dev-shm | ||
24 | keep-var-tmp | ||
25 | writable-etc | ||
26 | writable-run-user | ||
27 | writable-var | ||
28 | writable-var-log | ||
diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index 5caf3374d..9f23c099d 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile | |||
@@ -49,7 +49,7 @@ private | |||
49 | private-bin notify-send | 49 | private-bin notify-send |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc none | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user filter | 55 | dbus-user filter |
diff --git a/etc/profile-m-z/nuclear.profile b/etc/profile-m-z/nuclear.profile index 886403b9e..9f4a6ec46 100644 --- a/etc/profile-m-z/nuclear.profile +++ b/etc/profile-m-z/nuclear.profile | |||
@@ -18,7 +18,7 @@ whitelist ${HOME}/.config/nuclear | |||
18 | no3d | 18 | no3d |
19 | 19 | ||
20 | # private-bin nuclear | 20 | # private-bin nuclear |
21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
22 | private-opt nuclear | 22 | private-opt nuclear |
23 | 23 | ||
24 | # Redirect | 24 | # Redirect |
diff --git a/etc/profile-m-z/nyx.profile b/etc/profile-m-z/nyx.profile index 460a580b3..653591482 100644 --- a/etc/profile-m-z/nyx.profile +++ b/etc/profile-m-z/nyx.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin nyx,python* | 45 | private-bin nyx,python* |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts,passwd,tor | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,passwd,tor |
49 | private-opt none | 49 | private-opt none |
50 | private-srv none | 50 | private-srv none |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile index 8e87f1d5d..0bfb35333 100644 --- a/etc/profile-m-z/ocenaudio.profile +++ b/etc/profile-m-z/ocenaudio.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | private-bin ocenaudio | 45 | private-bin ocenaudio |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,fonts,ld.so.cache,pulse | 48 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,pulse |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | # breaks preferences | 51 | # breaks preferences |
diff --git a/etc/profile-m-z/odt2txt.profile b/etc/profile-m-z/odt2txt.profile index 22cec475b..de62f4114 100644 --- a/etc/profile-m-z/odt2txt.profile +++ b/etc/profile-m-z/odt2txt.profile | |||
@@ -38,7 +38,7 @@ x11 none | |||
38 | private-bin odt2txt | 38 | private-bin odt2txt |
39 | private-cache | 39 | private-cache |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives | 41 | private-etc alternatives,ld.so.cache,ld.so.preload |
42 | private-tmp | 42 | private-tmp |
43 | 43 | ||
44 | dbus-user none | 44 | dbus-user none |
diff --git a/etc/profile-m-z/okular.profile b/etc/profile-m-z/okular.profile index 84edc65ef..fb28ad89f 100644 --- a/etc/profile-m-z/okular.profile +++ b/etc/profile-m-z/okular.profile | |||
@@ -36,6 +36,7 @@ whitelist /usr/share/kconf_update/okular.upd | |||
36 | whitelist /usr/share/kxmlgui5/okular | 36 | whitelist /usr/share/kxmlgui5/okular |
37 | whitelist /usr/share/okular | 37 | whitelist /usr/share/okular |
38 | whitelist /usr/share/poppler | 38 | whitelist /usr/share/poppler |
39 | include whitelist-run-common.inc | ||
39 | include whitelist-runuser-common.inc | 40 | include whitelist-runuser-common.inc |
40 | include whitelist-usr-share-common.inc | 41 | include whitelist-usr-share-common.inc |
41 | include whitelist-var-common.inc | 42 | include whitelist-var-common.inc |
@@ -61,7 +62,7 @@ tracelog | |||
61 | 62 | ||
62 | private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar | 63 | private-bin kbuildsycoca4,kdeinit4,lpr,okular,unar,unrar |
63 | private-dev | 64 | private-dev |
64 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,xdg | 65 | private-etc alternatives,cups,fonts,kde4rc,kde5rc,ld.so.cache,ld.so.preload,machine-id,passwd,xdg |
65 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients | 66 | # private-tmp - on KDE we need access to the real /tmp for data exchange with email clients |
66 | 67 | ||
67 | # dbus-user none | 68 | # dbus-user none |
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile index b0ffba19c..e05e58cad 100644 --- a/etc/profile-m-z/onboard.profile +++ b/etc/profile-m-z/onboard.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-cache | 50 | private-cache |
51 | private-bin onboard,python*,tput | 51 | private-bin onboard,python*,tput |
52 | private-dev | 52 | private-dev |
53 | private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg | 53 | private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-system none | 56 | dbus-system none |
diff --git a/etc/profile-m-z/open-invaders.profile b/etc/profile-m-z/open-invaders.profile index 12c7ea3d0..c2c22f42d 100644 --- a/etc/profile-m-z/open-invaders.profile +++ b/etc/profile-m-z/open-invaders.profile | |||
@@ -25,7 +25,6 @@ caps.drop all | |||
25 | net none | 25 | net none |
26 | nodvd | 26 | nodvd |
27 | nogroups | 27 | nogroups |
28 | noinput | ||
29 | nonewprivs | 28 | nonewprivs |
30 | noroot | 29 | noroot |
31 | notv | 30 | notv |
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile index 076a655a1..c3ac097a0 100644 --- a/etc/profile-m-z/openarena.profile +++ b/etc/profile-m-z/openarena.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity | 43 | private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg | 46 | private-etc alternatives,drirc,ld.so.cache,ld.so.preload,machine-id,openal,passwd,selinux,udev,xdg |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/openclonk.profile b/etc/profile-m-z/openclonk.profile index 253465991..68362cbc8 100644 --- a/etc/profile-m-z/openclonk.profile +++ b/etc/profile-m-z/openclonk.profile | |||
@@ -28,7 +28,6 @@ ipc-namespace | |||
28 | netfilter | 28 | netfilter |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
32 | nonewprivs | 31 | nonewprivs |
33 | noroot | 32 | noroot |
34 | notv | 33 | notv |
diff --git a/etc/profile-m-z/pandoc.profile b/etc/profile-m-z/pandoc.profile index 2595d8a8f..c016b5103 100644 --- a/etc/profile-m-z/pandoc.profile +++ b/etc/profile-m-z/pandoc.profile | |||
@@ -11,6 +11,8 @@ blacklist ${RUNUSER} | |||
11 | 11 | ||
12 | noblacklist ${DOCUMENTS} | 12 | noblacklist ${DOCUMENTS} |
13 | 13 | ||
14 | include allow-bin-sh.inc | ||
15 | |||
14 | include disable-common.inc | 16 | include disable-common.inc |
15 | include disable-devel.inc | 17 | include disable-devel.inc |
16 | include disable-exec.inc | 18 | include disable-exec.inc |
@@ -19,6 +21,7 @@ include disable-programs.inc | |||
19 | include disable-shell.inc | 21 | include disable-shell.inc |
20 | include disable-xdg.inc | 22 | include disable-xdg.inc |
21 | 23 | ||
24 | include whitelist-runuser-common.inc | ||
22 | # breaks pdf output | 25 | # breaks pdf output |
23 | #include whitelist-var-common.inc | 26 | #include whitelist-var-common.inc |
24 | 27 | ||
@@ -39,15 +42,15 @@ nou2f | |||
39 | novideo | 42 | novideo |
40 | protocol unix | 43 | protocol unix |
41 | seccomp | 44 | seccomp |
45 | seccomp.block-secondary | ||
42 | shell none | 46 | shell none |
43 | tracelog | 47 | tracelog |
44 | x11 none | 48 | x11 none |
45 | 49 | ||
46 | disable-mnt | 50 | disable-mnt |
47 | private-bin context,latex,mktexfmt,pandoc,pdflatex,pdfroff,prince,weasyprint,wkhtmltopdf | ||
48 | private-cache | 51 | private-cache |
49 | private-dev | 52 | private-dev |
50 | private-etc alternatives,texlive,texmf | 53 | private-etc alternatives,ld.so.cache,ld.so.preload,texlive,texmf |
51 | private-tmp | 54 | private-tmp |
52 | 55 | ||
53 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-m-z/parole.profile b/etc/profile-m-z/parole.profile index 33d75f0d2..3d380542f 100644 --- a/etc/profile-m-z/parole.profile +++ b/etc/profile-m-z/parole.profile | |||
@@ -27,4 +27,4 @@ shell none | |||
27 | 27 | ||
28 | private-bin dbus-launch,parole | 28 | private-bin dbus-launch,parole |
29 | private-cache | 29 | private-cache |
30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,pulse,ssl | 30 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,pulse,ssl |
diff --git a/etc/profile-m-z/pavucontrol.profile b/etc/profile-m-z/pavucontrol.profile index 0bd14e88e..d64aab200 100644 --- a/etc/profile-m-z/pavucontrol.profile +++ b/etc/profile-m-z/pavucontrol.profile | |||
@@ -45,7 +45,7 @@ disable-mnt | |||
45 | private-bin pavucontrol | 45 | private-bin pavucontrol |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,asound.conf,avahi,fonts,machine-id,pulse | 48 | private-etc alternatives,asound.conf,avahi,fonts,ld.so.cache,ld.so.preload,machine-id,pulse |
49 | private-lib | 49 | private-lib |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/pdfchain.profile b/etc/profile-m-z/pdfchain.profile index bebd4ba44..41ec98a39 100644 --- a/etc/profile-m-z/pdfchain.profile +++ b/etc/profile-m-z/pdfchain.profile | |||
@@ -34,7 +34,7 @@ shell none | |||
34 | 34 | ||
35 | private-bin pdfchain,pdftk,sh | 35 | private-bin pdfchain,pdftk,sh |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,dconf,fonts,gtk-3.0,xdg | 37 | private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,xdg |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
40 | dbus-user none | 40 | dbus-user none |
diff --git a/etc/profile-m-z/pdftotext.profile b/etc/profile-m-z/pdftotext.profile index 0cb08aa74..9d2f2b95f 100644 --- a/etc/profile-m-z/pdftotext.profile +++ b/etc/profile-m-z/pdftotext.profile | |||
@@ -48,7 +48,7 @@ x11 none | |||
48 | private-bin pdftotext | 48 | private-bin pdftotext |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alternatives | 51 | private-etc alternatives,ld.so.cache,ld.so.preload |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile index a8f925313..f5c295b5d 100644 --- a/etc/profile-m-z/peek.profile +++ b/etc/profile-m-z/peek.profile | |||
@@ -48,7 +48,7 @@ tracelog | |||
48 | disable-mnt | 48 | disable-mnt |
49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh | 49 | private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh |
50 | private-dev | 50 | private-dev |
51 | private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11 | 51 | private-etc alternatives,dconf,firejail,fonts,gtk-3.0,ld.so.cache,ld.so.preload,login.defs,pango,passwd,X11 |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user filter | 54 | dbus-user filter |
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile index c012504c4..80efedec7 100644 --- a/etc/profile-m-z/photoflare.profile +++ b/etc/profile-m-z/photoflare.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin photoflare | 43 | private-bin photoflare |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11 | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,locale,locale.alias,locale.conf,mime.types,X11 |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/pingus.profile b/etc/profile-m-z/pingus.profile index 5b2d7a5a4..69c78740d 100644 --- a/etc/profile-m-z/pingus.profile +++ b/etc/profile-m-z/pingus.profile | |||
@@ -50,7 +50,7 @@ disable-mnt | |||
50 | private-bin pingus,pingus.bin,sh | 50 | private-bin pingus,pingus.bin,sh |
51 | private-cache | 51 | private-cache |
52 | private-dev | 52 | private-dev |
53 | private-etc machine-id | 53 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
56 | dbus-user none | 56 | dbus-user none |
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile new file mode 100644 index 000000000..a0926371f --- /dev/null +++ b/etc/profile-m-z/pip.profile | |||
@@ -0,0 +1,18 @@ | |||
1 | # Firejail profile for pip | ||
2 | # Description: package manager for Python packages | ||
3 | # This file is overwritten after every install/update | ||
4 | quiet | ||
5 | # Persistent local customizations | ||
6 | include meson.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | ignore read-only ${HOME}/.local/lib | ||
11 | |||
12 | # Allow python3 (blacklisted by disable-interpreters.inc) | ||
13 | include allow-python3.inc | ||
14 | |||
15 | #whitelist ${HOME}/.local/lib/python* | ||
16 | |||
17 | # Redirect | ||
18 | include build-systems-common.profile | ||
diff --git a/etc/profile-m-z/pkglog.profile b/etc/profile-m-z/pkglog.profile index c2707dac4..69b954f53 100644 --- a/etc/profile-m-z/pkglog.profile +++ b/etc/profile-m-z/pkglog.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin pkglog,python* | 44 | private-bin pkglog,python* |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives | 47 | private-etc alternatives,ld.so.cache,ld.so.preload |
48 | private-opt none | 48 | private-opt none |
49 | private-tmp | 49 | private-tmp |
50 | writable-var-log | 50 | writable-var-log |
diff --git a/etc/profile-m-z/plv.profile b/etc/profile-m-z/plv.profile index 80f768170..38ccf72e8 100644 --- a/etc/profile-m-z/plv.profile +++ b/etc/profile-m-z/plv.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin plv | 46 | private-bin plv |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,fonts | 49 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
50 | private-opt none | 50 | private-opt none |
51 | private-tmp | 51 | private-tmp |
52 | writable-var-log | 52 | writable-var-log |
diff --git a/etc/profile-m-z/pngquant.profile b/etc/profile-m-z/pngquant.profile index 0b3d2b44c..6b989202f 100644 --- a/etc/profile-m-z/pngquant.profile +++ b/etc/profile-m-z/pngquant.profile | |||
@@ -47,7 +47,7 @@ x11 none | |||
47 | private-bin pngquant | 47 | private-bin pngquant |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives | 50 | private-etc alternatives,ld.so.cache,ld.so.preload |
51 | private-tmp | 51 | private-tmp |
52 | 52 | ||
53 | dbus-user none | 53 | dbus-user none |
diff --git a/etc/profile-m-z/pragha.profile b/etc/profile-m-z/pragha.profile index bc0ff0e85..fd595c27a 100644 --- a/etc/profile-m-z/pragha.profile +++ b/etc/profile-m-z/pragha.profile | |||
@@ -33,6 +33,6 @@ seccomp | |||
33 | shell none | 33 | shell none |
34 | 34 | ||
35 | private-dev | 35 | private-dev |
36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,machine-id,pki,pulse,resolv.conf,ssl,xdg | 36 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl,xdg |
37 | private-tmp | 37 | private-tmp |
38 | 38 | ||
diff --git a/etc/profile-m-z/profanity.profile b/etc/profile-m-z/profanity.profile index 705af370b..25a248425 100644 --- a/etc/profile-m-z/profanity.profile +++ b/etc/profile-m-z/profanity.profile | |||
@@ -44,7 +44,7 @@ shell none | |||
44 | private-bin profanity | 44 | private-bin profanity |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,ca-certificates,crypto-policies,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl | 47 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,localtime,mime.types,nsswitch.conf,pki,resolv.conf,ssl |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile index 450bb10c7..99a72adee 100644 --- a/etc/profile-m-z/psi.profile +++ b/etc/profile-m-z/psi.profile | |||
@@ -71,7 +71,7 @@ disable-mnt | |||
71 | private-bin getopt,psi | 71 | private-bin getopt,psi |
72 | private-cache | 72 | private-cache |
73 | private-dev | 73 | private-dev |
74 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 74 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
75 | private-tmp | 75 | private-tmp |
76 | 76 | ||
77 | dbus-user none | 77 | dbus-user none |
diff --git a/etc/profile-m-z/qgis.profile b/etc/profile-m-z/qgis.profile index 3dc232b55..555e1e41b 100644 --- a/etc/profile-m-z/qgis.profile +++ b/etc/profile-m-z/qgis.profile | |||
@@ -52,7 +52,7 @@ tracelog | |||
52 | disable-mnt | 52 | disable-mnt |
53 | private-cache | 53 | private-cache |
54 | private-dev | 54 | private-dev |
55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf | 55 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,QGIS,QGIS.conf,resolv.conf,ssl,Trolltech.conf |
56 | private-tmp | 56 | private-tmp |
57 | 57 | ||
58 | dbus-user none | 58 | dbus-user none |
diff --git a/etc/profile-m-z/qnapi.profile b/etc/profile-m-z/qnapi.profile index 4eee0df5f..4a3ce366e 100644 --- a/etc/profile-m-z/qnapi.profile +++ b/etc/profile-m-z/qnapi.profile | |||
@@ -47,7 +47,7 @@ tracelog | |||
47 | private-bin 7z,qnapi | 47 | private-bin 7z,qnapi |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,fonts | 50 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
51 | private-opt none | 51 | private-opt none |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/qrencode.profile b/etc/profile-m-z/qrencode.profile index 7ef676068..dd3f24875 100644 --- a/etc/profile-m-z/qrencode.profile +++ b/etc/profile-m-z/qrencode.profile | |||
@@ -47,7 +47,7 @@ disable-mnt | |||
47 | private-bin qrencode | 47 | private-bin qrencode |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc none | 50 | private-etc alternatives,ld.so.cache,ld.so.preload |
51 | private-lib libpcre* | 51 | private-lib libpcre* |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/qtox.profile b/etc/profile-m-z/qtox.profile index bae802cc6..60e1539fa 100644 --- a/etc/profile-m-z/qtox.profile +++ b/etc/profile-m-z/qtox.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin qtox | 43 | private-bin qtox |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/regextester.profile b/etc/profile-m-z/regextester.profile index 1de59bc7c..f1ce313e7 100644 --- a/etc/profile-m-z/regextester.profile +++ b/etc/profile-m-z/regextester.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin regextester | 43 | private-bin regextester |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
47 | private-lib libgranite.so.* | 47 | private-lib libgranite.so.* |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-m-z/retroarch.profile b/etc/profile-m-z/retroarch.profile new file mode 100644 index 000000000..1887a9b72 --- /dev/null +++ b/etc/profile-m-z/retroarch.profile | |||
@@ -0,0 +1,54 @@ | |||
1 | # Firejail profile for retroarch | ||
2 | # Description: retroarch is a frontend to libretro emulator cores. | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include retroarch.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | blacklist /usr/libexec | ||
10 | |||
11 | include disable-common.inc | ||
12 | include disable-devel.inc | ||
13 | include disable-exec.inc | ||
14 | include disable-interpreters.inc | ||
15 | include disable-programs.inc | ||
16 | include disable-shell.inc | ||
17 | include disable-xdg.inc | ||
18 | |||
19 | mkdir ${HOME}/.config/retroarch | ||
20 | whitelist ${HOME}/.config/retroarch | ||
21 | whitelist /run/udev | ||
22 | whitelist /usr/share/retroarch | ||
23 | whitelist /usr/share/libretro | ||
24 | include whitelist-common.inc | ||
25 | include whitelist-run-common.inc | ||
26 | include whitelist-runuser-common.inc | ||
27 | include whitelist-usr-share-common.inc | ||
28 | include whitelist-var-common.inc | ||
29 | |||
30 | apparmor | ||
31 | caps.drop all | ||
32 | netfilter | ||
33 | nodvd | ||
34 | nogroups | ||
35 | nonewprivs | ||
36 | noroot | ||
37 | notv | ||
38 | nou2f | ||
39 | # If you need access to cameras, add `ignore novideo` to retroarch.local | ||
40 | novideo | ||
41 | protocol unix,inet,inet6,netlink | ||
42 | seccomp | ||
43 | seccomp.block-secondary | ||
44 | shell none | ||
45 | tracelog | ||
46 | |||
47 | disable-mnt | ||
48 | private-bin retroarch | ||
49 | private-cache | ||
50 | private-dev | ||
51 | private-tmp | ||
52 | |||
53 | dbus-user none | ||
54 | dbus-system none | ||
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile index 23a65f54a..e44e55a12 100644 --- a/etc/profile-m-z/rsync-download_only.profile +++ b/etc/profile-m-z/rsync-download_only.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin rsync | 49 | private-bin rsync |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/scorchwentbonkers.profile b/etc/profile-m-z/scorchwentbonkers.profile index 1069c34ea..70b5d844a 100644 --- a/etc/profile-m-z/scorchwentbonkers.profile +++ b/etc/profile-m-z/scorchwentbonkers.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin scorchwentbonkers | 43 | private-bin scorchwentbonkers |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alsa,asound.conf,machine-id,pulse | 46 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index af7d5eeac..72d6d5cf7 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile | |||
@@ -48,7 +48,7 @@ private | |||
48 | private-bin bash,dash,python*,seahorse-adventures,sh | 48 | private-bin bash,dash,python*,seahorse-adventures,sh |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc machine-id | 51 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/seahorse-tool.profile b/etc/profile-m-z/seahorse-tool.profile index 96ff74edf..9ef174606 100644 --- a/etc/profile-m-z/seahorse-tool.profile +++ b/etc/profile-m-z/seahorse-tool.profile | |||
@@ -8,7 +8,7 @@ include seahorse-tool.local | |||
8 | #include globals.local | 8 | #include globals.local |
9 | 9 | ||
10 | # private-etc workaround for: #2877 | 10 | # private-etc workaround for: #2877 |
11 | private-etc firejail,login.defs,passwd | 11 | private-etc alternatives,firejail,ld.so.cache,ld.so.preload,login.defs,passwd |
12 | private-tmp | 12 | private-tmp |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile index 94a27da87..7382e4712 100644 --- a/etc/profile-m-z/seahorse.profile +++ b/etc/profile-m-z/seahorse.profile | |||
@@ -60,7 +60,7 @@ tracelog | |||
60 | disable-mnt | 60 | disable-mnt |
61 | private-cache | 61 | private-cache |
62 | private-dev | 62 | private-dev |
63 | private-etc ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 | 63 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gconf,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pango,pki,protocols,resolv.conf,rpc,services,ssh,ssl,X11 |
64 | writable-run-user | 64 | writable-run-user |
65 | 65 | ||
66 | dbus-user filter | 66 | dbus-user filter |
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile index b6a828636..3b569eeaf 100644 --- a/etc/profile-m-z/shotwell.profile +++ b/etc/profile-m-z/shotwell.profile | |||
@@ -49,7 +49,7 @@ tracelog | |||
49 | private-bin shotwell | 49 | private-bin shotwell |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,fonts,machine-id | 52 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
53 | private-opt none | 53 | private-opt none |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/slack.profile b/etc/profile-m-z/slack.profile index 51f6c8b00..a511ebb1c 100644 --- a/etc/profile-m-z/slack.profile +++ b/etc/profile-m-z/slack.profile | |||
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Slack | |||
26 | whitelist ${HOME}/.config/Slack | 26 | whitelist ${HOME}/.config/Slack |
27 | 27 | ||
28 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack | 28 | private-bin electron,electron[0-9],electron[0-9][0-9],locale,sh,slack |
29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe | 29 | private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe |
30 | 30 | ||
31 | # Redirect | 31 | # Redirect |
32 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile index 31d14924c..0cdb5537e 100644 --- a/etc/profile-m-z/smuxi-frontend-gnome.profile +++ b/etc/profile-m-z/smuxi-frontend-gnome.profile | |||
@@ -48,7 +48,7 @@ disable-mnt | |||
48 | private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome | 48 | private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome |
49 | private-cache | 49 | private-cache |
50 | private-dev | 50 | private-dev |
51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg | 51 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.preload,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
54 | dbus-user none | 54 | dbus-user none |
diff --git a/etc/profile-m-z/softmaker-common.profile b/etc/profile-m-z/softmaker-common.profile index ebdd5c1f8..099e6a2ad 100644 --- a/etc/profile-m-z/softmaker-common.profile +++ b/etc/profile-m-z/softmaker-common.profile | |||
@@ -6,9 +6,9 @@ include softmaker-common.local | |||
6 | # added by caller profile | 6 | # added by caller profile |
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | # The offical packages install the desktop file under /usr/local/share/applications | 9 | # The official packages install the desktop file under /usr/local/share/applications |
10 | # with an absolute Exec line. These files are NOT handelt by firecfg, | 10 | # with an absolute Exec line. These files are NOT handled by firecfg, |
11 | # therefore you must manualy copy them in you home and remove '/usr/bin/'. | 11 | # therefore you must manually copy them in you home and remove '/usr/bin/'. |
12 | 12 | ||
13 | noblacklist ${HOME}/SoftMaker | 13 | noblacklist ${HOME}/SoftMaker |
14 | 14 | ||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free | 43 | private-bin freeoffice-planmaker,freeoffice-presentations,freeoffice-textmaker,planmaker18,planmaker18free,presentations18,presentations18free,sh,textmaker18,textmaker18free |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,SoftMaker,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile index d803fa5ce..fc4ae2b04 100644 --- a/etc/profile-m-z/spectacle.profile +++ b/etc/profile-m-z/spectacle.profile | |||
@@ -22,7 +22,7 @@ include disable-interpreters.inc | |||
22 | include disable-programs.inc | 22 | include disable-programs.inc |
23 | include disable-xdg.inc | 23 | include disable-xdg.inc |
24 | 24 | ||
25 | mkfile ${HOME}/.config/spectaclerc | 25 | mkfile ${HOME}/.config/spectaclerc |
26 | whitelist ${HOME}/.config/spectaclerc | 26 | whitelist ${HOME}/.config/spectaclerc |
27 | whitelist ${PICTURES} | 27 | whitelist ${PICTURES} |
28 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd | 28 | whitelist /usr/share/kconf_update/spectacle_newConfig.upd |
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin spectacle | 56 | private-bin spectacle |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d | 59 | private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | dbus-user filter | 62 | dbus-user filter |
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile index 5f17b73dc..3f7f68009 100644 --- a/etc/profile-m-z/spectral.profile +++ b/etc/profile-m-z/spectral.profile | |||
@@ -49,10 +49,8 @@ private-dev | |||
49 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 49 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user none | 52 | dbus-user filter |
53 | # Add the next lines to your spectral.local to enable notification support. | 53 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
54 | #ignore dbus-user none | 54 | # Add the next line to your spectral.local to enable notification support. |
55 | #dbus-user filter | ||
56 | #dbus-user.talk org.freedesktop.Notifications | 55 | #dbus-user.talk org.freedesktop.Notifications |
57 | #dbus-user.talk org.kde.StatusNotifierWatcher | ||
58 | dbus-system none | 56 | dbus-system none |
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index ffee76d23..0ce918161 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile | |||
@@ -44,7 +44,7 @@ disable-mnt | |||
44 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity | 44 | private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity |
45 | private-dev | 45 | private-dev |
46 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. | 46 | # If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. |
47 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl | 47 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl |
48 | private-opt spotify | 48 | private-opt spotify |
49 | private-srv none | 49 | private-srv none |
50 | private-tmp | 50 | private-tmp |
diff --git a/etc/profile-m-z/sqlitebrowser.profile b/etc/profile-m-z/sqlitebrowser.profile index e35f74404..deaf37f52 100644 --- a/etc/profile-m-z/sqlitebrowser.profile +++ b/etc/profile-m-z/sqlitebrowser.profile | |||
@@ -42,7 +42,7 @@ shell none | |||
42 | private-bin sqlitebrowser | 42 | private-bin sqlitebrowser |
43 | private-cache | 43 | private-cache |
44 | private-dev | 44 | private-dev |
45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd,pki,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | # breaks proxy creation | 48 | # breaks proxy creation |
diff --git a/etc/profile-m-z/ssh-agent.profile b/etc/profile-m-z/ssh-agent.profile index 11723664f..9d3fe9637 100644 --- a/etc/profile-m-z/ssh-agent.profile +++ b/etc/profile-m-z/ssh-agent.profile | |||
@@ -11,6 +11,7 @@ include allow-ssh.inc | |||
11 | 11 | ||
12 | blacklist /tmp/.X11-unix | 12 | blacklist /tmp/.X11-unix |
13 | blacklist ${RUNUSER}/wayland-* | 13 | blacklist ${RUNUSER}/wayland-* |
14 | noblacklist /usr/lib/openssh/ssh-keysign | ||
14 | 15 | ||
15 | include disable-common.inc | 16 | include disable-common.inc |
16 | include disable-programs.inc | 17 | include disable-programs.inc |
diff --git a/etc/profile-m-z/ssh.profile b/etc/profile-m-z/ssh.profile index 9295013e7..194b2082c 100644 --- a/etc/profile-m-z/ssh.profile +++ b/etc/profile-m-z/ssh.profile | |||
@@ -10,6 +10,7 @@ include globals.local | |||
10 | # nc can be used as ProxyCommand, e.g. when using tor | 10 | # nc can be used as ProxyCommand, e.g. when using tor |
11 | noblacklist ${PATH}/nc | 11 | noblacklist ${PATH}/nc |
12 | noblacklist ${PATH}/ncat | 12 | noblacklist ${PATH}/ncat |
13 | noblacklist /usr/lib/openssh/ssh-keysign | ||
13 | 14 | ||
14 | # Allow ssh (blacklisted by disable-common.inc) | 15 | # Allow ssh (blacklisted by disable-common.inc) |
15 | include allow-ssh.inc | 16 | include allow-ssh.inc |
diff --git a/etc/profile-m-z/standardnotes-desktop.profile b/etc/profile-m-z/standardnotes-desktop.profile index d54ddacdd..7a59274bf 100644 --- a/etc/profile-m-z/standardnotes-desktop.profile +++ b/etc/profile-m-z/standardnotes-desktop.profile | |||
@@ -38,7 +38,7 @@ seccomp !chroot | |||
38 | disable-mnt | 38 | disable-mnt |
39 | private-dev | 39 | private-dev |
40 | private-tmp | 40 | private-tmp |
41 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,pki,resolv.conf,ssl,xdg | 41 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl,xdg |
42 | 42 | ||
43 | dbus-user none | 43 | dbus-user none |
44 | dbus-system none | 44 | dbus-system none |
diff --git a/etc/profile-m-z/straw-viewer.profile b/etc/profile-m-z/straw-viewer.profile index d73927f2a..513abc21b 100644 --- a/etc/profile-m-z/straw-viewer.profile +++ b/etc/profile-m-z/straw-viewer.profile | |||
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/straw-viewer | |||
18 | private-bin gtk-straw-viewer,straw-viewer | 18 | private-bin gtk-straw-viewer,straw-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile \ No newline at end of file | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/strawberry.profile b/etc/profile-m-z/strawberry.profile index dfb0a3e3b..32e43f079 100644 --- a/etc/profile-m-z/strawberry.profile +++ b/etc/profile-m-z/strawberry.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin strawberry,strawberry-tagreader | 43 | private-bin strawberry,strawberry-tagreader |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,nsswitch.conf,pki,resolv.conf,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-system none | 49 | dbus-system none |
diff --git a/etc/profile-m-z/subdownloader.profile b/etc/profile-m-z/subdownloader.profile index 100ac9d14..a9f22085b 100644 --- a/etc/profile-m-z/subdownloader.profile +++ b/etc/profile-m-z/subdownloader.profile | |||
@@ -44,7 +44,7 @@ tracelog | |||
44 | 44 | ||
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alternatives,fonts | 47 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/supertux2.profile b/etc/profile-m-z/supertux2.profile index 0e9113821..464fa1b08 100644 --- a/etc/profile-m-z/supertux2.profile +++ b/etc/profile-m-z/supertux2.profile | |||
@@ -30,7 +30,6 @@ caps.drop all | |||
30 | net none | 30 | net none |
31 | nodvd | 31 | nodvd |
32 | nogroups | 32 | nogroups |
33 | noinput | ||
34 | nonewprivs | 33 | nonewprivs |
35 | noroot | 34 | noroot |
36 | notv | 35 | notv |
@@ -45,7 +44,7 @@ tracelog | |||
45 | disable-mnt | 44 | disable-mnt |
46 | # private-bin supertux2 | 45 | # private-bin supertux2 |
47 | private-cache | 46 | private-cache |
48 | private-etc machine-id | 47 | private-etc alternatives,ld.so.cache,ld.so.preload,machine-id |
49 | private-dev | 48 | private-dev |
50 | private-tmp | 49 | private-tmp |
51 | 50 | ||
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile index 7ba7e7023..473472251 100644 --- a/etc/profile-m-z/supertuxkart.profile +++ b/etc/profile-m-z/supertuxkart.profile | |||
@@ -54,7 +54,7 @@ private-bin supertuxkart | |||
54 | private-cache | 54 | private-cache |
55 | # Add the next line to your supertuxkart.local if you do not need controller support. | 55 | # Add the next line to your supertuxkart.local if you do not need controller support. |
56 | #private-dev | 56 | #private-dev |
57 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl | 57 | private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,ld.so.cache,ld.so.preload,machine-id,openal,pki,resolv.conf,ssl |
58 | private-tmp | 58 | private-tmp |
59 | private-opt none | 59 | private-opt none |
60 | private-srv none | 60 | private-srv none |
diff --git a/etc/profile-m-z/surf.profile b/etc/profile-m-z/surf.profile index 7c092fccc..c04f00cab 100644 --- a/etc/profile-m-z/surf.profile +++ b/etc/profile-m-z/surf.profile | |||
@@ -34,6 +34,6 @@ tracelog | |||
34 | disable-mnt | 34 | disable-mnt |
35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop | 35 | private-bin bash,curl,dmenu,ls,printf,sed,sh,sleep,st,stterm,surf,xargs,xprop |
36 | private-dev | 36 | private-dev |
37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,machine-id,passwd,pki,resolv.conf,ssl | 37 | private-etc alternatives,ca-certificates,crypto-policies,fonts,group,hosts,ld.so.cache,ld.so.preload,machine-id,passwd,pki,resolv.conf,ssl |
38 | private-tmp | 38 | private-tmp |
39 | 39 | ||
diff --git a/etc/profile-m-z/sway.profile b/etc/profile-m-z/sway.profile index 4637419bf..046d1b4be 100644 --- a/etc/profile-m-z/sway.profile +++ b/etc/profile-m-z/sway.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for Sway | 1 | # Firejail profile for Sway |
2 | # Description: i3-compatible Wayland compositor | 2 | # Description: i3-compatible Wayland compositor |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include sway.local | 5 | include sway.local |
diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index ac4a380bb..c7119ae0f 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile | |||
@@ -63,7 +63,7 @@ disable-mnt | |||
63 | #private-bin sysprof - breaks help menu | 63 | #private-bin sysprof - breaks help menu |
64 | private-cache | 64 | private-cache |
65 | private-dev | 65 | private-dev |
66 | private-etc alternatives,fonts,ld.so.cache,machine-id,ssl | 66 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id,ssl |
67 | # private-lib - breaks help menu | 67 | # private-lib - breaks help menu |
68 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so | 68 | #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so |
69 | private-tmp | 69 | private-tmp |
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile index 0d3a900e9..0817adda8 100644 --- a/etc/profile-m-z/tar.profile +++ b/etc/profile-m-z/tar.profile | |||
@@ -14,7 +14,7 @@ ignore include disable-shell.inc | |||
14 | # all capabilities this is automatically read-only. | 14 | # all capabilities this is automatically read-only. |
15 | noblacklist /var/lib/pacman | 15 | noblacklist /var/lib/pacman |
16 | 16 | ||
17 | private-etc alternatives,group,localtime,login.defs,passwd | 17 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,login.defs,passwd |
18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* | 18 | #private-lib libfakeroot,liblzma.so.*,libreadline.so.* |
19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) | 19 | # Debian based distributions need this for 'dpkg --unpack' (incl. synaptic) |
20 | writable-var | 20 | writable-var |
diff --git a/etc/profile-m-z/teams-for-linux.profile b/etc/profile-m-z/teams-for-linux.profile index c97921d92..ee19bcd00 100644 --- a/etc/profile-m-z/teams-for-linux.profile +++ b/etc/profile-m-z/teams-for-linux.profile | |||
@@ -20,7 +20,7 @@ mkdir ${HOME}/.config/teams-for-linux | |||
20 | whitelist ${HOME}/.config/teams-for-linux | 20 | whitelist ${HOME}/.config/teams-for-linux |
21 | 21 | ||
22 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh | 22 | private-bin bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh |
23 | private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl | 23 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,resolv.conf,ssl |
24 | 24 | ||
25 | # Redirect | 25 | # Redirect |
26 | include electron.profile | 26 | include electron.profile |
diff --git a/etc/profile-m-z/teeworlds.profile b/etc/profile-m-z/teeworlds.profile index df54fb9ba..d0fb0d43e 100644 --- a/etc/profile-m-z/teeworlds.profile +++ b/etc/profile-m-z/teeworlds.profile | |||
@@ -26,7 +26,6 @@ ipc-namespace | |||
26 | netfilter | 26 | netfilter |
27 | nodvd | 27 | nodvd |
28 | nogroups | 28 | nogroups |
29 | noinput | ||
30 | nonewprivs | 29 | nonewprivs |
31 | noroot | 30 | noroot |
32 | notv | 31 | notv |
diff --git a/etc/profile-m-z/telegram.profile b/etc/profile-m-z/telegram.profile index 115be54eb..dc1f77664 100644 --- a/etc/profile-m-z/telegram.profile +++ b/etc/profile-m-z/telegram.profile | |||
@@ -41,16 +41,16 @@ seccomp.block-secondary | |||
41 | shell none | 41 | shell none |
42 | 42 | ||
43 | disable-mnt | 43 | disable-mnt |
44 | #private-bin telegram,Telegram,telegram-desktop | 44 | private-bin telegram,Telegram,telegram-desktop |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg | 47 | private-etc alsa,alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,machine-id,os-release,passwd,pki,pulse,resolv.conf,ssl,xdg |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user filter | 50 | dbus-user filter |
51 | dbus-user.own org.telegram.desktop.* | 51 | dbus-user.own org.telegram.desktop.* |
52 | dbus-user.talk org.freedesktop.Notifications | 52 | dbus-user.talk org.freedesktop.Notifications |
53 | dbus-user.talk org.kde.StatusNotifierWatcher | 53 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher |
54 | dbus-user.talk org.gnome.Mutter.IdleMonitor | 54 | dbus-user.talk org.gnome.Mutter.IdleMonitor |
55 | dbus-user.talk org.freedesktop.ScreenSaver | 55 | dbus-user.talk org.freedesktop.ScreenSaver |
56 | dbus-system none | 56 | dbus-system none |
diff --git a/etc/profile-m-z/tilp.profile b/etc/profile-m-z/tilp.profile index 7c18aab50..d2db44b1c 100644 --- a/etc/profile-m-z/tilp.profile +++ b/etc/profile-m-z/tilp.profile | |||
@@ -30,6 +30,6 @@ tracelog | |||
30 | disable-mnt | 30 | disable-mnt |
31 | private-bin tilp | 31 | private-bin tilp |
32 | private-cache | 32 | private-cache |
33 | private-etc alternatives,fonts | 33 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
34 | private-tmp | 34 | private-tmp |
35 | 35 | ||
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile index 039063c1e..1d4ee9370 100644 --- a/etc/profile-m-z/tin.profile +++ b/etc/profile-m-z/tin.profile | |||
@@ -58,7 +58,7 @@ disable-mnt | |||
58 | private-bin rtin,tin | 58 | private-bin rtin,tin |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc passwd,resolv.conf,terminfo,tin | 61 | private-etc alternatives,ld.so.cache,ld.so.preload,passwd,resolv.conf,terminfo,tin |
62 | private-lib terminfo | 62 | private-lib terminfo |
63 | private-tmp | 63 | private-tmp |
64 | 64 | ||
diff --git a/etc/profile-m-z/tor.profile b/etc/profile-m-z/tor.profile index 08e949309..d8cd8eb44 100644 --- a/etc/profile-m-z/tor.profile +++ b/etc/profile-m-z/tor.profile | |||
@@ -46,6 +46,6 @@ private | |||
46 | private-bin bash,tor | 46 | private-bin bash,tor |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,ca-certificates,crypto-policies,passwd,pki,ssl,tor | 49 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor |
50 | private-tmp | 50 | private-tmp |
51 | writable-var | 51 | writable-var |
diff --git a/etc/profile-m-z/torbrowser.profile b/etc/profile-m-z/torbrowser.profile new file mode 100644 index 000000000..fc579b973 --- /dev/null +++ b/etc/profile-m-z/torbrowser.profile | |||
@@ -0,0 +1,26 @@ | |||
1 | # Firejail profile for torbrowser | ||
2 | # Description: This profile was tested with www-client/torbrowser::torbrowser | ||
3 | # on Gentoo Linux. | ||
4 | # This file is overwritten after every install/update | ||
5 | # Persistent local customizations | ||
6 | include torbrowser.local | ||
7 | # Persistent global definitions | ||
8 | include globals.local | ||
9 | |||
10 | ignore dbus-user none | ||
11 | |||
12 | noblacklist ${HOME}/.cache/mozilla | ||
13 | noblacklist ${HOME}/.mozilla | ||
14 | |||
15 | blacklist /usr/libexec | ||
16 | |||
17 | mkdir ${HOME}/.cache/mozilla/torbrowser | ||
18 | mkdir ${HOME}/.mozilla | ||
19 | whitelist ${HOME}/.cache/mozilla/torbrowser | ||
20 | whitelist ${HOME}/.mozilla | ||
21 | include whitelist-usr-share-common.inc | ||
22 | |||
23 | dbus-user filter | ||
24 | dbus-user.own org.mozilla.torbrowser.* | ||
25 | |||
26 | include firefox-common.profile | ||
diff --git a/etc/profile-m-z/torcs.profile b/etc/profile-m-z/torcs.profile index a7ebaf2af..19e586db4 100644 --- a/etc/profile-m-z/torcs.profile +++ b/etc/profile-m-z/torcs.profile | |||
@@ -28,7 +28,6 @@ ipc-namespace | |||
28 | net none | 28 | net none |
29 | nodvd | 29 | nodvd |
30 | nogroups | 30 | nogroups |
31 | noinput | ||
32 | nonewprivs | 31 | nonewprivs |
33 | noroot | 32 | noroot |
34 | notv | 33 | notv |
diff --git a/etc/profile-m-z/transgui.profile b/etc/profile-m-z/transgui.profile index 2b63f6448..4acb8e7e8 100644 --- a/etc/profile-m-z/transgui.profile +++ b/etc/profile-m-z/transgui.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | private-bin geoiplookup,geoiplookup6,transgui | 45 | private-bin geoiplookup,geoiplookup6,transgui |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alternatives,fonts | 48 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
49 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* | 49 | private-lib libgdk_pixbuf-2.0.so.*,libGeoIP.so*,libgthread-2.0.so.*,libgtk-x11-2.0.so.*,libX11.so.* |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
diff --git a/etc/profile-m-z/transmission-cli.profile b/etc/profile-m-z/transmission-cli.profile index 486be5fe6..8a1711e97 100644 --- a/etc/profile-m-z/transmission-cli.profile +++ b/etc/profile-m-z/transmission-cli.profile | |||
@@ -8,7 +8,7 @@ include transmission-cli.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-cli | 10 | private-bin transmission-cli |
11 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 11 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/transmission-daemon.profile b/etc/profile-m-z/transmission-daemon.profile index 348d3cb80..5d28f2f10 100644 --- a/etc/profile-m-z/transmission-daemon.profile +++ b/etc/profile-m-z/transmission-daemon.profile | |||
@@ -17,7 +17,7 @@ caps.keep ipc_lock,net_bind_service,setgid,setuid,sys_chroot | |||
17 | protocol packet | 17 | protocol packet |
18 | 18 | ||
19 | private-bin transmission-daemon | 19 | private-bin transmission-daemon |
20 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 20 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
21 | 21 | ||
22 | read-write /var/lib/transmission | 22 | read-write /var/lib/transmission |
23 | writable-var-log | 23 | writable-var-log |
diff --git a/etc/profile-m-z/transmission-remote-gtk.profile b/etc/profile-m-z/transmission-remote-gtk.profile index a6400e2c0..6a0f1bde3 100644 --- a/etc/profile-m-z/transmission-remote-gtk.profile +++ b/etc/profile-m-z/transmission-remote-gtk.profile | |||
@@ -12,7 +12,7 @@ noblacklist ${HOME}/.config/transmission-remote-gtk | |||
12 | mkdir ${HOME}/.config/transmission-remote-gtk | 12 | mkdir ${HOME}/.config/transmission-remote-gtk |
13 | whitelist ${HOME}/.config/transmission-remote-gtk | 13 | whitelist ${HOME}/.config/transmission-remote-gtk |
14 | 14 | ||
15 | private-etc fonts,hostname,hosts,resolv.conf | 15 | private-etc alternatives,fonts,hostname,hosts,ld.so.cache,ld.so.preload,resolv.conf |
16 | # Problems with private-lib (see issue #2889) | 16 | # Problems with private-lib (see issue #2889) |
17 | ignore private-lib | 17 | ignore private-lib |
18 | 18 | ||
diff --git a/etc/profile-m-z/transmission-remote.profile b/etc/profile-m-z/transmission-remote.profile index fee4999e6..565433d99 100644 --- a/etc/profile-m-z/transmission-remote.profile +++ b/etc/profile-m-z/transmission-remote.profile | |||
@@ -8,7 +8,7 @@ include transmission-remote.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-remote | 10 | private-bin transmission-remote |
11 | private-etc alternatives,hosts,nsswitch.conf | 11 | private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/transmission-show.profile b/etc/profile-m-z/transmission-show.profile index 5a3c83f58..0a5826ec4 100644 --- a/etc/profile-m-z/transmission-show.profile +++ b/etc/profile-m-z/transmission-show.profile | |||
@@ -8,7 +8,7 @@ include transmission-show.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin transmission-show | 10 | private-bin transmission-show |
11 | private-etc alternatives,hosts,nsswitch.conf | 11 | private-etc alternatives,hosts,ld.so.cache,ld.so.preload,nsswitch.conf |
12 | 12 | ||
13 | # Redirect | 13 | # Redirect |
14 | include transmission-common.profile | 14 | include transmission-common.profile |
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile index 4e16df553..96541ae25 100644 --- a/etc/profile-m-z/tremulous.profile +++ b/etc/profile-m-z/tremulous.profile | |||
@@ -8,6 +8,9 @@ include globals.local | |||
8 | 8 | ||
9 | noblacklist ${HOME}/.tremulous | 9 | noblacklist ${HOME}/.tremulous |
10 | 10 | ||
11 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
12 | include allow-bin-sh.inc | ||
13 | |||
11 | include disable-common.inc | 14 | include disable-common.inc |
12 | include disable-devel.inc | 15 | include disable-devel.inc |
13 | include disable-exec.inc | 16 | include disable-exec.inc |
@@ -41,7 +44,7 @@ shell none | |||
41 | tracelog | 44 | tracelog |
42 | 45 | ||
43 | disable-mnt | 46 | disable-mnt |
44 | private-bin tremded,tremulous,tremulous-wrapper | 47 | private-bin env,sh,tremded,tremulous,tremulous-wrapper |
45 | private-cache | 48 | private-cache |
46 | private-dev | 49 | private-dev |
47 | private-tmp | 50 | private-tmp |
diff --git a/etc/profile-m-z/trojita.profile b/etc/profile-m-z/trojita.profile index 41426c606..60a192ac1 100644 --- a/etc/profile-m-z/trojita.profile +++ b/etc/profile-m-z/trojita.profile | |||
@@ -54,7 +54,7 @@ tracelog | |||
54 | private-bin trojita | 54 | private-bin trojita |
55 | private-cache | 55 | private-cache |
56 | private-dev | 56 | private-dev |
57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,selinux,ssl,xdg | 57 | private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.preload,pki,resolv.conf,selinux,ssl,xdg |
58 | private-tmp | 58 | private-tmp |
59 | 59 | ||
60 | dbus-user filter | 60 | dbus-user filter |
diff --git a/etc/profile-m-z/twitch.profile b/etc/profile-m-z/twitch.profile index d767b4c9d..987a2b719 100644 --- a/etc/profile-m-z/twitch.profile +++ b/etc/profile-m-z/twitch.profile | |||
@@ -18,7 +18,7 @@ mkdir ${HOME}/.config/Twitch | |||
18 | whitelist ${HOME}/.config/Twitch | 18 | whitelist ${HOME}/.config/Twitch |
19 | 19 | ||
20 | private-bin electron,electron[0-9],electron[0-9][0-9],twitch | 20 | private-bin electron,electron[0-9],electron[0-9][0-9],twitch |
21 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 21 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
22 | private-opt Twitch | 22 | private-opt Twitch |
23 | 23 | ||
24 | # Redirect | 24 | # Redirect |
diff --git a/etc/profile-m-z/unf.profile b/etc/profile-m-z/unf.profile index 212e6d181..1b82ad881 100644 --- a/etc/profile-m-z/unf.profile +++ b/etc/profile-m-z/unf.profile | |||
@@ -49,7 +49,7 @@ private-bin unf | |||
49 | private-cache | 49 | private-cache |
50 | ?HAS_APPIMAGE: ignore private-dev | 50 | ?HAS_APPIMAGE: ignore private-dev |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives | 52 | private-etc alternatives,ld.so.cache,ld.so.preload |
53 | private-lib gcc/*/*/libgcc_s.so.* | 53 | private-lib gcc/*/*/libgcc_s.so.* |
54 | private-tmp | 54 | private-tmp |
55 | 55 | ||
diff --git a/etc/profile-m-z/unrar.profile b/etc/profile-m-z/unrar.profile index 9d3d9b40e..443d1f415 100644 --- a/etc/profile-m-z/unrar.profile +++ b/etc/profile-m-z/unrar.profile | |||
@@ -8,7 +8,7 @@ include unrar.local | |||
8 | include globals.local | 8 | include globals.local |
9 | 9 | ||
10 | private-bin unrar | 10 | private-bin unrar |
11 | private-etc alternatives,group,localtime,passwd | 11 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
12 | private-tmp | 12 | private-tmp |
13 | 13 | ||
14 | # Redirect | 14 | # Redirect |
diff --git a/etc/profile-m-z/unzip.profile b/etc/profile-m-z/unzip.profile index 0231e3dba..97df693ba 100644 --- a/etc/profile-m-z/unzip.profile +++ b/etc/profile-m-z/unzip.profile | |||
@@ -10,7 +10,7 @@ include globals.local | |||
10 | # GNOME Shell integration (chrome-gnome-shell) | 10 | # GNOME Shell integration (chrome-gnome-shell) |
11 | noblacklist ${HOME}/.local/share/gnome-shell | 11 | noblacklist ${HOME}/.local/share/gnome-shell |
12 | 12 | ||
13 | private-etc alternatives,group,localtime,passwd | 13 | private-etc alternatives,group,ld.so.cache,ld.so.preload,localtime,passwd |
14 | 14 | ||
15 | # Redirect | 15 | # Redirect |
16 | include archiver-common.profile | 16 | include archiver-common.profile |
diff --git a/etc/profile-m-z/utox.profile b/etc/profile-m-z/utox.profile index b164494fa..5a867a683 100644 --- a/etc/profile-m-z/utox.profile +++ b/etc/profile-m-z/utox.profile | |||
@@ -43,7 +43,7 @@ disable-mnt | |||
43 | private-bin utox | 43 | private-bin utox |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl | 46 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,localtime,machine-id,openal,pki,pulse,resolv.conf,ssl |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | memory-deny-write-execute | 49 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/uudeview.profile b/etc/profile-m-z/uudeview.profile index 3b38f16e0..426766e17 100644 --- a/etc/profile-m-z/uudeview.profile +++ b/etc/profile-m-z/uudeview.profile | |||
@@ -41,7 +41,7 @@ x11 none | |||
41 | private-bin uudeview | 41 | private-bin uudeview |
42 | private-cache | 42 | private-cache |
43 | private-dev | 43 | private-dev |
44 | private-etc alternatives,ld.so.preload | 44 | private-etc alternatives,ld.so.cache,ld.so.preload |
45 | 45 | ||
46 | dbus-user none | 46 | dbus-user none |
47 | dbus-system none | 47 | dbus-system none |
diff --git a/etc/profile-m-z/viewnior.profile b/etc/profile-m-z/viewnior.profile index 469e65542..585a8eddb 100644 --- a/etc/profile-m-z/viewnior.profile +++ b/etc/profile-m-z/viewnior.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin viewnior | 43 | private-bin viewnior |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,machine-id | 46 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
47 | private-tmp | 47 | private-tmp |
48 | 48 | ||
49 | dbus-user none | 49 | dbus-user none |
diff --git a/etc/profile-m-z/virtualbox.profile b/etc/profile-m-z/virtualbox.profile index 6ab9aa15b..227ad83cc 100644 --- a/etc/profile-m-z/virtualbox.profile +++ b/etc/profile-m-z/virtualbox.profile | |||
@@ -45,7 +45,7 @@ tracelog | |||
45 | #disable-mnt | 45 | #disable-mnt |
46 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami | 46 | #private-bin awk,basename,bash,env,gawk,grep,ps,readlink,sh,virtualbox,VirtualBox,VBox*,vbox*,whoami |
47 | private-cache | 47 | private-cache |
48 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl | 48 | private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,pki,pulse,resolv.conf,ssl |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile index cb85836b7..1e3983f0e 100644 --- a/etc/profile-m-z/vmware.profile +++ b/etc/profile-m-z/vmware.profile | |||
@@ -38,6 +38,6 @@ tracelog | |||
38 | #disable-mnt | 38 | #disable-mnt |
39 | # Add the next line to your vmware.local to enable private-bin. | 39 | # Add the next line to your vmware.local to enable private-bin. |
40 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* | 40 | #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-* |
41 | private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix | 41 | private-etc alsa,alternatives,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix |
42 | dbus-user none | 42 | dbus-user none |
43 | dbus-system none | 43 | dbus-system none |
diff --git a/etc/profile-m-z/vscodium.profile b/etc/profile-m-z/vscodium.profile index a4a4fb7d8..9c0a887b2 100644 --- a/etc/profile-m-z/vscodium.profile +++ b/etc/profile-m-z/vscodium.profile | |||
@@ -1,4 +1,4 @@ | |||
1 | # Firejail profile alias for Visual Studio Code | 1 | # Firejail profile alias for VSCodium |
2 | # This file is overwritten after every install/update | 2 | # This file is overwritten after every install/update |
3 | # Persistent local customizations | 3 | # Persistent local customizations |
4 | include vscodium.local | 4 | include vscodium.local |
@@ -7,6 +7,8 @@ include vscodium.local | |||
7 | #include globals.local | 7 | #include globals.local |
8 | 8 | ||
9 | noblacklist ${HOME}/.VSCodium | 9 | noblacklist ${HOME}/.VSCodium |
10 | noblacklist ${HOME}/.config/VSCodium | ||
11 | noblacklist ${HOME}/.vscode-oss | ||
10 | 12 | ||
11 | # Redirect | 13 | # Redirect |
12 | include code.profile | 14 | include code.profile |
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile index 81c8a2f5c..c9e209142 100644 --- a/etc/profile-m-z/w3m.profile +++ b/etc/profile-m-z/w3m.profile | |||
@@ -62,7 +62,7 @@ disable-mnt | |||
62 | private-bin perl,sh,w3m | 62 | private-bin perl,sh,w3m |
63 | private-cache | 63 | private-cache |
64 | private-dev | 64 | private-dev |
65 | private-etc alternatives,ca-certificates,crypto-policies,mailcap,nsswitch.conf,pki,resolv.conf,ssl | 65 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,mailcap,nsswitch.conf,pki,resolv.conf,ssl |
66 | private-tmp | 66 | private-tmp |
67 | 67 | ||
68 | dbus-user none | 68 | dbus-user none |
diff --git a/etc/profile-m-z/warmux.profile b/etc/profile-m-z/warmux.profile index 92e0e7a83..0a6f19b1e 100644 --- a/etc/profile-m-z/warmux.profile +++ b/etc/profile-m-z/warmux.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin warmux | 49 | private-bin warmux |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc ca-certificates,crypto-policies,host.conf,hostname,hosts,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/warsow.profile b/etc/profile-m-z/warsow.profile index 5659ec69c..2f818b733 100644 --- a/etc/profile-m-z/warsow.profile +++ b/etc/profile-m-z/warsow.profile | |||
@@ -11,6 +11,9 @@ ignore noexec ${HOME} | |||
11 | noblacklist ${HOME}/.cache/warsow-2.1 | 11 | noblacklist ${HOME}/.cache/warsow-2.1 |
12 | noblacklist ${HOME}/.local/share/warsow-2.1 | 12 | noblacklist ${HOME}/.local/share/warsow-2.1 |
13 | 13 | ||
14 | # Allow /bin/sh (blacklisted by disable-shell.inc) | ||
15 | include allow-bin-sh.inc | ||
16 | |||
14 | include disable-common.inc | 17 | include disable-common.inc |
15 | include disable-devel.inc | 18 | include disable-devel.inc |
16 | include disable-exec.inc | 19 | include disable-exec.inc |
@@ -34,19 +37,18 @@ ipc-namespace | |||
34 | netfilter | 37 | netfilter |
35 | nodvd | 38 | nodvd |
36 | nogroups | 39 | nogroups |
37 | noinput | ||
38 | nonewprivs | 40 | nonewprivs |
39 | noroot | 41 | noroot |
40 | notv | 42 | notv |
41 | nou2f | 43 | nou2f |
42 | novideo | 44 | novideo |
43 | protocol unix,inet,inet6 | 45 | protocol unix,inet,inet6,netlink |
44 | seccomp | 46 | seccomp |
45 | shell none | 47 | shell none |
46 | tracelog | 48 | tracelog |
47 | 49 | ||
48 | disable-mnt | 50 | disable-mnt |
49 | private-bin warsow | 51 | private-bin basename,bash,dirname,sed,sh,uname,warsow |
50 | private-cache | 52 | private-cache |
51 | private-dev | 53 | private-dev |
52 | private-tmp | 54 | private-tmp |
diff --git a/etc/profile-m-z/whalebird.profile b/etc/profile-m-z/whalebird.profile index 2f26bf14c..92ebebdae 100644 --- a/etc/profile-m-z/whalebird.profile +++ b/etc/profile-m-z/whalebird.profile | |||
@@ -21,7 +21,7 @@ whitelist ${HOME}/.config/Whalebird | |||
21 | no3d | 21 | no3d |
22 | 22 | ||
23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird | 23 | private-bin electron,electron[0-9],electron[0-9][0-9],whalebird |
24 | private-etc fonts,machine-id | 24 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id |
25 | 25 | ||
26 | # Redirect | 26 | # Redirect |
27 | include electron.profile | 27 | include electron.profile |
diff --git a/etc/profile-m-z/whois.profile b/etc/profile-m-z/whois.profile index 755e62f60..afff6f587 100644 --- a/etc/profile-m-z/whois.profile +++ b/etc/profile-m-z/whois.profile | |||
@@ -47,7 +47,7 @@ private | |||
47 | private-bin bash,sh,whois | 47 | private-bin bash,sh,whois |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,hosts,jwhois.conf,resolv.conf,services,whois.conf | 50 | private-etc alternatives,hosts,jwhois.conf,ld.so.cache,ld.so.preload,resolv.conf,services,whois.conf |
51 | private-lib gconv | 51 | private-lib gconv |
52 | private-tmp | 52 | private-tmp |
53 | 53 | ||
diff --git a/etc/profile-m-z/wire-desktop.profile b/etc/profile-m-z/wire-desktop.profile index 151cd2adb..d8742cd71 100644 --- a/etc/profile-m-z/wire-desktop.profile +++ b/etc/profile-m-z/wire-desktop.profile | |||
@@ -26,7 +26,7 @@ mkdir ${HOME}/.config/Wire | |||
26 | whitelist ${HOME}/.config/Wire | 26 | whitelist ${HOME}/.config/Wire |
27 | 27 | ||
28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop | 28 | private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop |
29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl | 29 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,machine-id,pki,resolv.conf,ssl |
30 | 30 | ||
31 | # Redirect | 31 | # Redirect |
32 | include electron.profile | 32 | include electron.profile |
diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index b2f3341ee..3147c2ac3 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile | |||
@@ -45,7 +45,7 @@ private | |||
45 | private-bin wordwarvi | 45 | private-bin wordwarvi |
46 | private-cache | 46 | private-cache |
47 | private-dev | 47 | private-dev |
48 | private-etc alsa,asound.conf,machine-id,pulse | 48 | private-etc alsa,alternatives,asound.conf,ld.so.cache,ld.so.preload,machine-id,pulse |
49 | private-tmp | 49 | private-tmp |
50 | 50 | ||
51 | dbus-user none | 51 | dbus-user none |
diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index c9e408ccd..bb119996c 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile | |||
@@ -44,7 +44,7 @@ private | |||
44 | private-bin xbill | 44 | private-bin xbill |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc none | 47 | private-etc alternatives,ld.so.cache,ld.so.preload |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
50 | dbus-user none | 50 | dbus-user none |
diff --git a/etc/profile-m-z/xfce4-mixer.profile b/etc/profile-m-z/xfce4-mixer.profile index 05c46dffb..386ef2bd6 100644 --- a/etc/profile-m-z/xfce4-mixer.profile +++ b/etc/profile-m-z/xfce4-mixer.profile | |||
@@ -46,7 +46,7 @@ disable-mnt | |||
46 | private-bin xfce4-mixer,xfconf-query | 46 | private-bin xfce4-mixer,xfconf-query |
47 | private-cache | 47 | private-cache |
48 | private-dev | 48 | private-dev |
49 | private-etc alternatives,asound.conf,fonts,machine-id,pulse | 49 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id,pulse |
50 | private-tmp | 50 | private-tmp |
51 | 51 | ||
52 | dbus-user filter | 52 | dbus-user filter |
diff --git a/etc/profile-m-z/xfce4-screenshooter.profile b/etc/profile-m-z/xfce4-screenshooter.profile index b869ae005..d74ed5754 100644 --- a/etc/profile-m-z/xfce4-screenshooter.profile +++ b/etc/profile-m-z/xfce4-screenshooter.profile | |||
@@ -42,7 +42,7 @@ tracelog | |||
42 | disable-mnt | 42 | disable-mnt |
43 | private-bin xfce4-screenshooter,xfconf-query | 43 | private-bin xfce4-screenshooter,xfconf-query |
44 | private-dev | 44 | private-dev |
45 | private-etc ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,pki,resolv.conf,ssl | 45 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.preload,pki,resolv.conf,ssl |
46 | private-tmp | 46 | private-tmp |
47 | 47 | ||
48 | dbus-user none | 48 | dbus-user none |
diff --git a/etc/profile-m-z/xiphos.profile b/etc/profile-m-z/xiphos.profile index 070e5e0f7..c7fd0799b 100644 --- a/etc/profile-m-z/xiphos.profile +++ b/etc/profile-m-z/xiphos.profile | |||
@@ -47,5 +47,5 @@ disable-mnt | |||
47 | private-bin xiphos | 47 | private-bin xiphos |
48 | private-cache | 48 | private-cache |
49 | private-dev | 49 | private-dev |
50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,pki,resolv.conf,ssli,sword,sword.conf | 50 | private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.preload,pki,resolv.conf,ssli,sword,sword.conf |
51 | private-tmp | 51 | private-tmp |
diff --git a/etc/profile-m-z/xlinks.profile b/etc/profile-m-z/xlinks.profile index d5e25cfe7..404baf607 100644 --- a/etc/profile-m-z/xlinks.profile +++ b/etc/profile-m-z/xlinks.profile | |||
@@ -14,7 +14,7 @@ include whitelist-common.inc | |||
14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | 14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' |
15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | 15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line |
16 | private-bin xlinks | 16 | private-bin xlinks |
17 | private-etc fonts | 17 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include links.profile | 20 | include links.profile |
diff --git a/etc/profile-m-z/xlinks2 b/etc/profile-m-z/xlinks2 index 1ae6a60ca..d7edd3543 100644 --- a/etc/profile-m-z/xlinks2 +++ b/etc/profile-m-z/xlinks2 | |||
@@ -14,7 +14,7 @@ include whitelist-common.inc | |||
14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' | 14 | # if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' |
15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line | 15 | # to your xlinks.local or append 'PROGRAM1,PROGRAM2' to this private-bin line |
16 | private-bin xlinks2 | 16 | private-bin xlinks2 |
17 | private-etc fonts | 17 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
18 | 18 | ||
19 | # Redirect | 19 | # Redirect |
20 | include links2.profile | 20 | include links2.profile |
diff --git a/etc/profile-m-z/xmr-stak.profile b/etc/profile-m-z/xmr-stak.profile index 8179e8d76..e541436a4 100644 --- a/etc/profile-m-z/xmr-stak.profile +++ b/etc/profile-m-z/xmr-stak.profile | |||
@@ -38,7 +38,7 @@ disable-mnt | |||
38 | private ${HOME}/.xmr-stak | 38 | private ${HOME}/.xmr-stak |
39 | private-bin xmr-stak | 39 | private-bin xmr-stak |
40 | private-dev | 40 | private-dev |
41 | private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl | 41 | private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,nsswitch.conf,pki,resolv.conf,ssl |
42 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend | 42 | #private-lib libxmrstak_opencl_backend,libxmrstak_cuda_backend |
43 | private-opt cuda | 43 | private-opt cuda |
44 | private-tmp | 44 | private-tmp |
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile index 6ffe9ece9..7c2b38d1d 100644 --- a/etc/profile-m-z/xonotic.profile +++ b/etc/profile-m-z/xonotic.profile | |||
@@ -32,7 +32,6 @@ caps.drop all | |||
32 | netfilter | 32 | netfilter |
33 | nodvd | 33 | nodvd |
34 | nogroups | 34 | nogroups |
35 | noinput | ||
36 | nonewprivs | 35 | nonewprivs |
37 | noroot | 36 | noroot |
38 | notv | 37 | notv |
diff --git a/etc/profile-m-z/xournal.profile b/etc/profile-m-z/xournal.profile index e4282a125..a0e77b4e7 100644 --- a/etc/profile-m-z/xournal.profile +++ b/etc/profile-m-z/xournal.profile | |||
@@ -43,7 +43,7 @@ tracelog | |||
43 | private-bin xournal | 43 | private-bin xournal |
44 | private-cache | 44 | private-cache |
45 | private-dev | 45 | private-dev |
46 | private-etc alternatives,fonts,group,machine-id,passwd | 46 | private-etc alternatives,fonts,group,ld.so.cache,ld.so.preload,machine-id,passwd |
47 | # TODO should use private-lib | 47 | # TODO should use private-lib |
48 | private-tmp | 48 | private-tmp |
49 | 49 | ||
diff --git a/etc/profile-m-z/xreader.profile b/etc/profile-m-z/xreader.profile index f59adc6e2..8b880426f 100644 --- a/etc/profile-m-z/xreader.profile +++ b/etc/profile-m-z/xreader.profile | |||
@@ -39,7 +39,7 @@ tracelog | |||
39 | 39 | ||
40 | private-bin xreader,xreader-previewer,xreader-thumbnailer | 40 | private-bin xreader,xreader-previewer,xreader-thumbnailer |
41 | private-dev | 41 | private-dev |
42 | private-etc alternatives,fonts,ld.so.cache | 42 | private-etc alternatives,fonts,ld.so.cache,ld.so.preload |
43 | private-tmp | 43 | private-tmp |
44 | 44 | ||
45 | memory-deny-write-execute | 45 | memory-deny-write-execute |
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index 2a6dbe1bf..31a51b2c4 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile | |||
@@ -56,7 +56,7 @@ disable-mnt | |||
56 | private-bin groff,man,tbl,troff,yelp | 56 | private-bin groff,man,tbl,troff,yelp |
57 | private-cache | 57 | private-cache |
58 | private-dev | 58 | private-dev |
59 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml | 59 | private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml |
60 | private-tmp | 60 | private-tmp |
61 | 61 | ||
62 | dbus-user filter | 62 | dbus-user filter |
diff --git a/etc/profile-m-z/youtube-dl-gui.profile b/etc/profile-m-z/youtube-dl-gui.profile index 5d6fb47c1..94f37a92b 100644 --- a/etc/profile-m-z/youtube-dl-gui.profile +++ b/etc/profile-m-z/youtube-dl-gui.profile | |||
@@ -49,7 +49,7 @@ disable-mnt | |||
49 | private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui | 49 | private-bin atomicparsley,ffmpeg,ffprobe,python*,youtube-dl-gui |
50 | private-cache | 50 | private-cache |
51 | private-dev | 51 | private-dev |
52 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,locale,locale.conf,passwd,pki,resolv.conf,ssl | 52 | private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.preload,locale,locale.conf,passwd,pki,resolv.conf,ssl |
53 | private-tmp | 53 | private-tmp |
54 | 54 | ||
55 | dbus-user none | 55 | dbus-user none |
diff --git a/etc/profile-m-z/youtube-dl.profile b/etc/profile-m-z/youtube-dl.profile index 145e565fd..71e50ab11 100644 --- a/etc/profile-m-z/youtube-dl.profile +++ b/etc/profile-m-z/youtube-dl.profile | |||
@@ -58,7 +58,7 @@ tracelog | |||
58 | private-bin env,ffmpeg,python*,youtube-dl | 58 | private-bin env,ffmpeg,python*,youtube-dl |
59 | private-cache | 59 | private-cache |
60 | private-dev | 60 | private-dev |
61 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,mime.types,pki,resolv.conf,ssl,youtube-dl.conf | 61 | private-etc alternatives,ca-certificates,crypto-policies,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,pki,resolv.conf,ssl,youtube-dl.conf |
62 | private-tmp | 62 | private-tmp |
63 | 63 | ||
64 | dbus-user none | 64 | dbus-user none |
diff --git a/etc/profile-m-z/youtube-viewer.profile b/etc/profile-m-z/youtube-viewer.profile index b54dd37ad..825599fcc 100644 --- a/etc/profile-m-z/youtube-viewer.profile +++ b/etc/profile-m-z/youtube-viewer.profile | |||
@@ -18,4 +18,4 @@ whitelist ${HOME}/.config/youtube-viewer | |||
18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer | 18 | private-bin gtk-youtube-viewer,gtk2-youtube-viewer,gtk3-youtube-viewer,youtube-viewer |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
21 | include youtube-viewers-common.profile \ No newline at end of file | 21 | include youtube-viewers-common.profile |
diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index a05f05c51..80d551038 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile | |||
@@ -53,7 +53,7 @@ disable-mnt | |||
53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp | 53 | private-bin bash,ffmpeg,ffprobe,firefox,mpv,perl,python*,sh,smplayer,stty,wget,which,xterm,youtube-dl,yt-dlp |
54 | private-cache | 54 | private-cache |
55 | private-dev | 55 | private-dev |
56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg | 56 | private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,machine-id,mime.types,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl,X11,xdg |
57 | private-tmp | 57 | private-tmp |
58 | 58 | ||
59 | dbus-user none | 59 | dbus-user none |
diff --git a/etc/profile-m-z/youtube.profile b/etc/profile-m-z/youtube.profile index efb001ee6..5c4d697da 100644 --- a/etc/profile-m-z/youtube.profile +++ b/etc/profile-m-z/youtube.profile | |||
@@ -17,7 +17,7 @@ mkdir ${HOME}/.config/Youtube | |||
17 | whitelist ${HOME}/.config/Youtube | 17 | whitelist ${HOME}/.config/Youtube |
18 | 18 | ||
19 | private-bin electron,electron[0-9],electron[0-9][0-9],youtube | 19 | private-bin electron,electron[0-9],electron[0-9][0-9],youtube |
20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 20 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
21 | private-opt Youtube | 21 | private-opt Youtube |
22 | 22 | ||
23 | # Redirect | 23 | # Redirect |
diff --git a/etc/profile-m-z/youtubemusic-nativefier.profile b/etc/profile-m-z/youtubemusic-nativefier.profile index ce7161a70..2b5ffeaaf 100644 --- a/etc/profile-m-z/youtubemusic-nativefier.profile +++ b/etc/profile-m-z/youtubemusic-nativefier.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtubemusic-nativefier-040164 | |||
14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 | 14 | whitelist ${HOME}/.config/youtubemusic-nativefier-040164 |
15 | 15 | ||
16 | private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier | 16 | private-bin electron,electron[0-9],electron[0-9][0-9],youtubemusic-nativefier |
17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
18 | private-opt youtubemusic-nativefier | 18 | private-opt youtubemusic-nativefier |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
diff --git a/etc/profile-m-z/yt-dlp.profile b/etc/profile-m-z/yt-dlp.profile index 1c3382a08..88e7a0949 100644 --- a/etc/profile-m-z/yt-dlp.profile +++ b/etc/profile-m-z/yt-dlp.profile | |||
@@ -13,7 +13,7 @@ noblacklist ${HOME}/.config/yt-dlp | |||
13 | noblacklist ${HOME}/yt-dlp.conf | 13 | noblacklist ${HOME}/yt-dlp.conf |
14 | 14 | ||
15 | private-bin yt-dlp | 15 | private-bin yt-dlp |
16 | private-etc yt-dlp.conf | 16 | private-etc alternatives,ld.so.cache,ld.so.preload,yt-dlp.conf |
17 | 17 | ||
18 | # Redirect | 18 | # Redirect |
19 | include youtube-dl.profile | 19 | include youtube-dl.profile |
diff --git a/etc/profile-m-z/ytmdesktop.profile b/etc/profile-m-z/ytmdesktop.profile index ab46fccc2..59b6e2543 100644 --- a/etc/profile-m-z/ytmdesktop.profile +++ b/etc/profile-m-z/ytmdesktop.profile | |||
@@ -14,7 +14,7 @@ mkdir ${HOME}/.config/youtube-music-desktop-app | |||
14 | whitelist ${HOME}/.config/youtube-music-desktop-app | 14 | whitelist ${HOME}/.config/youtube-music-desktop-app |
15 | 15 | ||
16 | # private-bin env,ytmdesktop | 16 | # private-bin env,ytmdesktop |
17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg | 17 | private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg |
18 | # private-opt | 18 | # private-opt |
19 | 19 | ||
20 | # Redirect | 20 | # Redirect |
diff --git a/etc/profile-m-z/zulip.profile b/etc/profile-m-z/zulip.profile index 604da4c8e..8acfdd651 100644 --- a/etc/profile-m-z/zulip.profile +++ b/etc/profile-m-z/zulip.profile | |||
@@ -44,5 +44,5 @@ disable-mnt | |||
44 | private-bin locale,zulip | 44 | private-bin locale,zulip |
45 | private-cache | 45 | private-cache |
46 | private-dev | 46 | private-dev |
47 | private-etc asound.conf,fonts,machine-id | 47 | private-etc alternatives,asound.conf,fonts,ld.so.cache,ld.so.preload,machine-id |
48 | private-tmp | 48 | private-tmp |
diff --git a/etc/templates/profile.template b/etc/templates/profile.template index e580a0c0c..44197b547 100644 --- a/etc/templates/profile.template +++ b/etc/templates/profile.template | |||
@@ -116,6 +116,7 @@ include globals.local | |||
116 | #include disable-devel.inc | 116 | #include disable-devel.inc |
117 | #include disable-exec.inc | 117 | #include disable-exec.inc |
118 | #include disable-interpreters.inc | 118 | #include disable-interpreters.inc |
119 | #include disable-proc.inc | ||
119 | #include disable-programs.inc | 120 | #include disable-programs.inc |
120 | #include disable-shell.inc | 121 | #include disable-shell.inc |
121 | #include disable-write-mnt.inc | 122 | #include disable-write-mnt.inc |
@@ -204,7 +205,7 @@ include globals.local | |||
204 | 205 | ||
205 | # Since 0.9.63 also a more granular control of dbus is supported. | 206 | # Since 0.9.63 also a more granular control of dbus is supported. |
206 | # To get the dbus-addresses an application needs access to you can | 207 | # To get the dbus-addresses an application needs access to you can |
207 | # check with flatpak (when the application is distriputed that way): | 208 | # check with flatpak (when the application is distributed that way): |
208 | # flatpak remote-info --show-metadata flathub <APP-ID> | 209 | # flatpak remote-info --show-metadata flathub <APP-ID> |
209 | # Notes: | 210 | # Notes: |
210 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus | 211 | # - flatpak implicitly allows an app to own <APP-ID> on the session bus |