Diffstat (limited to 'etc')
-rw-r--r--etc/0ad.profile35
-rw-r--r--etc/Cyberfox.profile3
-rw-r--r--etc/Mathematica.profile13
-rw-r--r--etc/Telegram.profile2
-rw-r--r--etc/abrowser.profile52
-rw-r--r--etc/atom-beta.profile19
-rw-r--r--etc/atom.profile18
-rw-r--r--etc/atril.profile17
-rw-r--r--etc/audacious.profile17
-rw-r--r--etc/audacity.profile19
-rw-r--r--etc/aweather.profile25
-rw-r--r--etc/bitlbee.profile11
-rw-r--r--etc/brave.profile19
-rw-r--r--etc/cherrytree.profile24
-rw-r--r--etc/chromium.profile5
-rw-r--r--etc/clementine.profile17
-rw-r--r--etc/cmus.profile18
-rw-r--r--etc/conkeror.profile13
-rw-r--r--etc/corebird.profile12
-rw-r--r--etc/cpio.profile22
-rw-r--r--etc/cyberfox.profile51
-rw-r--r--etc/deadbeef.profile19
-rw-r--r--etc/default.profile15
-rw-r--r--etc/deluge.profile26
-rw-r--r--etc/dillo.profile23
-rw-r--r--etc/disable-common.inc144
-rw-r--r--etc/disable-devel.inc27
-rw-r--r--etc/disable-mgmt.inc17
-rw-r--r--etc/disable-passwdmgr.inc7
-rw-r--r--etc/disable-programs.inc129
-rw-r--r--etc/disable-secret.inc23
-rw-r--r--etc/disable-terminals.inc6
-rw-r--r--etc/dnscrypt-proxy.profile7
-rw-r--r--etc/dnsmasq.profile16
-rw-r--r--etc/dropbox.profile27
-rw-r--r--etc/empathy.profile12
-rw-r--r--etc/eom.profile20
-rw-r--r--etc/epiphany.profile16
-rw-r--r--etc/evince.profile21
-rw-r--r--etc/fbreader.profile22
-rw-r--r--etc/filezilla.profile20
-rw-r--r--etc/firefox-esr.profile2
-rw-r--r--etc/firefox.profile20
-rw-r--r--etc/firejail.config45
-rw-r--r--etc/flashpeak-slimjet.profile41
-rw-r--r--etc/franz.profile26
-rw-r--r--etc/generic.profile17
-rw-r--r--etc/gitter.profile18
-rw-r--r--etc/gnome-mplayer.profile19
-rw-r--r--etc/google-chrome-beta.profile5
-rw-r--r--etc/google-chrome-unstable.profile5
-rw-r--r--etc/google-chrome.profile5
-rw-r--r--etc/google-play-music-desktop-player.profile18
-rw-r--r--etc/gpredict.profile25
-rw-r--r--etc/gthumb.profile21
-rw-r--r--etc/gwenview.profile21
-rw-r--r--etc/gzip.profile8
-rw-r--r--etc/hedgewars.profile10
-rw-r--r--etc/hexchat.profile20
-rw-r--r--etc/icedove.profile20
-rw-r--r--etc/jitsi.profile16
-rw-r--r--etc/kmail.profile19
-rw-r--r--etc/konversation.profile12
-rw-r--r--etc/less.profile8
-rw-r--r--etc/libreoffice.profile19
-rw-r--r--etc/localc.profile5
-rw-r--r--etc/lodraw.profile5
-rw-r--r--etc/loffice.profile5
-rw-r--r--etc/lofromtemplate.profile5
-rw-r--r--etc/login.users2
-rw-r--r--etc/loimpress.profile5
-rw-r--r--etc/lomath.profile5
-rw-r--r--etc/loweb.profile5
-rw-r--r--etc/lowriter.profile5
-rw-r--r--etc/lxterminal.profile18
-rw-r--r--etc/mcabber.profile21
-rw-r--r--etc/midori.profile11
-rw-r--r--etc/mpv.profile18
-rw-r--r--etc/mupen64plus.profile15
-rw-r--r--etc/netsurf.profile32
-rw-r--r--etc/nolocal.net3
-rw-r--r--etc/okular.profile23
-rw-r--r--etc/openbox.profile11
-rw-r--r--etc/opera-beta.profile5
-rw-r--r--etc/opera.profile8
-rw-r--r--etc/palemoon.profile58
-rw-r--r--etc/parole.profile16
-rw-r--r--etc/pidgin.profile20
-rw-r--r--etc/pix.profile23
-rw-r--r--etc/polari.profile14
-rw-r--r--etc/psi-plus.profile27
-rw-r--r--etc/qbittorrent.profile23
-rw-r--r--etc/qtox.profile22
-rw-r--r--etc/quassel.profile12
-rw-r--r--etc/quiterss.profile32
-rw-r--r--etc/qutebrowser.profile23
-rw-r--r--etc/rhythmbox.profile23
-rw-r--r--etc/rtorrent.profile17
-rw-r--r--etc/seamonkey.profile21
-rw-r--r--etc/server.profile6
-rw-r--r--etc/skype.profile8
-rw-r--r--etc/snap.profile14
-rw-r--r--etc/soffice.profile5
-rw-r--r--etc/spotify.profile20
-rw-r--r--etc/ssh.profile13
-rw-r--r--etc/steam.profile9
-rw-r--r--etc/stellarium.profile29
-rw-r--r--etc/strings.profile8
-rw-r--r--etc/telegram.profile14
-rw-r--r--etc/thunderbird.profile35
-rw-r--r--etc/totem.profile19
-rw-r--r--etc/transmission-gtk.profile29
-rw-r--r--etc/transmission-qt.profile28
-rw-r--r--etc/uget-gtk.profile20
-rw-r--r--etc/unbound.profile7
-rw-r--r--etc/uudeview.profile13
-rw-r--r--etc/vivaldi.profile6
-rw-r--r--etc/vlc.profile24
-rw-r--r--etc/warzone2100.profile25
-rw-r--r--etc/weechat.profile15
-rw-r--r--etc/wesnoth.profile13
-rw-r--r--etc/whitelist-common.inc1
-rw-r--r--etc/wine.profile7
-rw-r--r--etc/xchat.profile14
-rw-r--r--etc/xplayer.profile21
-rw-r--r--etc/xreader.profile22
-rw-r--r--etc/xviewer.profile19
-rw-r--r--etc/xz.profile2
-rw-r--r--etc/xzdec.profile8
129 files changed, 1883 insertions, 538 deletions
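diff --git a/etc/0ad.profile b/etc/0ad.profile
new file mode 100644
index 000000000..11fb45463
--- /dev/null
+++ b/etc/0ad.profile
@@ -0,0 +1,35 @@
+# Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
+noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelists
+mkdir ~/.cache
+mkdir ~/.cache/0ad
+whitelist ~/.cache/0ad
+
+mkdir ~/.config
+mkdir ~/.config/0ad
+whitelist ~/.config/0ad
+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/0ad
+whitelist ~/.local/share/0ad
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+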
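Review bot: 0ad whitelists ~/.cache/0ad, ~/.config/0ad and ~/.local/share/0ad but never includes /etc/firejail/whitelist-common.inc, which the other whitelisting profiles in this commit (abrowser, cherrytree, cyberfox, dillo) pull in after their whitelist block; aweather.profile and brave.profile have the same gap. Once any `whitelist` line is present everything else under $HOME is hidden, so whatever whitelist-common.inc exposes (its content is not on this page) is missing for these three profiles — confirm that is intentional, or add `include /etc/firejail/whitelist-common.inc` after the last whitelist line. The trailing empty line 35 can also be dropped.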
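diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile
new file mode 100644
index 000000000..1f74606ce
--- /dev/null
+++ b/etc/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile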
diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile
index 73fb0c9e0..e719f070f 100644
--- a/etc/Mathematica.profile
+++ b/etc/Mathematica.profile
@@ -1,15 +1,20 @@
1# Mathematica profile 1# Mathematica profile
2noblacklist ${HOME}/.Mathematica
3noblacklist ${HOME}/.Wolfram Research
4
2mkdir ~/.Mathematica 5mkdir ~/.Mathematica
3whitelist ~/.Mathematica 6whitelist ~/.Mathematica
4mkdir ~/.Wolfram Research 7mkdir ~/.Wolfram Research
5whitelist ~/.Wolfram Research 8whitelist ~/.Wolfram Research
6whitelist ~/Documents/Wolfram Mathematica 9whitelist ~/Documents/Wolfram Mathematica
7include /etc/firejail/whitelist-common.inc 10include /etc/firejail/whitelist-common.inc
8include /etc/firejail/disable-mgmt.inc 11
9include /etc/firejail/disable-secret.inc
10include /etc/firejail/disable-common.inc 12include /etc/firejail/disable-common.inc
13include /etc/firejail/disable-programs.inc
11include /etc/firejail/disable-devel.inc 14include /etc/firejail/disable-devel.inc
12include /etc/firejail/disable-terminals.inc 15include /etc/firejail/disable-passwdmgr.inc
16
13caps.drop all 17caps.drop all
14seccomp 18nonewprivs
15noroot 19noroot
20seccomp
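diff --git a/etc/Telegram.profile b/etc/Telegram.profile
new file mode 100644
index 000000000..2e0f97821
--- /dev/null
+++ b/etc/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile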
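Review bot: The header comment `# Telegram IRC profile` on line 1 is wrong — Telegram is an instant messenger, not an IRC client — and it is the only documentation this two-line redirect file carries. Suggest `# Firejail profile for Telegram (redirects to telegram.profile)`, matching the wording Cyberfox.profile uses for the same kind of wrapper in this commit.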
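diff --git a/etc/abrowser.profile b/etc/abrowser.profile
new file mode 100644
index 000000000..65247e7d3
--- /dev/null
+++ b/etc/abrowser.profile
@@ -0,0 +1,52 @@
+# Firejail profile for Abrowser
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache
+mkdir ~/.cache/mozilla
+mkdir ~/.cache/mozilla/abrowser
+whitelist ~/.cache/mozilla/abrowser
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse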
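Review bot: Lines 36–40 whitelist the KeePassX and LastPass stores (`~/.keepassx`, `~/.config/keepassx`, `~/keepassx.kdbx`, `~/.lastpass`, `~/.config/lastpass`) into the browser sandbox, while disable-common.inc in this same commit blacklists `${HOME}/*.kdbx` and `${HOME}/*.kdb`, a separate disable-passwdmgr.inc exists that this profile does not include, and no matching `noblacklist` lines are present; cyberfox.profile carries the identical block. Whether a `whitelist` survives a `blacklist` of the same path without a `noblacklist` depends on the order firejail applies them, which cannot be confirmed from this page, so as written the entries are either ineffective or they deliberately expose password databases to the browser process — presumably for extension integration. Either way the trade-off should be explicit: a comment such as `# password-manager stores are exposed on purpose; remove these lines for a stricter sandbox` above line 36, plus the `noblacklist` lines if exposure is the intent. The double blank line at 41–42 is also the only one in the file.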
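diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile
new file mode 100644
index 000000000..3c753e86c
--- /dev/null
+++ b/etc/atom-beta.profile
@@ -0,0 +1,19 @@
+# Firjail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound
+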
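Review bot: The header comment on line 1 misspells the project name, `# Firjail profile for Atom Beta.`; atom.profile has the same typo on its line 1. Suggest `# Firejail profile for Atom Beta.` and `# Firejail profile for Atom.`. Both profiles enable `netfilter` but carry no `protocol` line, unlike every other network-enabled profile in this commit (0ad, audacious, brave, cmus all restrict to `protocol unix,inet,inet6` or a named superset); if Atom only needs TCP/IP, `protocol unix,inet,inet6` after `noroot` would close off the remaining socket families. atom-beta also ends in an empty line 19 that atom.profile does not have.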
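diff --git a/etc/atom.profile b/etc/atom.profile
new file mode 100644
index 000000000..8304cd379
--- /dev/null
+++ b/etc/atom.profile
@@ -0,0 +1,18 @@
+# Firjail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+nosound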
diff --git a/etc/atril.profile b/etc/atril.profile
index d87781c7d..bfe731bec 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -1,7 +1,20 @@
1# Atril profile 1# Atril profile
2noblacklist ~/.config/atril
3noblacklist ~/.local/share
4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
2include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
3include /etc/firejail/generic.profile 7include /etc/firejail/disable-passwdmgr.inc
4blacklist ${HOME}/.wine
5 8
9caps.drop all
10nonewprivs
11nogroups
12noroot
13nosound
14protocol unix
15seccomp
16shell none
6tracelog 17tracelog
7 18
19private-bin atril, atril-previewer, atril-thumbnailer
20private-dev
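Review bot: Line 3, `noblacklist ~/.local/share`, lifts the blacklist on the whole directory rather than on what atril needs; disable-common.inc in this commit blacklists `${HOME}/.local/share/systemd` and `${HOME}/.local/share/kwalletd` and marks `${HOME}/.local/share/applications` read-only, and if `noblacklist` matches by prefix (not confirmable from this page) those protections are lost inside this sandbox. Narrow it to the atril-specific subdirectory, or add a comment saying why the whole tree is required. Line 19, `private-bin atril, atril-previewer, atril-thumbnailer`, puts spaces after the commas whereas deluge.profile writes `private-bin deluge,sh,python,uname`; unless the parser trims whitespace the second and third names will not match, so `private-bin atril,atril-previewer,atril-thumbnailer` is the safe form.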
diff --git a/etc/audacious.profile b/etc/audacious.profile
index b9ce11c0e..e5275213c 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -1,16 +1,11 @@
1# Audacious media player profile 1# Audacious media player profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 6
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 7caps.drop all
13seccomp 8nonewprivs
14protocol unix,inet,inet6
15noroot 9noroot
16 10protocol unix,inet,inet6
11seccomp
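Review bot: The explicit `blacklist ${HOME}/.pki/nssdb`, `.lastpass`, `.keepassx`, `.password-store` and `.wine` lines are dropped in favour of disable-programs.inc and disable-passwdmgr.inc, but neither include is on this page, and the new "top secret" block in disable-common.inc lists `.cert`, `.gnupg` and `*.kdbx` without `.pki` or `.password-store`. Unless those two includes cover them, the NSS certificate/key database and the pass store become readable by the media player; the same removal is made in clementine.profile, deadbeef.profile and deluge.profile. Worth a check against disable-programs.inc and disable-passwdmgr.inc before merging, and a comment in disable-common.inc recording where `.pki` and `.password-store` are handled.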
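diff --git a/etc/audacity.profile b/etc/audacity.profile
new file mode 100644
index 000000000..162201cb8
--- /dev/null
+++ b/etc/audacity.profile
@@ -0,0 +1,19 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev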
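Review bot: Audacity gets `protocol unix` on line 13 but no network directive, so the sandbox still shares the host network namespace and relies on the `protocol` socket filter alone; cpio.profile in this commit uses `net none` for the same "no network" intent. If Audacity has no network feature worth preserving, adding `net none` after `caps.drop all` gives a second, independent layer. `private-bin audacity` may also be too narrow if the program spawns external encoders for export — that cannot be seen here, so a comment stating it was tested with exports would help.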
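diff --git a/etc/aweather.profile b/etc/aweather.profile
new file mode 100644
index 000000000..d617fb701
--- /dev/null
+++ b/etc/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev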
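Review bot: `protocol unix,inet,inet6,netlink` on line 19 grants netlink sockets, which among the new profiles only the browsers (abrowser, brave, cyberfox) and cherrytree request; a weather client that fetches data over TCP should not need them. Unless aweather is known to enumerate network interfaces, `protocol unix,inet,inet6` as in 0ad and cmus is the tighter choice, or a comment should say why netlink is required.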
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index ca9e87818..87d2e843a 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,11 +1,14 @@
1# BitlBee instant messaging profile 1# BitlBee instant messaging profile
2noblacklist /sbin 2noblacklist /sbin
3noblacklist /usr/sbin 3noblacklist /usr/sbin
4include /etc/firejail/disable-mgmt.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-programs.inc
7protocol unix,inet,inet6 6
7netfilter
8nonewprivs
8private 9private
9private-dev 10private-dev
11protocol unix,inet,inet6
10seccomp 12seccomp
11netfilter 13nosound
14read-write /var/lib/bitlbee
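Review bot: bitlbee is the only profile in this commit that ends up with neither `caps.drop all` nor `noroot`; the new lines add `netfilter`, `nonewprivs`, `nosound` and `read-write /var/lib/bitlbee` without touching that. If the omission is deliberate — for example because the daemon is started as root and switches to its own user, which a blanket `caps.drop all` would break — a comment next to `private` saying so would stop the next editor from "fixing" it; if not, `caps.drop all` belongs at the top of the hardening block as in every other profile here.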
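diff --git a/etc/brave.profile b/etc/brave.profile
new file mode 100644
index 000000000..4c42e9faa
--- /dev/null
+++ b/etc/brave.profile
@@ -0,0 +1,19 @@
+# Profile for Brave browser
+
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config
+mkdir ~/.config/brave
+whitelist ~/.config/brave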
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index d1e1c71d9..7b6238d98 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,8 +1,10 @@
1# cherrytree note taking application 1# cherrytree note taking application
2include /etc/firejail/disable-mgmt.inc 2noblacklist /usr/bin/python2*
3include /etc/firejail/disable-secret.inc 3noblacklist /usr/lib/python3*
4include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-passwdmgr.inc
6 8
7whitelist ${HOME}/cherrytree 9whitelist ${HOME}/cherrytree
8mkdir ~/.config 10mkdir ~/.config
@@ -11,11 +13,23 @@ whitelist ${HOME}/.config/cherrytree/
11mkdir ~/.local 13mkdir ~/.local
12mkdir ~/.local/share 14mkdir ~/.local/share
13whitelist ${HOME}/.local/share/ 15whitelist ${HOME}/.local/share/
16
14caps.drop all 17caps.drop all
18netfilter
19nonewprivs
20noroot
21nosound
15seccomp 22seccomp
16protocol unix,inet,inet6,netlink 23protocol unix,inet,inet6,netlink
17netfilter
18tracelog 24tracelog
19noroot 25
20include /etc/firejail/whitelist-common.inc 26include /etc/firejail/whitelist-common.inc
21nosound 27
28# no private-bin support for various reasons:
29#10:25:34 exec 11249 (root) NEW SANDBOX: /usr/bin/firejail /usr/bin/cherrytree
30#10:25:34 exec 11252 (netblue) /bin/bash -c "/usr/bin/cherrytree"
31#10:25:34 exec 11252 (netblue) /usr/bin/python /usr/bin/cherrytree
32#10:25:34 exec 11253 (netblue) sh -c /sbin/ldconfig -p 2>/dev/null
33#10:25:34 exec 11255 (netblue) sh -c if type gcc >/dev/null 2>&1; then CC=gcc; elif type cc >/dev/null 2>&1; then CC=cc;else exit 10; fi;LANG=C LC_ALL=C $CC -Wl,-t -o /tmp/tmpiYr44S 2>&1 -llibc
34# it requires acces to browser to show the online help
35# it doesn't play nicely with expect
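Review bot: The two new `noblacklist` lines on 2–3 are mismatched: `noblacklist /usr/bin/python2*` re-enables the Python 2 interpreter binary while `noblacklist /usr/lib/python3*` re-enables the Python 3 library tree, and the exec trace pasted on lines 29–33 shows cherrytree running under `/usr/bin/python`. Since disable-devel.inc in this commit comments out all of its Python blacklists, neither line has an effect today, but once those blacklists return the pair should cover one interpreter consistently, e.g. `noblacklist /usr/bin/python2*` and `noblacklist /usr/lib/python2*`. Line 34 also has a typo, `acces` → `access`.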
diff --git a/etc/chromium.profile b/etc/chromium.profile
index b58931b8d..7cf2853ca 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
@@ -1,11 +1,8 @@
1# Chromium browser profile 1# Chromium browser profile
2noblacklist ~/.config/chromium 2noblacklist ~/.config/chromium
3noblacklist ~/.cache/chromium 3noblacklist ~/.cache/chromium
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-programs.inc
9 6
10# chromium is distributed with a perl script on Arch 7# chromium is distributed with a perl script on Arch
11# include /etc/firejail/disable-devel.inc 8# include /etc/firejail/disable-devel.inc
diff --git a/etc/clementine.profile b/etc/clementine.profile
index 21b5a58ab..5ce085358 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,16 +1,11 @@
1# Clementine media player profile 1# Clementine media player profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-terminals.inc 3include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
8blacklist ${HOME}/.pki/nssdb 6
9blacklist ${HOME}/.lastpass
10blacklist ${HOME}/.keepassx
11blacklist ${HOME}/.password-store
12blacklist ${HOME}/.wine
13caps.drop all 7caps.drop all
14seccomp 8nonewprivs
15protocol unix,inet,inet6
16noroot 9noroot
10protocol unix,inet,inet6
11seccomp
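diff --git a/etc/cmus.profile b/etc/cmus.profile
new file mode 100644
index 000000000..2e2a6940c
--- /dev/null
+++ b/etc/cmus.profile
@@ -0,0 +1,18 @@
+# cmus profile
+noblacklist ${HOME}/.config/cmus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-bin cmus
+private-etc group
+shell none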
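Review bot: `private-etc group` on line 17 leaves only /etc/group inside the sandbox, yet the profile opens the network (`netfilter`, `protocol unix,inet,inet6`); with no resolv.conf, nsswitch.conf or hosts visible, name resolution for stream URLs will fail unless the resolver does not need them, which this page cannot show. If network playback is expected, extend the list along the lines of the commented-out `private-etc` in abrowser.profile, e.g. `private-etc group,hosts,nsswitch.conf,resolv.conf,asound.conf,pulse`; if cmus is meant to be local-only, `net none` is the more honest choice. `shell none` sits at the end of the file while the other profiles keep it in the hardening block after `seccomp`.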
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index 2d6323d3b..e82eeec4c 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,14 +1,15 @@
1# Firejail profile for Conkeror web browser profile 1# Firejail profile for Conkeror web browser profile
2noblacklist ${HOME}/.conkeror.mozdev.org 2noblacklist ${HOME}/.conkeror.mozdev.org
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-terminals.inc 4include /etc/firejail/disable-programs.inc
5
7caps.drop all 6caps.drop all
8seccomp
9protocol unix,inet,inet6
10netfilter 7netfilter
8nonewprivs
11noroot 9noroot
10protocol unix,inet,inet6
11seccomp
12
12whitelist ~/.conkeror.mozdev.org 13whitelist ~/.conkeror.mozdev.org
13whitelist ~/Downloads 14whitelist ~/Downloads
14whitelist ~/dwhelper 15whitelist ~/dwhelper
@@ -20,6 +21,4 @@ whitelist ~/.vimperator
20whitelist ~/.pentadactylrc 21whitelist ~/.pentadactylrc
21whitelist ~/.pentadactyl 22whitelist ~/.pentadactyl
22whitelist ~/.conkerorrc 23whitelist ~/.conkerorrc
23
24# common
25include /etc/firejail/whitelist-common.inc 24include /etc/firejail/whitelist-common.inc
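Review bot: `whitelist ~/Downloads` on line 14 hard-codes the directory name while the new profiles in this commit (abrowser, brave, cyberfox, dillo) use `whitelist ${DOWNLOADS}`; the line is unchanged by this hunk, but the surrounding rewrite was the natural place to align it. Suggest `whitelist ${DOWNLOADS}` so a non-default download directory is handled the same way across browsers.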
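diff --git a/etc/corebird.profile b/etc/corebird.profile
new file mode 100644
index 000000000..077ae30d0
--- /dev/null
+++ b/etc/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp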
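Review bot: `nonewprivs` is missing from the hardening block on lines 8–12; every other new profile in this commit places it directly after `netfilter`, and it is the directive that stops execve from granting extra privileges (setuid/setgid binaries) inside the sandbox, which `caps.drop all` and `noroot` do not cover by themselves. Add `nonewprivs` between `netfilter` and `noroot`. There is also no `noblacklist` for corebird's own configuration directory, so the profile depends on disable-programs.inc not blacklisting it — fine if true, but a comment would help since that file is not visible here.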
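diff --git a/etc/cpio.profile b/etc/cpio.profile
new file mode 100644
index 000000000..b4d232496
--- /dev/null
+++ b/etc/cpio.profile
@@ -0,0 +1,22 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+private-tmp
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+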
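Review bot: `net none` appears twice (lines 15 and 18) and the file ends in three empty lines 20–22; delete the duplicate and the trailing blanks. More importantly the hardening block has no `nonewprivs` and no `noroot`, which every other new profile here carries; if that is because cpio is run as root to build or unpack initramfs images (the header comment on lines 2–3 about /sbin and /boot hints at that) a comment should say so, otherwise both belong after `caps.drop all`. Ordering the block like the other profiles (`caps.drop all` first, then alphabetical) would also have made the duplicate obvious.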
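diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
new file mode 100644
index 000000000..afa77d1d4
--- /dev/null
+++ b/etc/cyberfox.profile
@@ -0,0 +1,51 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse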
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index ec9fcd0f0..04abd0a92 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,16 +1,13 @@
1# DeaDBeeF media player profile 1# DeaDBeeF media player profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ${HOME}/.config/deadbeef
3include /etc/firejail/disable-secret.inc 3
4include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 7include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 8
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 9caps.drop all
13seccomp 10nonewprivs
14protocol unix,inet,inet6
15noroot 11noroot
16 12protocol unix,inet,inet6
13seccomp
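diff --git a/etc/default.profile b/etc/default.profile
new file mode 100644
index 000000000..a2de72695
--- /dev/null
+++ b/etc/default.profile
@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp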
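Review bot: Line 8, `#blacklist ${HOME}/.wine`, is a commented-out directive with no explanation, and this same commit removes `blacklist ${HOME}/.wine` from disable-common.inc (old line 50) and from the audacious, clementine, deadbeef and deluge profiles. If ~/.wine is now covered by disable-programs.inc (not visible on this page) the dead line should go; if it is not, the default profile for generic GUI applications silently stops hiding Wine prefixes and the line should be uncommented. A one-line comment stating where `.wine` is handled would settle it for the next reader.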
diff --git a/etc/deluge.profile b/etc/deluge.profile
index bcd754952..8fde9acf9 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,19 +1,21 @@
1# deluge bittorernt client profile 1# deluge bittorrernt client profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-devel.inc 3include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-terminals.inc 4# deluge is using python on Debian
7blacklist ${HOME}/.pki/nssdb 5#include /etc/firejail/disable-devel.inc
8blacklist ${HOME}/.lastpass 6include /etc/firejail/disable-passwdmgr.inc
9blacklist ${HOME}/.keepassx 7
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 8caps.drop all
13seccomp
14protocol unix,inet,inet6
15netfilter 9netfilter
10nonewprivs
16noroot 11noroot
17nosound 12nosound
13protocol unix,inet,inet6
14seccomp
18 15
16shell none
17private-bin deluge,sh,python,uname
18whitelist /tmp/.X11-unix
19private-dev
20nosound
19 21
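Review bot: `nosound` is present twice on the new side (lines 12 and 20), and the header comment changes `bittorernt` to `bittorrernt`, which is still misspelled — `# deluge bittorrent client profile`. The comment on line 4 disables disable-devel.inc because deluge uses Python, but disable-devel.inc in this commit comments out all of its Python blacklists, so `include /etc/firejail/disable-devel.inc` could be restored here to keep compilers and debuggers out of the sandbox. The dropped `.pki/nssdb` and password-store blacklists are the same concern raised on audacious.profile.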
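diff --git a/etc/dillo.profile b/etc/dillo.profile
new file mode 100644
index 000000000..2ddd363cb
--- /dev/null
+++ b/etc/dillo.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Dillo web browser
+
+noblacklist ~/.dillo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.dillo
+whitelist ~/.dillo
+mkdir ~/.fltk
+whitelist ~/.fltk
+
+include /etc/firejail/whitelist-common.inc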
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 88ce42976..d18ee0287 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -1,53 +1,10 @@
1# various programs
2blacklist ${HOME}/.config/vlc
3
4# History files in $HOME 1# History files in $HOME
5blacklist-nolog ${HOME}/.history 2blacklist-nolog ${HOME}/.history
6blacklist-nolog ${HOME}/.*_history 3blacklist-nolog ${HOME}/.*_history
7 4blacklist ${HOME}/.local/share/systemd
8# HTTP / FTP / Mail
9blacklist-nolog ${HOME}/.adobe 5blacklist-nolog ${HOME}/.adobe
10blacklist-nolog ${HOME}/.macromedia 6blacklist-nolog ${HOME}/.macromedia
11blacklist ${HOME}/.icedove 7read-only ${HOME}/.local/share/applications
12blacklist ${HOME}/.thunderbird
13blacklist ${HOME}/.sylpheed-2.0
14blacklist ${HOME}/.config/midori
15
16blacklist ${HOME}/.mozilla
17blacklist ${HOME}/.config/chromium
18blacklist ${HOME}/.config/google-chrome
19blacklist ${HOME}/.config/google-chrome-beta
20blacklist ${HOME}/.config/google-chrome-unstable
21blacklist ${HOME}/.config/opera
22blacklist ${HOME}/.config/opera-beta
23blacklist ~/.config/vivaldi
24
25blacklist ${HOME}/.filezilla
26blacklist ${HOME}/.config/filezilla
27blacklist ${HOME}/.local/share/systemd
28
29# Instant Messaging
30blacklist ${HOME}/.config/hexchat
31blacklist ${HOME}/.mcabber
32blacklist ${HOME}/.purple
33blacklist ${HOME}/.config/psi+
34blacklist ${HOME}/.retroshare
35blacklist ${HOME}/.weechat
36blacklist ${HOME}/.config/xchat
37blacklist ${HOME}/.Skype
38
39# Cryptocoins
40blacklist ${HOME}/.*coin
41blacklist ${HOME}/.electrum*
42blacklist ${HOME}/wallet.dat
43
44# VNC
45blacklist ${HOME}/.remmina
46
47# Other
48blacklist ${HOME}/.tconn
49blacklist ${HOME}/.FBReader
50blacklist ${HOME}/.wine
51 8
52# X11 session autostart 9# X11 session autostart
53blacklist ${HOME}/.xinitrc 10blacklist ${HOME}/.xinitrc
@@ -63,16 +20,21 @@ blacklist ${HOME}/.config/lxsession/LXDE/autostart
63blacklist ${HOME}/.fluxbox/startup 20blacklist ${HOME}/.fluxbox/startup
64blacklist ${HOME}/.config/openbox/autostart 21blacklist ${HOME}/.config/openbox/autostart
65blacklist ${HOME}/.config/openbox/environment 22blacklist ${HOME}/.config/openbox/environment
23blacklist ${HOME}/.gnomerc
24blacklist /etc/X11/Xsession.d/
66 25
67# VirtualBox 26# VirtualBox
68blacklist ${HOME}/.VirtualBox 27blacklist ${HOME}/.VirtualBox
69blacklist ${HOME}/VirtualBox VMs 28blacklist ${HOME}/VirtualBox VMs
70blacklist ${HOME}/.config/VirtualBox 29blacklist ${HOME}/.config/VirtualBox
71 30
72# git, subversion 31# VeraCrypt
73blacklist ${HOME}/.subversion 32blacklist ${PATH}/veracrypt
74blacklist ${HOME}/.gitconfig 33blacklist ${PATH}/veracrypt-uninstall.sh
75blacklist ${HOME}/.git-credential-cache 34blacklist /usr/share/veracrypt
35blacklist /usr/share/applications/veracrypt.*
36blacklist /usr/share/pixmaps/veracrypt.*
37blacklist ${HOME}/.VeraCrypt
76 38
77# var 39# var
78blacklist /var/spool/cron 40blacklist /var/spool/cron
@@ -98,11 +60,15 @@ read-only ${HOME}/.xserverrc
98read-only ${HOME}/.profile 60read-only ${HOME}/.profile
99 61
100# Shell startup files 62# Shell startup files
63read-only ${HOME}/.antigen
101read-only ${HOME}/.bash_login 64read-only ${HOME}/.bash_login
102read-only ${HOME}/.bashrc 65read-only ${HOME}/.bashrc
103read-only ${HOME}/.bash_profile 66read-only ${HOME}/.bash_profile
104read-only ${HOME}/.bash_logout 67read-only ${HOME}/.bash_logout
68read-only ${HOME}/.zsh.d
69read-only ${HOME}/.zshenv
105read-only ${HOME}/.zshrc 70read-only ${HOME}/.zshrc
71read-only ${HOME}/.zshrc.local
106read-only ${HOME}/.zlogin 72read-only ${HOME}/.zlogin
107read-only ${HOME}/.zprofile 73read-only ${HOME}/.zprofile
108read-only ${HOME}/.zlogout 74read-only ${HOME}/.zlogout
@@ -110,8 +76,12 @@ read-only ${HOME}/.zsh_files
110read-only ${HOME}/.tcshrc 76read-only ${HOME}/.tcshrc
111read-only ${HOME}/.cshrc 77read-only ${HOME}/.cshrc
112read-only ${HOME}/.csh_files 78read-only ${HOME}/.csh_files
79read-only ${HOME}/.profile
113 80
114# Initialization files that allow arbitrary command execution 81# Initialization files that allow arbitrary command execution
82read-only ${HOME}/.caffrc
83read-only ${HOME}/.dotfiles
84read-only ${HOME}/dotfiles
115read-only ${HOME}/.mailcap 85read-only ${HOME}/.mailcap
116read-only ${HOME}/.exrc 86read-only ${HOME}/.exrc
117read-only ${HOME}/_exrc 87read-only ${HOME}/_exrc
@@ -121,22 +91,80 @@ read-only ${HOME}/.gvimrc
121read-only ${HOME}/_gvimrc 91read-only ${HOME}/_gvimrc
122read-only ${HOME}/.vim 92read-only ${HOME}/.vim
123read-only ${HOME}/.emacs 93read-only ${HOME}/.emacs
94read-only ${HOME}/.emacs.d
95read-only ${HOME}/.nano
124read-only ${HOME}/.tmux.conf 96read-only ${HOME}/.tmux.conf
125read-only ${HOME}/.iscreenrc 97read-only ${HOME}/.iscreenrc
126read-only ${HOME}/.muttrc 98read-only ${HOME}/.muttrc
127read-only ${HOME}/.mutt/muttrc 99read-only ${HOME}/.mutt/muttrc
100read-only ${HOME}/.msmtprc
101read-only ${HOME}/.reportbugrc
128read-only ${HOME}/.xmonad 102read-only ${HOME}/.xmonad
129read-only ${HOME}/.xscreensaver 103read-only ${HOME}/.xscreensaver
130 104
131# The user ~/bin directory can override commands such as ls 105# The user ~/bin directory can override commands such as ls
132read-only ${HOME}/bin 106read-only ${HOME}/bin
133 107
134# cache 108# top secret
135blacklist ~/.cache/mozilla 109blacklist ${HOME}/.ssh
136blacklist ~/.cache/chromium 110blacklist ${HOME}/.cert
137blacklist ~/.cache/google-chrome 111blacklist ${HOME}/.gnome2/keyrings
138blacklist ~/.cache/google-chrome-beta 112blacklist ${HOME}/.kde4/share/apps/kwallet
139blacklist ~/.cache/google-chrome-unstable 113blacklist ${HOME}/.kde/share/apps/kwallet
140blacklist ~/.cache/opera 114blacklist ${HOME}/.local/share/kwalletd
141blacklist ~/.cache/opera-beta 115blacklist ${HOME}/.config/keybase
142blacklist ~/.cache/vivaldi 116blacklist ${HOME}/.netrc
117blacklist ${HOME}/.gnupg
118blacklist ${HOME}/.caff
119blacklist ${HOME}/.smbcredentials
120blacklist ${HOME}/*.kdbx
121blacklist ${HOME}/*.kdb
122blacklist ${HOME}/*.key
123blacklist /etc/shadow
124blacklist /etc/gshadow
125blacklist /etc/passwd-
126blacklist /etc/group-
127blacklist /etc/shadow-
128blacklist /etc/gshadow-
129blacklist /etc/passwd+
130blacklist /etc/group+
131blacklist /etc/shadow+
132blacklist /etc/gshadow+
133blacklist /etc/ssh
134blacklist /var/backup
135
136# system management
137blacklist ${PATH}/umount
138blacklist ${PATH}/mount
139blacklist ${PATH}/fusermount
140blacklist ${PATH}/su
141blacklist ${PATH}/sudo
142blacklist ${PATH}/xinput
143blacklist ${PATH}/evtest
144blacklist ${PATH}/xev
145blacklist ${PATH}/strace
146blacklist ${PATH}/nc
147blacklist ${PATH}/ncat
148
149# system directories
150blacklist /sbin
151blacklist /usr/sbin
152blacklist /usr/local/sbin
153
154# prevent lxterminal connecting to an existing lxterminal session
155blacklist /tmp/.lxterminal-socket*
156
157# disable terminals running as server
158blacklist ${PATH}/gnome-terminal
159blacklist ${PATH}/gnome-terminal.wrapper
160blacklist ${PATH}/xfce4-terminal
161blacklist ${PATH}/xfce4-terminal.wrapper
162blacklist ${PATH}/mate-terminal
163blacklist ${PATH}/mate-terminal.wrapper
164blacklist ${PATH}/lilyterm
165blacklist ${PATH}/pantheon-terminal
166blacklist ${PATH}/roxterm
167blacklist ${PATH}/roxterm-config
168blacklist ${PATH}/terminix
169blacklist ${PATH}/urxvtc
170blacklist ${PATH}/urxvtcd
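Review bot: `read-only ${HOME}/.profile` is added at new line 79 although the same directive already stands at new line 60 (old line 98) — drop one of them. The "top secret" block merged from the deleted disable-secret.inc lists `.ssh`, `.cert`, `.gnupg`, `*.kdbx`, `*.kdb` and `*.key` but not `.pki` or `.password-store`, which the per-app profiles in this commit stop blacklisting individually (audacious, clementine, deadbeef, deluge); unless disable-passwdmgr.inc or disable-programs.inc carries them, those paths lose protection for every profile that relied on the old explicit lines. The `${HOME}/*.key`, `*.kdb` and `*.kdbx` globs match only the top level of $HOME, which is worth a comment so nobody assumes key files in subdirectories are covered. Since the new "system management" and "disable terminals running as server" sections replace disable-mgmt.inc and disable-terminals.inc, a header comment naming the merged files would help readers who still meet those includes in older profiles.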
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 65b31ba9b..963cf6da0 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -2,13 +2,20 @@
2 2
3# GCC 3# GCC
4blacklist /usr/include 4blacklist /usr/include
5blacklist /usr/lib/gcc
5blacklist /usr/bin/gcc* 6blacklist /usr/bin/gcc*
6blacklist /usr/bin/cpp* 7blacklist /usr/bin/cpp*
7blacklist /usr/bin/c9* 8blacklist /usr/bin/c9*
8blacklist /usr/bin/c8* 9blacklist /usr/bin/c8*
9blacklist /usr/bin/c++* 10blacklist /usr/bin/c++*
11blacklist /usr/bin/as
10blacklist /usr/bin/ld 12blacklist /usr/bin/ld
11blacklist /usr/bin/gdb 13blacklist /usr/bin/gdb
14blacklist /usr/bin/g++*
15blacklist /usr/bin/x86_64-linux-gnu-g++*
16blacklist /usr/bin/x86_64-linux-gnu-gcc*
17blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
18blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
12 19
13# clang/llvm 20# clang/llvm
14blacklist /usr/bin/clang* 21blacklist /usr/bin/clang*
@@ -16,6 +23,11 @@ blacklist /usr/bin/llvm*
16blacklist /usb/bin/lldb* 23blacklist /usb/bin/lldb*
17blacklist /usr/lib/llvm* 24blacklist /usr/lib/llvm*
18 25
26# tcc - Tiny C Compiler
27blacklist /usr/bin/tcc
28blacklist /usr/bin/x86_64-tcc
29blacklist /usr/lib/tcc
30
19# Valgrind 31# Valgrind
20blacklist /usr/bin/valgrind* 32blacklist /usr/bin/valgrind*
21blacklist /usr/lib/valgrind 33blacklist /usr/lib/valgrind
@@ -34,3 +46,18 @@ blacklist /usr/lib/php*
34# Ruby 46# Ruby
35blacklist /usr/bin/ruby 47blacklist /usr/bin/ruby
36blacklist /usr/lib/ruby 48blacklist /usr/lib/ruby
49
50# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
51# Python 2
52#blacklist /usr/bin/python2*
53#blacklist /usr/lib/python2*
54#blacklist /usr/local/lib/python2*
55#blacklist /usr/include/python2*
56#blacklist /usr/share/python2*
57#
58# Python 3
59#blacklist /usr/bin/python3*
60#blacklist /usr/lib/python3*
61#blacklist /usr/local/lib/python3*
62#blacklist /usr/share/python3*
63#blacklist /usr/include/python3*
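Review bot: The lldb entry in the second hunk is spelled `/usb/bin/lldb*`, so it blacklists a path that does not exist and lldb stays reachable inside the sandbox; it should read `blacklist /usr/bin/lldb*`. The line is untouched context, but since this commit is extending the clang/llvm block it is the right moment to fix it. The new toolchain-triplet entries cover only `x86_64-linux-gnu` and `x86_64-unknown-linux-gnu`, so the same compilers under other triplets (`i686-…`, `aarch64-…`) are presumably still reachable; a glob in the style the file already uses elsewhere (`${HOME}/*.kdbx`), e.g. `blacklist /usr/bin/*-linux-gnu-gcc*` and `blacklist /usr/bin/*-linux-gnu-g++*`, would close that more generally.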
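diff --git a/etc/disable-mgmt.inc b/etc/disable-mgmt.inc
deleted file mode 100644
index 0a11d6728..000000000
--- a/etc/disable-mgmt.inc
+++ /dev/null
@@ -1,17 +0,0 @@
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
-
-# system management
-blacklist ${PATH}/umount
-blacklist ${PATH}/mount
-blacklist ${PATH}/fusermount
-blacklist ${PATH}/su
-blacklist ${PATH}/sudo
-blacklist ${PATH}/xinput
-blacklist ${PATH}/evtest
-blacklist ${PATH}/xev
-blacklist ${PATH}/strace
-blacklist ${PATH}/nc
-blacklist ${PATH}/ncat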
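diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc
new file mode 100644
index 000000000..6db9073ab
--- /dev/null
+++ b/etc/disable-passwdmgr.inc
@@ -0,0 +1,7 @@
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+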
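Review bot: The new include blacklists `~/.lastpass` but not `~/.config/lastpass`, which flashpeak-slimjet.profile in this same commit whitelists as LastPass data; a profile that includes this file therefore still leaves that directory readable, so add `blacklist ${HOME}/.config/lastpass`. The `keepassx.kdbx` entry covers one fixed filename in `$HOME` only, whereas disable-common.inc uses `${HOME}/*.kdbx`; if the narrower match is intentional it deserves a comment. The file also has no header — since every profile in this commit places its `noblacklist` lines before the include, I would open with `# Password-manager databases and key stores. A profile that needs one must noblacklist it before including this file.`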
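diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
new file mode 100644
index 000000000..0f155351d
--- /dev/null
+++ b/etc/disable-programs.inc
@@ -0,0 +1,129 @@
+# various programs
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+
+# Media players
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
+
+# Cryptocoins
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/wallet.dat
+
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
+
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+
+# share
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix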
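Review bot: `blacklist ${HOME}/.local/share/steam` in the share section is lowercase; if Steam's data directory is `~/.local/share/Steam` (capital S, as on the installs I am aware of) this entry matches nothing on a case-sensitive filesystem and only `~/.steam` is actually blocked — please verify the real path. `blacklist ${HOME}/.Wolfram Research` contains an unquoted space; confirm the profile parser takes the rest of the line as the path rather than splitting on whitespace, since no other entry here depends on that. The file has no header, and every profile in this commit places its `noblacklist` lines before the include, so a one-line comment stating the convention (`# Per-program data directories. A profile must noblacklist its own entries before including this file.`) would help future editors.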
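diff --git a/etc/disable-secret.inc b/etc/disable-secret.inc
deleted file mode 100644
index 7d29cda31..000000000
--- a/etc/disable-secret.inc
+++ /dev/null
@@ -1,23 +0,0 @@
-# HOME directory
-blacklist ${HOME}/.ssh
-blacklist ${HOME}/.gnome2/keyrings
-blacklist ${HOME}/kde4/share/apps/kwallet
-blacklist ${HOME}/kde/share/apps/kwallet
-blacklist ${HOME}/.local/share/kwalletd
-blacklist ${HOME}/.netrc
-blacklist ${HOME}/.gnupg
-blacklist ${HOME}/*.kdbx
-blacklist ${HOME}/*.kdb
-blacklist ${HOME}/*.key
-blacklist /etc/shadow
-blacklist /etc/gshadow
-blacklist /etc/passwd-
-blacklist /etc/group-
-blacklist /etc/shadow-
-blacklist /etc/gshadow-
-blacklist /etc/passwd+
-blacklist /etc/group+
-blacklist /etc/shadow+
-blacklist /etc/gshadow+
-blacklist /etc/ssh
-blacklist /var/backup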
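diff --git a/etc/disable-terminals.inc b/etc/disable-terminals.inc
deleted file mode 100644
index 9631e7f62..000000000
--- a/etc/disable-terminals.inc
+++ /dev/null
@@ -1,6 +0,0 @@
-# disable terminals running as server
-blacklist ${PATH}/lxterminal
-blacklist ${PATH}/gnome-terminal
-blacklist ${PATH}/gnome-terminal.wrapper
-blacklist ${PATH}/xfce4-terminal
-blacklist ${PATH}/xfce4-terminal.wrapper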
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 0bc7ac78e..90c244e03 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -1,12 +1,13 @@
1# security profile for dnscrypt-proxy 1# security profile for dnscrypt-proxy
2noblacklist /sbin 2noblacklist /sbin
3noblacklist /usr/sbin 3noblacklist /usr/sbin
4include /etc/firejail/disable-mgmt.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-secret.inc 7include /etc/firejail/disable-passwdmgr.inc
8include /etc/firejail/disable-terminals.inc 8
9private 9private
10private-dev 10private-dev
11nosound
11seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open 12seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
12 13
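Review bot: The new side keeps the hand-written `seccomp.drop` list (which names `perf_event_open` twice) but still has no `nonewprivs`, `caps` or `protocol` line, while dnsmasq.profile added in the same commit — a comparable network daemon — gets `caps`, `netfilter`, `nonewprivs`, `protocol unix,inet,inet6,netlink` and plain `seccomp`. Unless dnscrypt-proxy needs a syscall the default filter blocks, I would align the two: `caps`, `nonewprivs`, `protocol unix,inet,inet6` and `seccomp`, dropping the duplicate entry. If the custom list is deliberate, a comment saying why would stop the next reader from "simplifying" it.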
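diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
new file mode 100644
index 000000000..1c01d44e4
--- /dev/null
+++ b/etc/dnsmasq.profile
@@ -0,0 +1,16 @@
+# dnsmasq profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps
+netfilter
+nonewprivs
+private
+private-dev
+nosound
+protocol unix,inet,inet6,netlink
+seccomp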
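Review bot: `caps` on line 9 keeps firejail's default capability set, which is broader than a DNS/DHCP daemon needs once its sockets are bound; dnsmasq typically needs only `net_bind_service`, `net_admin`/`net_raw` for DHCP, and `setuid`/`setgid` to drop to its own user, so `caps.keep net_bind_service,net_admin,net_raw,setgid,setuid` would be tighter — verify against your dnsmasq configuration, since a DNS-only setup needs even less. The profile also leaves `/tmp` shared; `private-tmp` (as gzip.profile in this commit uses) costs nothing for a daemon.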
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 9d2c612de..71e019f8c 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -1,15 +1,22 @@
1# dropbox profile 1# dropbox profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ~/.config/autostart
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-terminals.inc 4include /etc/firejail/disable-programs.inc
6blacklist ${HOME}/.pki/nssdb 5include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.lastpass 6
8blacklist ${HOME}/.keepassx
9blacklist ${HOME}/.password-store
10blacklist ${HOME}/.wine
11caps 7caps
12seccomp 8nonewprivs
13protocol unix,inet,inet6
14noroot 9noroot
10protocol unix,inet,inet6
11seccomp
12
13mkdir ~/Dropbox
14whitelist ~/Dropbox
15mkdir ~/.dropbox
16whitelist ~/.dropbox
17mkdir ~/.dropbox-dist
18whitelist ~/.dropbox-dist
15 19
20mkdir ~/.config/autostart
21mkfile ~/.config/autostart/dropbox.desktop
22whitelist ~/.config/autostart/dropbox.desktop
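Review bot: Lines 19–22 give the sandboxed Dropbox process write access to `~/.config/autostart/dropbox.desktop` (created with `mkfile`, then whitelisted after `noblacklist ~/.config/autostart`). That file is executed by the desktop session at login, outside any sandbox, so a compromised Dropbox can rewrite its `Exec=` line and escape at the next login. If the entry must stay writable for Dropbox's own "start on login" toggle, document the trade-off in a comment next to the whitelist; otherwise add `read-only ~/.config/autostart/dropbox.desktop` after the whitelist so the sandbox can read but not modify it (confirm `read-only` is honoured after `whitelist` in this firejail version). Line 7 is also plain `caps` rather than the `caps.drop all` the other desktop-application profiles in this commit use.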
diff --git a/etc/empathy.profile b/etc/empathy.profile
index adaf03e23..371100814 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -1,12 +1,10 @@
1# Empathy instant messaging profile 1# Empathy instant messaging profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5
7blacklist ${HOME}/.wine
8caps.drop all 6caps.drop all
9seccomp
10protocol unix,inet,inet6
11netfilter 7netfilter
12 8nonewprivs
9protocol unix,inet,inet6
10seccomp
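Review bot: The new include list drops `disable-secret.inc` but does not add `disable-passwdmgr.inc`, unlike the other non-browser profiles updated here (evince, fbreader, gnome-mplayer, gitter); an IM client has no reason to read `~/.pki/nssdb` or the KeePassX/LastPass stores, so add `include /etc/firejail/disable-passwdmgr.inc`. The profile also lacks `noroot`, which gitter.profile — the closest comparable messaging profile in this commit — enables; unless Empathy is known to misbehave under a user namespace, `noroot` belongs here too.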
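diff --git a/etc/eom.profile b/etc/eom.profile
new file mode 100644
index 000000000..81d993e96
--- /dev/null
+++ b/etc/eom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev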
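Review bot: Unlike gthumb.profile and evince.profile in this commit, eom.profile has no `whitelist /tmp/.X11-unix`, so the sandbox sees all of `/tmp` instead of just the X socket; add `whitelist /tmp/.X11-unix` next to `private-dev` (or `private-tmp`, if this firejail version's private tmp still exposes the X11 socket — verify). With `protocol unix` the viewer cannot open network sockets anyway, so `net none` would be consistent and removes the need to think about netfilter; leave it out only if eom is expected to open remote locations through GVfs.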
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index c7031da71..57191429a 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -1,9 +1,12 @@
1# Epiphany browser profile 1# Epiphany browser profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ${HOME}/.config/epiphany
3include /etc/firejail/disable-secret.inc 3noblacklist ${HOME}/.cache/epiphany
4noblacklist ${HOME}/.local/share/epiphany
5
4include /etc/firejail/disable-common.inc 6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 8include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 9
7whitelist ${DOWNLOADS} 10whitelist ${DOWNLOADS}
8mkdir ${HOME}/.local 11mkdir ${HOME}/.local
9mkdir ${HOME}/.local/share 12mkdir ${HOME}/.local/share
@@ -16,8 +19,9 @@ mkdir ${HOME}/.cache
16mkdir ${HOME}/.cache/epiphany 19mkdir ${HOME}/.cache/epiphany
17whitelist ${HOME}/.cache/epiphany 20whitelist ${HOME}/.cache/epiphany
18include /etc/firejail/whitelist-common.inc 21include /etc/firejail/whitelist-common.inc
22
19caps.drop all 23caps.drop all
20seccomp
21protocol unix,inet,inet6
22netfilter 24netfilter
23 25nonewprivs
26protocol unix,inet,inet6
27seccomp
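Review bot: The reordered option block in the second hunk adds `nonewprivs`, but the browser profile still has no `noroot`, which firefox.profile and franz.profile in this same commit enable for comparable network-facing GUI applications; add `noroot` after `nonewprivs` unless Epiphany is known to misbehave under a user namespace — worth a quick test. The whitelist/mkdir section of the profile lies between the two hunks and is outside the visible diff.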
diff --git a/etc/evince.profile b/etc/evince.profile
index 81878462b..530ce959a 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -1,17 +1,18 @@
1# evince pdf reader profile 1# evince pdf reader profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 6
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 7caps.drop all
13seccomp 8nonewprivs
14protocol unix,inet,inet6 9nogroups
15noroot 10noroot
16nosound 11nosound
12protocol unix
13seccomp
17 14
15shell none
16private-bin evince,evince-previewer,evince-thumbnailer
17whitelist /tmp/.X11-unix
18private-dev
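Review bot: The new `protocol unix` line already denies inet sockets, but the profile has no `net none`; for a PDF viewer — the canonical target for malicious documents — `net none` (as gzip.profile in this commit uses) is the stronger and simpler statement and makes the absence of `netfilter` irrelevant. Leave it out only if evince must open remote documents through GVfs in your setup, and say so in a comment. As a style nit, `private-dev` on the last line sits after the `whitelist` rather than with the other `private-*` options.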
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 4ed942138..de31ce8de 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -1,19 +1,21 @@
1# fbreader ebook reader profile 1# fbreader ebook reader profile
2noblacklist ${HOME}/.FBReader 2noblacklist ${HOME}/.FBReader
3include /etc/firejail/disable-mgmt.inc 3
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 7include /etc/firejail/disable-passwdmgr.inc
8blacklist ${HOME}/.pki/nssdb 8
9blacklist ${HOME}/.lastpass
10blacklist ${HOME}/.keepassx
11blacklist ${HOME}/.password-store
12blacklist ${HOME}/.wine
13caps.drop all 9caps.drop all
14seccomp
15protocol unix,inet,inet6
16netfilter 10netfilter
11nonewprivs
17noroot 12noroot
18nosound 13nosound
14protocol unix,inet,inet6
15seccomp
19 16
17shell none
18private-bin fbreader,FBReader
19whitelist /tmp/.X11-unix
20private-dev
21nosound
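Review bot: `nosound` appears twice on the new side (line 13 and again as the last line 21); one of them should go — harmless, but it suggests the tail was pasted from a template. The profile keeps `protocol unix,inet,inet6` and `netfilter` while evince.profile in the same commit drops inet entirely; if that is for FBReader's network library, a one-line comment (`# network kept for the OPDS/library download feature`) would stop it being read as an oversight.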
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 0eabf9a88..551c17a78 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -1,18 +1,22 @@
1# FileZilla ftp profile 1# FileZilla ftp profile
2noblacklist ${HOME}/.filezilla 2noblacklist ${HOME}/.filezilla
3noblacklist ${HOME}/.config/filezilla 3noblacklist ${HOME}/.config/filezilla
4include /etc/firejail/disable-mgmt.inc 4
5include /etc/firejail/disable-secret.inc
6include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-terminals.inc 8
9blacklist ${HOME}/.wine
10caps.drop all 9caps.drop all
11seccomp
12protocol unix,inet,inet6
13noroot
14netfilter 10netfilter
11nonewprivs
12noroot
15nosound 13nosound
14protocol unix,inet,inet6
15seccomp
16 16
17 17shell none
18private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
19whitelist /tmp/.X11-unix
20private-dev
21nosound
18 22
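Review bot: `nosound` is listed twice on the new side (lines 13 and 21). More importantly, the include list still lacks `disable-passwdmgr.inc`, which every other non-browser profile touched in this commit gained; FileZilla's own state lives under `~/.filezilla` and `~/.config/filezilla`, both already `noblacklist`ed, and it has no reason to read `~/.pki/nssdb` or the KeePassX/LastPass stores, so add `include /etc/firejail/disable-passwdmgr.inc`. `private-bin` also ships `sh` and `python` into the sandbox; if those exist only for the `fzsftp`/`fzputtygen` helpers or a distro launcher script, a comment saying which would keep someone from trimming them later.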
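diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile
new file mode 100644
index 000000000..d2fde9a3f
--- /dev/null
+++ b/etc/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile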
diff --git a/etc/firefox.profile b/etc/firefox.profile
index b06dfa6da..2cc4d3cd8 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -2,19 +2,17 @@
2 2
3noblacklist ~/.mozilla 3noblacklist ~/.mozilla
4noblacklist ~/.cache/mozilla 4noblacklist ~/.cache/mozilla
5noblacklist ~/keepassx.kdbx
6include /etc/firejail/disable-mgmt.inc
7include /etc/firejail/disable-secret.inc
8include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
9include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
10include /etc/firejail/disable-terminals.inc
11 8
12caps.drop all 9caps.drop all
13seccomp
14protocol unix,inet,inet6,netlink
15netfilter 10netfilter
16tracelog 11nonewprivs
17noroot 12noroot
13protocol unix,inet,inet6,netlink
14seccomp
15tracelog
18 16
19whitelist ${DOWNLOADS} 17whitelist ${DOWNLOADS}
20mkdir ~/.mozilla 18mkdir ~/.mozilla
@@ -43,14 +41,12 @@ whitelist ~/.config/lastpass
43 41
44 42
45#silverlight 43#silverlight
46whitelist ~/.wine-pipelight 44whitelist ~/.wine-pipelight
47whitelist ~/.wine-pipelight64 45whitelist ~/.wine-pipelight64
48whitelist ~/.config/pipelight-widevine 46whitelist ~/.config/pipelight-widevine
49whitelist ~/.config/pipelight-silverlight5.1 47whitelist ~/.config/pipelight-silverlight5.1
50 48
51include /etc/firejail/whitelist-common.inc 49include /etc/firejail/whitelist-common.inc
52 50
53# experimental features 51# experimental features
54#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse 52#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
55
56
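Review bot: The first hunk removes `noblacklist ~/keepassx.kdbx`, but the new disable-common.inc in this commit blacklists `${HOME}/*.kdbx`, and this very profile shows that a `noblacklist` is required ahead of a `whitelist` for paths that the includes block (`~/.mozilla`, `~/.cache/mozilla`). So if the part of the profile between the two hunks still whitelists `~/keepassx.kdbx` — the second hunk's header shows the `whitelist ~/.config/lastpass` block survives, and flashpeak-slimjet.profile in this commit whitelists `~/keepassx.kdbx` — that whitelist is now dead and KeePassX browser integration silently loses the database. Either restore `noblacklist ~/keepassx.kdbx` next to its whitelist or drop the whitelist as well and note the intent in a comment; the whitelist section itself is outside the visible hunks, so please verify.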
diff --git a/etc/firejail.config b/etc/firejail.config
index 19525c942..20c4d7a5f 100644
--- a/etc/firejail.config
+++ b/etc/firejail.config
@@ -3,28 +3,59 @@
3# Most features are enabled by default. Use 'yes' or 'no' as configuration 3# Most features are enabled by default. Use 'yes' or 'no' as configuration
4# values. 4# values.
5 5
6# Enable or disable seccomp support, default enabled. 6# Enable or disable bind support, default enabled.
7# seccomp yes 7# bind yes
8 8
9# Enable or disable chroot support, default enabled. 9# Enable or disable chroot support, default enabled.
10# chroot yes 10# chroot yes
11 11
12# Enable or disable bind support, default enabled. 12# Enable or disable file transfer support, default enabled.
13# bind yes 13# file-transfer yes
14
15# Force use of nonewprivs. This mitigates the possibility of
16# a user abusing firejail's features to trick a privileged (suid
17# or file capabilities) process into loading code or configuration
18# that is partially under their control. Default disabled
19# force-nonewprivs no
14 20
15# Enable or disable networking features, default enabled. 21# Enable or disable networking features, default enabled.
16# network yes 22# network yes
17 23
18# Enable or disable restricted network support, default disabled. If enabled, 24# Enable or disable restricted network support, default disabled. If enabled,
19# networking features (network yes) above should also be enabled. 25# networking features should also be enabled (network yes).
26# Restricted networking grants access to --interface, --net=ethXXX and
27# --netfilter only to root user. Regular users are only allowed --net=none.
20# restricted-network no 28# restricted-network no
21 29
30# Change default netfilter configuration. When using --netfilter option without
31# a file argument, the default filter is hardcoded (see man 1 firejail). This
32# configuration entry allows the user to change the default by specifying
33# a file containing the filter configuration. The filter file format is the
34# format of iptables-save and iptable-restore commands. Example:
35# netfilter-default /etc/iptables.iptables.rules
36
37# Enable or disable seccomp support, default enabled.
38# seccomp yes
39
22# Enable or disable user namespace support, default enabled. 40# Enable or disable user namespace support, default enabled.
23# userns yes 41# userns yes
24 42
43# Enable or disable whitelisting support, default enabled.
44# whitelist yes
45
25# Enable or disable X11 sandboxing support, default enabled. 46# Enable or disable X11 sandboxing support, default enabled.
26# x11 yes 47# x11 yes
27 48
28# Enable or disable file transfer support, default enabled. 49# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
29# file-transfer yes 50# a full list of resolutions available on your specific setup.
51# xephyr-screen 640x480
52# xephyr-screen 800x600
53# xephyr-screen 1024x768
54# xephyr-screen 1280x1024
55
56# Firejail window title in Xephyr, default enabled.
57# xephyr-window-title yes
30 58
59# Xephyr command extra parameters. None by default, and the declaration is commented out.
60# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
61# xephyr-extra-params -grayscale
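Review bot: The `netfilter-default` example path `/etc/iptables.iptables.rules` looks like a typo for `/etc/iptables/iptables.rules`; since the filter is presumably applied with firejail's elevated privileges, the comment should also state that the file must be root-owned and not writable by regular users. The `force-nonewprivs` description could name its main user-visible effect: with no_new_privs set, setuid binaries inside the sandbox no longer elevate, so enabling it breaks sandboxed programs that rely on `sudo`, `su` or setuid helpers — `# Note: setuid binaries inside the sandbox stop working when this is enabled.`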
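diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile
new file mode 100644
index 000000000..f248c385a
--- /dev/null
+++ b/etc/flashpeak-slimjet.profile
@@ -0,0 +1,41 @@
+# SlimJet browser profile
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#
+# firejail flashpeak-slimjet --no-sandbox
+#
+noblacklist ~/.config/slimjet
+noblacklist ~/.cache/slimjet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/slimjet
+whitelist ~/.config/slimjet
+mkdir ~/.cache
+mkdir ~/.cache/slimjet
+whitelist ~/.cache/slimjet
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc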
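Review bot: The header records that the browser runs with `--no-sandbox` but not what that costs: without Chromium's internal sandbox every renderer process has the same access as the browser, so a single renderer compromise reaches everything this profile whitelists — including `~/.pki`, `~/keepassx.kdbx`, `~/.lastpass` and `~/.config/lastpass` — and firejail's sandbox does not restore that per-site isolation. I would extend the header with `# NOTE: --no-sandbox removes Chromium's per-renderer isolation; firejail only confines the browser as a whole, so the whitelisted password stores are exposed to any compromised tab.` and consider shipping the password-manager whitelists commented out so users opt in knowingly.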
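diff --git a/etc/franz.profile b/etc/franz.profile
new file mode 100644
index 000000000..fc4a665de
--- /dev/null
+++ b/etc/franz.profile
@@ -0,0 +1,26 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+#tracelog
+nonewprivs
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc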
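Review bot: `#tracelog` on line 12 is commented out with no reason given, and the option block is not in the alphabetical order the other new profiles in this commit use; if tracelog is off because it breaks Franz or is too noisy, say so in place: `#tracelog  # disabled: <reason>`. Otherwise the next editor will either re-enable it blindly or assume it was forgotten.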
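diff --git a/etc/generic.profile b/etc/generic.profile
deleted file mode 100644
index 5618a555e..000000000
--- a/etc/generic.profile
+++ /dev/null
@@ -1,17 +0,0 @@
-################################
-# Generic GUI application profile
-################################
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-terminals.inc
-blacklist ${HOME}/.pki/nssdb
-blacklist ${HOME}/.lastpass
-blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.password-store
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-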
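diff --git a/etc/gitter.profile b/etc/gitter.profile
new file mode 100644
index 000000000..2882c59a6
--- /dev/null
+++ b/etc/gitter.profile
@@ -0,0 +1,18 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin gitter
+private-dev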
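Review bot: `private-bin gitter` together with `shell none` assumes `/usr/bin/gitter` is a native executable; if the package instead installs a shell launcher script (common for Electron-based desktop clients), the sandbox has no `sh` to run it and the app fails to start — please check the launcher and add `sh` plus whatever it calls to `private-bin` if so. A `mkdir`/`whitelist ~/.config/Gitter` block as in franz.profile would also restrict the home directory rather than only un-blacklisting that one path.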
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 8062c859a..1caea177d 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,15 +1,14 @@
1# GNOME MPlayer profile 1# GNOME MPlayer profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 6
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 7caps.drop all
13seccomp 8nonewprivs
14protocol unix,inet,inet6
15noroot 9noroot
10protocol unix,inet,inet6
11seccomp
12
13shell none
14private-bin gnome-mplayer
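Review bot: `private-bin gnome-mplayer` on the new last line ships only the GTK front end; GNOME MPlayer plays media by spawning the external `mplayer` binary, so with `private-bin` in effect playback will fail unless it is listed — change it to `private-bin gnome-mplayer,mplayer` (add `mplayer2` or `mpv` if your build is configured to use them). With `shell none` also set, any helper GNOME MPlayer launches through a shell would need listing too.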
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 3396585eb..11f9f9e33 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,11 +1,8 @@
1# Google Chrome beta browser profile 1# Google Chrome beta browser profile
2noblacklist ~/.config/google-chrome-beta 2noblacklist ~/.config/google-chrome-beta
3noblacklist ~/.cache/google-chrome-beta 3noblacklist ~/.cache/google-chrome-beta
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-programs.inc
9 6
10# chromium is distributed with a perl script on Arch 7# chromium is distributed with a perl script on Arch
11# include /etc/firejail/disable-devel.inc 8# include /etc/firejail/disable-devel.inc
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index ed4332862..f253e5a90 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
@@ -1,11 +1,8 @@
1# Google Chrome unstable browser profile 1# Google Chrome unstable browser profile
2noblacklist ~/.config/google-chrome-unstable 2noblacklist ~/.config/google-chrome-unstable
3noblacklist ~/.cache/google-chrome-unstable 3noblacklist ~/.cache/google-chrome-unstable
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-programs.inc
9 6
10# chromium is distributed with a perl script on Arch 7# chromium is distributed with a perl script on Arch
11# include /etc/firejail/disable-devel.inc 8# include /etc/firejail/disable-devel.inc
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index 985af38eb..5e168aae5 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,11 +1,8 @@
1# Google Chrome browser profile 1# Google Chrome browser profile
2noblacklist ~/.config/google-chrome 2noblacklist ~/.config/google-chrome
3noblacklist ~/.cache/google-chrome 3noblacklist ~/.cache/google-chrome
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
8include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-programs.inc
9 6
10# chromium is distributed with a perl script on Arch 7# chromium is distributed with a perl script on Arch
11# include /etc/firejail/disable-devel.inc 8# include /etc/firejail/disable-devel.inc
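Review bot: Removing `noblacklist ~/keepassx.kdbx` (old line 4) while the new disable-common.inc blacklists `${HOME}/*.kdbx` means that if the rest of this profile still whitelists `~/keepassx.kdbx` — as flashpeak-slimjet.profile added in this commit does, and as the retained `noblacklist ~/.config/google-chrome` lines show is required ahead of a whitelist — the KeePassX database is now blocked and browser integration silently loses it. Either restore the `noblacklist` beside the whitelist or remove the whitelist too and state the intent in a comment. The same applies to google-chrome-beta.profile and google-chrome-unstable.profile; the whitelist section of each profile is outside the visible hunk.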
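diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
new file mode 100644
index 000000000..b4cf8d9ac
--- /dev/null
+++ b/etc/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player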
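Review bot: `whitelist ~/.config/Google Play Music Desktop Player` on the last line is not preceded by `mkdir ~/.config` and `mkdir ~/.config/Google Play Music Desktop Player`, unlike the other whitelisted profiles in this commit (franz, gpredict, slimjet); if the directory does not exist yet there is nothing to bind and the player's first-run settings land in the private home and are lost. The path also contains unquoted spaces — confirm the profile parser takes the rest of the line as one path, since this profile is the first here to depend on that. The commented `~/.pulse`/`~/.config/pulse` whitelists would benefit from a one-line note on why they are off.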
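diff --git a/etc/gpredict.profile b/etc/gpredict.profile
new file mode 100644
index 000000000..02bb4d24d
--- /dev/null
+++ b/etc/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev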
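Review bot: This is a whitelisted profile (`whitelist ~/.config/Gpredict`) but, unlike franz, hedgewars and flashpeak-slimjet in this commit, it does not end with `include /etc/firejail/whitelist-common.inc`; whatever that include grants is not visible here, so either add it or comment that its omission is intentional. `${DOWNLOADS}` is likewise not whitelisted, which is fine if gpredict only writes TLE updates into its own config directory — a one-line comment would make that explicit.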
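diff --git a/etc/gthumb.profile b/etc/gthumb.profile
new file mode 100644
index 000000000..3c02576aa
--- /dev/null
+++ b/etc/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+whitelist /tmp/.X11-unix
+private-dev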
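diff --git a/etc/gwenview.profile b/etc/gwenview.profile
new file mode 100644
index 000000000..67f10c4e1
--- /dev/null
+++ b/etc/gwenview.profile
@@ -0,0 +1,21 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+nogroups
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11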
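diff --git a/etc/gzip.profile b/etc/gzip.profile
new file mode 100644
index 000000000..cc19e7608
--- /dev/null
+++ b/etc/gzip.profile
@@ -0,0 +1,8 @@
+# gzip profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound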
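Review bot: `private-tmp` on line 7 replaces /tmp with an empty mount, so `gzip /tmp/foo` or `gunzip` of a file that some other tool dropped under /tmp fails with "No such file or directory" inside the jail, and nothing tells the user that the sandbox is the cause. For a pure stream filter like gzip, `net none` and `private-dev` carry the security value; reading files wherever the user points is part of the tool's job, so the /tmp restriction deserves a comment if it is intentional, e.g. `# private-tmp: files under /tmp are not reachable from inside the jail`. The same eight lines are repeated verbatim in less.profile in this commit; a shared include would keep them in step.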
diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile
index ab0e067c7..c5d863bd5 100644
--- a/etc/hedgewars.profile
+++ b/etc/hedgewars.profile
@@ -1,18 +1,18 @@
1# whitelist profile for Hedgewars (game) 1# whitelist profile for Hedgewars (game)
2noblacklist ${HOME}/.hedgewars
2 3
3include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-mgmt.inc 7include /etc/firejail/disable-passwdmgr.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-terminals.inc
8 8
9caps.drop all 9caps.drop all
10nonewprivs
10noroot 11noroot
11private-dev 12private-dev
12whitelist /tmp/.X11-unix
13seccomp 13seccomp
14tracelog 14tracelog
15netfilter
16 15
17mkdir ~/.hedgewars 16mkdir ~/.hedgewars
18whitelist ~/.hedgewars 17whitelist ~/.hedgewars
18include /etc/firejail/whitelist-common.inc
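Review bot: The rewritten profile drops the old `netfilter` line and still carries no `protocol` directive, so the network-enabled game process keeps access to every socket family the kernel offers (raw/packet, netlink and the rest), whereas the other network profiles in this commit pin `protocol unix,inet,inet6`. Adding `protocol unix,inet,inet6` and restoring `netfilter` next to `seccomp` brings it in line; `nosound` would obviously be wrong for a game and should stay out. If dropping `netfilter` was deliberate (it only takes effect together with --net), a one-line comment would stop the next reviewer from re-adding it.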
diff --git a/etc/hexchat.profile b/etc/hexchat.profile
index 8f9e71b44..4e829c379 100644
--- a/etc/hexchat.profile
+++ b/etc/hexchat.profile
@@ -1,11 +1,21 @@
1# HexChat instant messaging profile 1# HexChat instant messaging profile
2noblacklist ${HOME}/.config/hexchat 2noblacklist ${HOME}/.config/hexchat
3include /etc/firejail/disable-mgmt.inc 3noblacklist /usr/lib/python2*
4include /etc/firejail/disable-secret.inc 4noblacklist /usr/lib/python3*
5include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 8
8caps.drop all 9caps.drop all
9seccomp 10nonewprivs
10protocol unix,inet,inet6
11noroot 11noroot
12netfilter
13protocol unix,inet,inet6
14seccomp
15
16mkdir ~/.config
17mkdir ~/.config/hexchat
18whitelist ~/.config/hexchat
19include /etc/firejail/whitelist-common.inc
20
21# private-bin requires perl, python, etc.
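Review bot: `noblacklist /usr/lib/python2*` and `/usr/lib/python3*` on lines 3-4 re-expose the full Python runtime to a client that parses untrusted IRC traffic, presumably to undo a blacklist in disable-devel.inc so HexChat's Python plugin loader works; that is a defensible trade-off, but stated nowhere, a future reader will see it as a leak. A comment above them such as `# python plugin interface; widens what an exploit inside the jail can execute` records the intent. The closing remark on line 21 could likewise name the interpreters `private-bin` would need instead of "etc.", since that is the information someone enabling it will look for.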
diff --git a/etc/icedove.profile b/etc/icedove.profile
index 057e0c9ef..e9a63c8dd 100644
--- a/etc/icedove.profile
+++ b/etc/icedove.profile
@@ -1,3 +1,19 @@
1# Firejail profile for Mozilla Thunderbird (Icedove in Debian) 1# Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
2include /etc/firejail/thunderbird.profile 2# Users have icedove set to open a browser by clicking a link in an email
3# We are not allowed to blacklist browser-specific directories
4
5noblacklist ~/.gnupg
6mkdir ~/.gnupg
7whitelist ~/.gnupg
8
9noblacklist ~/.icedove
10mkdir ~/.icedove
11whitelist ~/.icedove
12
13noblacklist ~/.cache/icedove
14mkdir ~/.cache
15mkdir ~/.cache/icedove
16whitelist ~/.cache/icedove
17
18include /etc/firejail/firefox.profile
3 19
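Review bot: `whitelist ~/.gnupg` (line 7) gives the mail client read-write access to the entire keyring — secret keys, trustdb and gpg.conf — and it is combined with `include /etc/firejail/firefox.profile` (line 18), which, going by the sibling browser profiles in this commit, whitelists the browser's data directories and the lastpass/keepassx stores as well. That is a considerably larger surface than the previous `include thunderbird.profile`, and the only rationale recorded (lines 2-3) is that users open links from mail. Please extend the header to say why the whole browser profile is inherited and why all of ~/.gnupg, not a narrower subset, must be writable (Enigmail is the obvious reason, but it should be written down), and note that `mkdir ~/.gnupg` creates the directory even for users who never use gpg. The intent is documentation, not removal of the gnupg access.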
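diff --git a/etc/jitsi.profile b/etc/jitsi.profile
new file mode 100644
index 000000000..8baf1ad94
--- /dev/null
+++ b/etc/jitsi.profile
@@ -0,0 +1,16 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+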
diff --git a/etc/kmail.profile b/etc/kmail.profile
index ca29675a0..44a53e258 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -1,20 +1,15 @@
1# kmail profile 1# kmail profile
2noblacklist ${HOME}/.gnupg 2noblacklist ${HOME}/.gnupg
3include /etc/firejail/disable-mgmt.inc 3
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 7include /etc/firejail/disable-passwdmgr.inc
8blacklist ${HOME}/.pki/nssdb 8
9blacklist ${HOME}/.lastpass
10blacklist ${HOME}/.keepassx
11blacklist ${HOME}/.password-store
12blacklist ${HOME}/.wine
13caps.drop all 9caps.drop all
14seccomp
15protocol unix,inet,inet6,netlink
16netfilter 10netfilter
11nonewprivs
17noroot 12noroot
13protocol unix,inet,inet6,netlink
14seccomp
18tracelog 15tracelog
19
20
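diff --git a/etc/konversation.profile b/etc/konversation.profile
new file mode 100644
index 000000000..190061618
--- /dev/null
+++ b/etc/konversation.profile
@@ -0,0 +1,12 @@
+# Firejail konversation profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6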
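Review bot: `nonewprivs` is missing from this new profile, while every comparable new network-client profile in this commit (qtox, pix, mcabber, quiterss) sets it next to `noroot`; without it a setuid helper reachable from the jail can still regain the privileges `caps.drop all` took away. Add `nonewprivs` after `netfilter` on line 9. `shell none` and `tracelog`, used by most of the other new profiles here, are worth considering too, with a comment if they are left out because Konversation's helper scripts need a shell.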
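diff --git a/etc/less.profile b/etc/less.profile
new file mode 100644
index 000000000..0c43111d7
--- /dev/null
+++ b/etc/less.profile
@@ -0,0 +1,8 @@
+# less profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound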
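Review bot: `shell none` on line 5 only changes how firejail launches `less`; it does nothing about less's own `!command` and `|` escapes, which still exec /bin/sh from inside the jail with whatever /bin contains. If the point of sandboxing a pager is to contain it while it shows untrusted files, the escapes have to be handled separately — `private-bin less` leaves no shell to exec, or, if this firejail version supports the `env` directive, `env LESSSECURE=1` makes less itself refuse them. Independently, `private-tmp` hides any file under /tmp the user asks less to display; a comment is warranted if that is intended.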
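diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
new file mode 100644
index 000000000..77a00ebef
--- /dev/null
+++ b/etc/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+private-dev
+whitelist /tmp/.X11-unix/
+nosound
+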
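Review bot: `whitelist /tmp/.X11-unix/` on line 17 switches /tmp into whitelist mode, so a document that a mail client or browser writes under /tmp before invoking soffice is invisible in the sandbox and the open fails silently — one of the most common ways office files are launched. If the goal is only to keep other users' sockets out of reach, `private-tmp` expresses that; either way the line needs a comment like `# only the X socket is visible under /tmp; documents must live elsewhere`. Leaving out `shell none`/`private-bin` is understandable given LibreOffice's helper binaries and could be noted as deliberate.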
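diff --git a/etc/localc.profile b/etc/localc.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+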
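diff --git a/etc/lodraw.profile b/etc/lodraw.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+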
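diff --git a/etc/loffice.profile b/etc/loffice.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+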
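diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+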
diff --git a/etc/login.users b/etc/login.users
index 5d5969091..bc6ac4b09 100644
--- a/etc/login.users
+++ b/etc/login.users
@@ -7,7 +7,7 @@
7# 7#
8# For example: 8# For example:
9# 9#
10# netblue:--debug --net=none 10# netblue:--net=none --protocol=unix
11# 11#
12# The extra arguments are inserted into program command line if firejail 12# The extra arguments are inserted into program command line if firejail
13# was started as a login shell. 13# was started as a login shell.
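diff --git a/etc/loimpress.profile b/etc/loimpress.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+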
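diff --git a/etc/lomath.profile b/etc/lomath.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+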
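diff --git a/etc/loweb.profile b/etc/loweb.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+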
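diff --git a/etc/lowriter.profile b/etc/lowriter.profile
new file mode 100644
index 000000000..fecd08822
--- /dev/null
+++ b/etc/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+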
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index a614a8dbf..d1d0b8a0d 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,19 +1,11 @@
1# lxterminal (LXDE) profile 1# lxterminal (LXDE) profile
2 2
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
6blacklist ${HOME}/.pki/nssdb 4include /etc/firejail/disable-programs.inc
7blacklist ${HOME}/.lastpass 5include /etc/firejail/disable-passwdmgr.inc
8blacklist ${HOME}/.keepassx 6
9blacklist ${HOME}/.password-store
10caps.drop all 7caps.drop all
11seccomp
12protocol unix,inet,inet6
13netfilter 8netfilter
14 9protocol unix,inet,inet6
10seccomp
15#noroot - somehow this breaks on Debian Jessie! 11#noroot - somehow this breaks on Debian Jessie!
16
17# lxterminal is a single-instence program
18# blacklist any existing lxterminal socket in order to force a second process instance
19blacklist /tmp/.lxterminal-socket*
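Review bot: The three lines removed at the end of the old profile (`blacklist /tmp/.lxterminal-socket*` and its explanatory comment) were a security control, not clutter: lxterminal is single-instance, and when the socket of an already running, unsandboxed lxterminal is reachable, `firejail lxterminal` just asks that instance for a new tab and the sandbox is never entered. Unless the socket is now hidden somewhere else (disable-common.inc also changes in this commit, but its contents are not visible here), the blacklist should be restored together with its comment. The `#noroot` workaround on line 11 still says only that it "breaks on Debian Jessie"; a note on what breaks would let it be re-enabled once Jessie is gone.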
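diff --git a/etc/mcabber.profile b/etc/mcabber.profile
new file mode 100644
index 000000000..48b46dba0
--- /dev/null
+++ b/etc/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound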
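Review bot: `private-etc null` on line 18 leaves the sandbox with an /etc containing only `null` (presumably not a real file), so `resolv.conf`, `nsswitch.conf`, `hosts`, the `ssl`/`ca-certificates` tree and `localtime` are all gone — name resolution and TLS certificate verification of the XMPP server cannot work, which fails closed if certificate checking is on and silently removes the check if it is off. Unless an empty /etc really is the intent, something like `private-etc passwd,group,hosts,nsswitch.conf,resolv.conf,ssl,ca-certificates,localtime` is needed, adjusted to where the target distribution keeps its CA bundle. `protocol inet,inet6` without `unix` also blocks local sockets, which is fine if mcabber opens none, but a comment saying that was checked would help.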
diff --git a/etc/midori.profile b/etc/midori.profile
index e46a6baa2..046c45d94 100644
--- a/etc/midori.profile
+++ b/etc/midori.profile
@@ -1,12 +1,13 @@
1# Midori browser profile 1# Midori browser profile
2noblacklist ${HOME}/.config/midori 2noblacklist ${HOME}/.config/midori
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 5include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 6
8caps.drop all 7caps.drop all
9seccomp
10protocol unix,inet,inet6
11netfilter 8netfilter
9nonewprivs
10# noroot - noroot break midori on Ubuntu 14.04
11protocol unix,inet,inet6
12seccomp
12 13
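diff --git a/etc/mpv.profile b/etc/mpv.profile
new file mode 100644
index 000000000..80f8de54a
--- /dev/null
+++ b/etc/mpv.profile
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7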
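Review bot: `private-bin mpv,youtube-dl,python2.7` (line 18) only works if youtube-dl's shebang resolves inside the private /bin: upstream youtube-dl starts with `#!/usr/bin/env python`, which needs both `env` and a plain `python` name, neither of which is listed, so youtube-dl would fail to start in the jail while mpv itself keeps working — the `# to test` marker on line 16 suggests this has not been exercised yet. If that is confirmed on the target distribution, `private-bin mpv,youtube-dl,env,python,python2.7` (or a comment naming the distribution-specific interpreter) should replace the line. Either way the `# to test` marker should be turned into a real statement of what is known to work before this ships.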
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index 239ab3a80..d4b442df8 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -1,10 +1,13 @@
1# mupen64plus profile 1# mupen64plus profile
2# manually whitelist ROM files 2# manually whitelist ROM files
3include /etc/firejail/disable-mgmt.inc 3noblacklist ${HOME}/.config/mupen64plus
4include /etc/firejail/disable-secret.inc 4noblacklist ${HOME}/.local/share/mupen64plus
5
5include /etc/firejail/disable-common.inc 6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 8include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 9include /etc/firejail/disable-passwdmgr.inc
10
8mkdir ${HOME}/.local 11mkdir ${HOME}/.local
9mkdir ${HOME}/.local/share 12mkdir ${HOME}/.local/share
10mkdir ${HOME}/.local/share/mupen64plus 13mkdir ${HOME}/.local/share/mupen64plus
@@ -12,7 +15,9 @@ whitelist ${HOME}/.local/share/mupen64plus/
12mkdir ${HOME}/.config 15mkdir ${HOME}/.config
13mkdir ${HOME}/.config/mupen64plus 16mkdir ${HOME}/.config/mupen64plus
14whitelist ${HOME}/.config/mupen64plus/ 17whitelist ${HOME}/.config/mupen64plus/
15noroot 18
16caps.drop all 19caps.drop all
17seccomp
18net none 20net none
21nonewprivs
22noroot
23seccomp
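diff --git a/etc/netsurf.profile b/etc/netsurf.profile
new file mode 100644
index 000000000..3de6be238
--- /dev/null
+++ b/etc/netsurf.profile
@@ -0,0 +1,32 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc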
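Review bot: Lines 25-30 whitelist the KeePassX database (`~/keepassx.kdbx`, `~/.keepassx`) and the LastPass directories read-write into a browser sandbox; that block was carried over from the Firefox profile, where browser extensions need it, but NetSurf has no extension mechanism that talks to either manager as far as I know, so these lines hand the password store to the browser for no benefit. Drop them (and include disable-passwdmgr.inc like the other new profiles in this commit) unless there is a concrete integration, in which case name it in the comment above the block. The header on line 1 is also a copy-paste leftover and should read `# Firejail profile for NetSurf`.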
diff --git a/etc/nolocal.net b/etc/nolocal.net
index 9c0c6e125..9fa785450 100644
--- a/etc/nolocal.net
+++ b/etc/nolocal.net
@@ -4,7 +4,8 @@
4:OUTPUT ACCEPT [0:0] 4:OUTPUT ACCEPT [0:0]
5 5
6################################################################### 6###################################################################
7# Client filter rejecting local network traffic, with the exception of DNS traffic 7# Client filter rejecting local network traffic, with the exception of
8# DNS traffic
8# 9#
9# Usage: 10# Usage:
10# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox 11# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
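diff --git a/etc/okular.profile b/etc/okular.profile
new file mode 100644
index 000000000..c9c342b15
--- /dev/null
+++ b/etc/okular.profile
@@ -0,0 +1,23 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11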
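diff --git a/etc/openbox.profile b/etc/openbox.profile
new file mode 100644
index 000000000..f812768a1
--- /dev/null
+++ b/etc/openbox.profile
@@ -0,0 +1,11 @@
+#######################################
+# OpenBox window manager profile
+# - all applications started in OpenBox will run in this profile
+#######################################
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp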
diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile
index 91eb10787..3d6edb286 100644
--- a/etc/opera-beta.profile
+++ b/etc/opera-beta.profile
@@ -1,12 +1,9 @@
1# Opera-beta browser profile 1# Opera-beta browser profile
2noblacklist ~/.config/opera-beta 2noblacklist ~/.config/opera-beta
3noblacklist ~/.cache/opera-beta 3noblacklist ~/.cache/opera-beta
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-terminals.inc
10 7
11netfilter 8netfilter
12 9
diff --git a/etc/opera.profile b/etc/opera.profile
index 08bbd5a06..ff00eb349 100644
--- a/etc/opera.profile
+++ b/etc/opera.profile
@@ -1,12 +1,10 @@
1# Opera browser profile 1# Opera browser profile
2noblacklist ~/.config/opera 2noblacklist ~/.config/opera
3noblacklist ~/.cache/opera 3noblacklist ~/.cache/opera
4noblacklist ~/keepassx.kdbx 4noblacklist ~/.opera
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-terminals.inc
10 8
11netfilter 9netfilter
12 10
@@ -17,6 +15,8 @@ whitelist ~/.config/opera
17mkdir ~/.cache 15mkdir ~/.cache
18mkdir ~/.cache/opera 16mkdir ~/.cache/opera
19whitelist ~/.cache/opera 17whitelist ~/.cache/opera
18mkdir ~/.opera
19whitelist ~/.opera
20mkdir ~/.pki 20mkdir ~/.pki
21whitelist ~/.pki 21whitelist ~/.pki
22include /etc/firejail/whitelist-common.inc 22include /etc/firejail/whitelist-common.inc
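diff --git a/etc/palemoon.profile b/etc/palemoon.profile
new file mode 100644
index 000000000..302c20d7d
--- /dev/null
+++ b/etc/palemoon.profile
@@ -0,0 +1,58 @@
+# Firejail profile for Pale Moon
+noblacklist ~/.moonchild productions/pale moon
+noblacklist ~/.cache/moonchild productions/pale moon
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache
+mkdir ~/.cache/moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin palemoon
+
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)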
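Review bot: The commented `private-etc` list on line 57 still names `iceweasel,firefox` rather than any Pale Moon directory — a leftover from the Firefox profile this was copied from that will mislead whoever enables it; either remove those two entries or replace them with Pale Moon's own /etc path if one exists. Also, `whitelist ~/.moonchild productions` (line 11) is wider than the `noblacklist` on line 2 (`~/.moonchild productions/pale moon`), so anything else under that vendor directory that disable-programs.inc hides stays hidden while the rest is exposed; harmless as far as I can tell, but `whitelist ~/.moonchild productions/pale moon` (with a matching `mkdir`) would make the two lines agree.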
diff --git a/etc/parole.profile b/etc/parole.profile
index fd49bcf07..1440a9ef7 100644
--- a/etc/parole.profile
+++ b/etc/parole.profile
@@ -1,18 +1,16 @@
1# Profile for Parole, the default XFCE4 media player 1# Profile for Parole, the default XFCE4 media player
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
6
7private-etc passwd,group,fonts 7private-etc passwd,group,fonts
8private-bin parole,dbus-launch 8private-bin parole,dbus-launch
9blacklist ${HOME}/.pki/nssdb 9
10blacklist ${HOME}/.lastpass
11blacklist ${HOME}/.keepassx
12blacklist ${HOME}/.password-store
13caps.drop all 10caps.drop all
14seccomp
15protocol unix,inet,inet6
16netfilter 11netfilter
12nonewprivs
17noroot 13noroot
14protocol unix,inet,inet6
15seccomp
18shell none 16shell none
diff --git a/etc/pidgin.profile b/etc/pidgin.profile
index 54bedccc8..3df2cafa6 100644
--- a/etc/pidgin.profile
+++ b/etc/pidgin.profile
@@ -1,12 +1,20 @@
1# Pidgin profile 1# Pidgin profile
2noblacklist ${HOME}/.purple 2noblacklist ${HOME}/.purple
3include /etc/firejail/disable-mgmt.inc 3
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-devel.inc 5include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 6include /etc/firejail/disable-passwdmgr.inc
8blacklist ${HOME}/.wine 7include /etc/firejail/disable-programs.inc
8
9caps.drop all 9caps.drop all
10seccomp 10netfilter
11protocol unix,inet,inet6 11nonewprivs
12nogroups
12noroot 13noroot
14protocol unix,inet,inet6
15seccomp
16shell none
17tracelog
18
19private-bin pidgin
20private-dev
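diff --git a/etc/pix.profile b/etc/pix.profile
new file mode 100644
index 000000000..80c05fd09
--- /dev/null
+++ b/etc/pix.profile
@@ -0,0 +1,23 @@
+# Firejail profile for pix
+noblacklist ${HOME}/.config/pix
+noblacklist ${HOME}/.local/share/pix
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin pix
+whitelist /tmp/.X11-unix
+private-dev
+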
diff --git a/etc/polari.profile b/etc/polari.profile
index 26d5ff27b..366883c83 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -1,9 +1,8 @@
1# Polari IRC profile 1# Polari IRC profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5
7mkdir ${HOME}/.local 6mkdir ${HOME}/.local
8mkdir ${HOME}/.local/share/ 7mkdir ${HOME}/.local/share/
9mkdir ${HOME}/.local/share/Empathy 8mkdir ${HOME}/.local/share/Empathy
@@ -21,9 +20,10 @@ whitelist ${HOME}/.cache/telepathy
21mkdir ${HOME}/.purple 20mkdir ${HOME}/.purple
22whitelist ${HOME}/.purple 21whitelist ${HOME}/.purple
23include /etc/firejail/whitelist-common.inc 22include /etc/firejail/whitelist-common.inc
23
24caps.drop all 24caps.drop all
25seccomp
26protocol unix,inet,inet6
27noroot
28netfilter 25netfilter
29 26nonewprivs
27noroot
28protocol unix,inet,inet6
29seccomp
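diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
new file mode 100644
index 000000000..9380237be
--- /dev/null
+++ b/etc/psi-plus.profile
@@ -0,0 +1,27 @@
+# Firejail profile for Psi+
+
+noblacklist ${HOME}/.config/psi+
+noblacklist ${HOME}/.local/share/psi+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config
+mkdir ~/.config/psi+
+whitelist ~/.config/psi+
+mkdir ~/.local
+mkdir ~/.local/share
+mkdir ~/.local/share/psi+
+whitelist ~/.local/share/psi+
+mkdir ~/.cache
+mkdir ~/.cache/psi+
+whitelist ~/.cache/psi+
+
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp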
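Review bot: Like konversation in this commit, the new profile omits `nonewprivs`, so a setuid binary reachable from the jail can still escalate despite `caps.drop all` and `noroot`; it also skips `disable-devel.inc`, which every other new profile here includes. Add `nonewprivs` after `netfilter` on line 24 and `include /etc/firejail/disable-devel.inc` next to the other includes, or leave a comment explaining why Psi+ needs either omitted.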
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index f067aaa99..138b6db55 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -1,19 +1,20 @@
1# qbittorrent bittorrent profile 1# qbittorrent bittorrent profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 6
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 7caps.drop all
13seccomp
14protocol unix,inet,inet6
15netfilter 8netfilter
9nonewprivs
16noroot 10noroot
17nosound 11nosound
12protocol unix,inet,inet6
13seccomp
18 14
19 15# there are some problems with "Open destination folder", see bug #536
16#shell none
17#private-bin qbittorrent
18whitelist /tmp/.X11-unix
19private-dev
20nosound
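Review bot: `nosound` appears twice on the new side (lines 11 and 20); the copy added with the private-dev block should go. `whitelist /tmp/.X11-unix` on line 18 additionally puts /tmp into whitelist mode, which matters for a torrent client that users point at .torrent files a browser saved under /tmp — those paths will not resolve inside the jail — and with "Open destination folder" already known broken (bug #536) an unexplained /tmp restriction will make the next report harder to triage; a comment such as `# only the X socket is visible under /tmp` would help.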
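diff --git a/etc/qtox.profile b/etc/qtox.profile
new file mode 100644
index 000000000..0cac18573
--- /dev/null
+++ b/etc/qtox.profile
@@ -0,0 +1,22 @@
+# qTox instant messaging profile
+noblacklist ${HOME}/.config/tox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.config/tox
+whitelist ${HOME}/.config/tox
+whitelist ${DOWNLOADS}
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin qtox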
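Review bot: `mkdir ${HOME}/.config/tox` on line 8 has no preceding `mkdir ${HOME}/.config`, unlike the other whitelisting profiles in this commit (gpredict, hexchat, psi-plus), so on a fresh account without ~/.config the directory creation presumably fails and the whitelist on line 9 has nothing to mount. The profile also never includes `/etc/firejail/whitelist-common.inc`, so once home is in whitelist mode ~/.Xauthority and similar per-user files are hidden — likely a problem for an X client unless it was left out on purpose. Add `mkdir ${HOME}/.config` before line 8 and `include /etc/firejail/whitelist-common.inc` after line 10.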
diff --git a/etc/quassel.profile b/etc/quassel.profile
index bc8c76915..f92dfeb9f 100644
--- a/etc/quassel.profile
+++ b/etc/quassel.profile
@@ -1,13 +1,11 @@
1# Quassel IRC profile 1# Quassel IRC profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5
7blacklist ${HOME}/.wine
8caps.drop all 6caps.drop all
9seccomp 7nonewprivs
10protocol unix,inet,inet6
11noroot 8noroot
12netfilter 9netfilter
13 10protocol unix,inet,inet6
11seccomp
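diff --git a/etc/quiterss.profile b/etc/quiterss.profile
new file mode 100644
index 000000000..f2b9959f6
--- /dev/null
+++ b/etc/quiterss.profile
@@ -0,0 +1,32 @@
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${HOME}/quiterssfeeds.opml
+mkdir ~/.config
+mkdir ~/.config/QuiteRss
+whitelist ${HOME}/.config/QuiteRss/
+whitelist ${HOME}/.config/QuiteRssrc
+mkdir ~/.local
+mkdir ~/.local/share
+whitelist ${HOME}/.local/share/
+mkdir ~/.cache
+mkdir ~/.cache/QuiteRss
+whitelist ${HOME}/.cache/QuiteRss
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+private-bin quiterss
+private-dev
+nosound
+#private-etc X11,ssl
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+include /etc/firejail/whitelist-common.inc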
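Review bot: `whitelist ${HOME}/.local/share/` on line 13 exposes the whole of ~/.local/share — the data directories of every other application, which on many systems includes the desktop keyring's storage — to a feed reader that fetches and renders untrusted remote content, largely defeating the point of putting home into whitelist mode. Narrow it to the application's own directory, presumably `~/.local/share/QuiteRss` (verify the exact name), and create it with `mkdir` first as the `.config` and `.cache` entries do. The file is also the only new profile in this commit without a header comment naming the application; `# Firejail profile for QuiteRSS` on line 1 would fix that.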
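diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
new file mode 100644
index 000000000..b590f0ef1
--- /dev/null
+++ b/etc/qutebrowser.profile
@@ -0,0 +1,23 @@
+# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
+
+noblacklist ~/.config/qutebrowser
+noblacklist ~/.cache/qutebrowser
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/qutebrowser
+whitelist ~/.config/qutebrowser
+mkdir ~/.cache
+mkdir ~/.cache/qutebrowser
+whitelist ~/.cache/qutebrowser
+include /etc/firejail/whitelist-common.inc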
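Review bot: The header calls qutebrowser a Python application, yet the profile includes `disable-devel.inc` with no `noblacklist` for the Python runtime; the hexchat hunk in this same commit needed `noblacklist /usr/lib/python2*` / `/usr/lib/python3*` beside that include, so unless disable-devel.inc leaves the interpreter alone (its contents are not visible here) qutebrowser will not start in the jail. Line 18 also runs `mkdir ~/.config/qutebrowser` without a preceding `mkdir ~/.config`, unlike gpredict/hexchat here. Suggested: `noblacklist /usr/lib/python3*` ahead of the includes and `mkdir ~/.config` before line 18, or a comment stating why neither is needed.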
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index a1a20a863..9f087ea1d 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -1,17 +1,18 @@
1# Rhythmbox media player profile 1# Rhythmbox media player profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 6
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 7caps.drop all
13seccomp 8nogroups
14protocol unix,inet,inet6
15noroot
16netfilter 9netfilter
10nonewprivs
11noroot
12protocol unix,inet,inet6
13seccomp
14shell none
15tracelog
17 16
17private-bin rhythmbox
18private-dev
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 6041052af..15df2c374 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,12 +1,19 @@
1# rtorrent bittorrent profile 1# rtorrent bittorrent profile
2include /etc/firejail/disable-mgmt.inc
3include /etc/firejail/disable-secret.inc
4include /etc/firejail/disable-common.inc 2include /etc/firejail/disable-common.inc
3include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 4include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 5include /etc/firejail/disable-passwdmgr.inc
6
7caps.drop all 7caps.drop all
8seccomp
9protocol unix,inet,inet6
10netfilter 8netfilter
9nonewprivs
11noroot 10noroot
12nosound 11nosound
12protocol unix,inet,inet6
13seccomp
14
15shell none
16private-bin rtorrent
17whitelist /tmp/.X11-unix
18private-dev
19nosound
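Review bot: `nosound` is listed twice on the new side (lines 11 and 19); drop the second. `whitelist /tmp/.X11-unix` on line 17 does nothing useful for rtorrent, a curses client with no X connection, and as a side effect hides the rest of /tmp, so .torrent files a browser saved there cannot be opened from the jail; remove the line, or replace it with `private-tmp` plus a comment if hiding /tmp is the actual goal. `private-bin rtorrent` with `shell none` is a good fit here, assuming the user's rtorrent.rc does not rely on `execute` helpers — worth a one-line note.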
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index b896af97a..9ce4164c1 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
@@ -1,19 +1,17 @@
1# Firejail profile for Seamoneky based off Mozilla Firefox 1# Firejail profile for Seamoneky based off Mozilla Firefox
2noblacklist ~/.mozilla 2noblacklist ~/.mozilla
3noblacklist ~/.cache/mozilla 3noblacklist ~/.cache/mozilla
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-terminals.inc
10 7
11caps.drop all 8caps.drop all
12seccomp
13protocol unix,inet,inet6,netlink
14netfilter 9netfilter
15tracelog 10nonewprivs
16noroot 11noroot
12protocol unix,inet,inet6,netlink
13seccomp
14tracelog
17 15
18whitelist ${DOWNLOADS} 16whitelist ${DOWNLOADS}
19mkdir ~/.mozilla 17mkdir ~/.mozilla
@@ -44,13 +42,10 @@ whitelist ~/.lastpass
44whitelist ~/.config/lastpass 42whitelist ~/.config/lastpass
45 43
46#silverlight 44#silverlight
47whitelist ~/.wine-pipelight 45whitelist ~/.wine-pipelight
48whitelist ~/.wine-pipelight64 46whitelist ~/.wine-pipelight64
49whitelist ~/.config/pipelight-widevine 47whitelist ~/.config/pipelight-widevine
50whitelist ~/.config/pipelight-silverlight5.1 48whitelist ~/.config/pipelight-silverlight5.1
51 49
52
53
54# experimental features 50# experimental features
55#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse 51#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
56
diff --git a/etc/server.profile b/etc/server.profile
index 5471aed91..88331d951 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -2,9 +2,13 @@
2# it allows /sbin and /usr/sbin directories - this is where servers are installed 2# it allows /sbin and /usr/sbin directories - this is where servers are installed
3noblacklist /sbin 3noblacklist /sbin
4noblacklist /usr/sbin 4noblacklist /usr/sbin
5include /etc/firejail/disable-mgmt.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-passwdmgr.inc
8
6private 9private
7private-dev 10private-dev
11nosound
8private-tmp 12private-tmp
9seccomp 13seccomp
10 14
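Review bot: The hunk narrows the filesystem view (`disable-common.inc`, `disable-programs.inc`, `disable-passwdmgr.inc`, `nosound`) but the generic server profile still runs daemons with the full capability set: there is no `caps.drop`, `caps.keep` or `nonewprivs` anywhere in the file. Daemons started as root normally need only a handful of capabilities (binding a privileged port, changing uid/gid, chroot), so a `caps.keep` line tailored per service is the natural next step. At minimum document the omission so it reads as a decision: `# no caps.drop/noroot: generic servers start as root and drop privileges themselves; add caps.keep per service`. `noroot` genuinely does not apply to a root-started daemon, so that part of the omission is fine.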
diff --git a/etc/skype.profile b/etc/skype.profile
index a33cc339d..9cbcd5117 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -1,12 +1,12 @@
1# Skype profile 1# Skype profile
2noblacklist ${HOME}/.Skype 2noblacklist ${HOME}/.Skype
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 5include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 6
8caps.drop all 7caps.drop all
9netfilter 8netfilter
9nonewprivs
10noroot 10noroot
11seccomp
12protocol unix,inet,inet6 11protocol unix,inet,inet6
12seccomp
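Review bot: Unlike `steam.profile`, `totem.profile`, `vlc.profile` and the other desktop profiles reworked in this commit, the new include list for Skype omits `disable-passwdmgr.inc`, so password-manager stores stay visible to a closed-source binary that has no reason to read them. Add `include /etc/firejail/disable-passwdmgr.inc` after the `disable-devel.inc` line. A short why-comment on `nonewprivs` would also help, since it is the only hardening step the hunk introduces.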
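--- /dev/null
+++ b/etc/snap.profile
@@ -0,0 +1,14 @@
+################################
+# Generic Ubuntu snap application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+whitelist ~/snap
+whitelist ${DOWNLOADS}
+include /etc/firejail/whitelist-common.inc
+
+caps.keep chown,sys_admin
+
+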
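Review bot: `caps.keep chown,sys_admin` on line 12 retains CAP_SYS_ADMIN, which is effectively root (mount, namespace and most other privileged operations), so this profile only narrows the filesystem view and does not meaningfully contain the process; the file should say so, because a reader will otherwise assume the usual `caps.drop all` level of protection. Presumably snap-confine's mount-namespace setup needs it, and `seccomp`, `noroot` and `nonewprivs` are absent for the same reason (a setuid helper), but none of that is recorded. I'd add above the `caps.keep` line: `# snap-confine is setuid root and builds mount namespaces; CAP_SYS_ADMIN is root-equivalent, so this profile only restricts the filesystem view` and `# no seccomp/noroot/nonewprivs: they would break the setuid snap-confine helper (TODO confirm)`.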
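--- /dev/null
+++ b/etc/soffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+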
diff --git a/etc/spotify.profile b/etc/spotify.profile
index 1986a513c..ca575970b 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -1,11 +1,14 @@
1# Spotify media player profile 1# Spotify media player profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ${HOME}/.config/spotify
3include /etc/firejail/disable-secret.inc 3noblacklist ${HOME}/.cache/spotify
4noblacklist ${HOME}/.local/share/spotify
4include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-passwdmgr.inc
6 9
7# Whitelist the folders needed by Spotify - This is more restrictive 10# Whitelist the folders needed by Spotify - This is more restrictive
8# than a blacklist though, but this is all spotify requires for 11# than a blacklist though, but this is all spotify requires for
9# streaming audio 12# streaming audio
10mkdir ${HOME}/.config 13mkdir ${HOME}/.config
11mkdir ${HOME}/.config/spotify 14mkdir ${HOME}/.config/spotify
@@ -20,8 +23,13 @@ whitelist ${HOME}/.cache/spotify
20include /etc/firejail/whitelist-common.inc 23include /etc/firejail/whitelist-common.inc
21 24
22caps.drop all 25caps.drop all
23seccomp
24protocol unix,inet,inet6,netlink
25netfilter 26netfilter
27nogroups
28nonewprivs
26noroot 29noroot
30protocol unix,inet,inet6,netlink
31seccomp
32shell none
27 33
34private-bin spotify
35private-dev
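Review bot: `shell none` together with `private-bin spotify` (lines 32–34) assumes the `spotify` found on PATH is the client binary itself; on distributions where `/usr/bin/spotify` is a shell wrapper that execs the real client from `/opt` or `/usr/share/spotify`, the sandbox cannot start it because no shell exists in the private `/bin`. If that packaging matters, extend it to `private-bin spotify,sh` (or `bash`, whichever the wrapper uses) and leave a comment naming the packaging that was tested. The new `private-dev`, `nogroups` and `nonewprivs` are the right shape for a closed-source streaming client; a one-line why-comment on `nonewprivs` would make the intent explicit.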
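--- /dev/null
+++ b/etc/ssh.profile
@@ -0,0 +1,13 @@
+# ssh client
+noblacklist ~/.ssh
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp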
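Review bot: The profile leaves `~/.ssh` fully readable and writable (line 2) and says nothing about what the sandbox is meant to protect, which matters for a client whose own config can run local commands (`ProxyCommand`, `LocalCommand`, `Match exec`). The honest framing is that the jail shields the rest of `$HOME` from a hostile or compromised server exploiting a client bug; it does not protect the keys from ssh itself, and I'd write that down: `# ssh needs ~/.ssh read-write (known_hosts, control sockets); the sandbox limits what a hostile server can reach through a client bug, it does not protect the keys from ssh`. Agent use depends on `$SSH_AUTH_SOCK`, typically under `/tmp` or `/run/user`, so anyone later adding `private-tmp` here will break agent forwarding — worth a comment as well.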
diff --git a/etc/steam.profile b/etc/steam.profile
index dc17c7a0f..b15a54be9 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -1,13 +1,14 @@
1# Steam profile (applies to games/apps launched from Steam as well) 1# Steam profile (applies to games/apps launched from Steam as well)
2noblacklist ${HOME}/.steam 2noblacklist ${HOME}/.steam
3noblacklist ${HOME}/.local/share/steam 3noblacklist ${HOME}/.local/share/steam
4include /etc/firejail/disable-mgmt.inc
5include /etc/firejail/disable-secret.inc
6include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
7include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
8include /etc/firejail/disable-terminals.inc 7include /etc/firejail/disable-passwdmgr.inc
8
9caps.drop all 9caps.drop all
10netfilter 10netfilter
11nonewprivs
11noroot 12noroot
12seccomp
13protocol unix,inet,inet6 13protocol unix,inet,inet6
14seccomp
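Review bot: `nonewprivs` is the one substantive addition, and for Steam it carries more weight than elsewhere because, per the header comment, the sandbox also covers every third-party game binary launched from the client; it deserves a why-comment such as `# nonewprivs: games are untrusted third-party binaries and must not gain privileges through setuid helpers`. If a game ships a setuid helper it will now fail with an execve error rather than silently, which is the desired outcome, but documenting that will keep the next "game won't start" report from simply removing the line. It is also worth one line noting that `disable-passwdmgr.inc` is included deliberately, since the client has no business reading password stores.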
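--- /dev/null
+++ b/etc/stellarium.profile
@@ -0,0 +1,29 @@
+# Firejail profile for Stellarium.
+noblacklist ~/.stellarium
+noblacklist ~/.config/stellarium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.stellarium
+whitelist ~/.stellarium
+mkdir ~/.config
+mkdir ~/.config/stellarium
+whitelist ~/.config/stellarium
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin stellarium
+private-dev
+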
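Review bot: This is a whitelist-based profile (lines 10–14) but, unlike `spotify.profile` and `uget-gtk.profile` in the same commit, it does not `include /etc/firejail/whitelist-common.inc`, so `~/.config/user-dirs.dirs`, `~/.icons`, `~/.config/mimeapps.list` and `~/.XCompose` stay hidden; a Qt application generally starts without them, but mime and icon lookups degrade silently and the omission looks accidental rather than chosen. If it is intentional, add `# no whitelist-common.inc: stellarium needs none of the shared desktop files` after line 14, otherwise add the include. A second consequence of whitelisting deserves a comment too: anything Stellarium saves outside the two whitelisted directories (screenshots, by default) presumably lands in the sandbox's temporary home and is gone when it exits, so users need a hint to point the screenshot directory at `~/.stellarium`.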
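--- /dev/null
+++ b/etc/strings.profile
@@ -0,0 +1,8 @@
+# strings profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound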
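Review bot: `strings` exists precisely to be pointed at untrusted binaries, so the profile is welcome, but it is identical line for line to `xzdec.profile` and neither states what it defends against; a header such as `# strings parses attacker-supplied binaries (the binutils build goes through libbfd unless -a); keep network, devices and shared /tmp away from it` would let the intent survive future edits. A `private-bin strings` line would match the other new single-binary profiles here (`stellarium`, `warzone2100`, `xviewer`), provided `strings` is not a symlink to a multiarch-prefixed name that `private-bin` would also need listed. As written, a parser bug still yields read-write access to the whole home directory, which is the main remaining exposure and worth saying out loud.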
diff --git a/etc/telegram.profile b/etc/telegram.profile
index 94167675c..8e91e426b 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
@@ -1,17 +1,13 @@
1# Telegram IRC profile 1# Telegram IRC profile
2noblacklist ${HOME}/.TelegramDesktop 2noblacklist ${HOME}/.TelegramDesktop
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
4include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 5include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc
8 6
9caps.drop all 7caps.drop all
10seccomp
11protocol unix,inet,inet6
12noroot
13netfilter 8netfilter
9nonewprivs
10noroot
11protocol unix,inet,inet6
12seccomp
14 13
15whitelist ~/Downloads/Telegram Desktop
16mkdir ${HOME}/.TelegramDesktop
17whitelist ~/.TelegramDesktop
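Review bot: Old lines 15–17 (`whitelist ~/Downloads/Telegram Desktop`, `mkdir ${HOME}/.TelegramDesktop`, `whitelist ~/.TelegramDesktop`) are removed and nothing replaces them, so the profile goes from a whitelisted home, where only the Telegram data directory and its download folder were visible, to the full home minus the `disable-*` blacklists — a net loosening that the commit does not explain. If the motivation is the space in `~/Downloads/Telegram Desktop` upsetting the parser, keep the two `~/.TelegramDesktop` lines and drop only the Downloads entry, or whitelist `${DOWNLOADS}` as `seamonkey.profile` does. The header is also wrong — Telegram is not IRC — so `# Telegram Desktop messenger profile` would be accurate.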
diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile
index f608f5467..7882367b9 100644
--- a/etc/thunderbird.profile
+++ b/etc/thunderbird.profile
@@ -1,26 +1,19 @@
1# Firejail profile for Mozilla Thunderbird (Icedove in Debian) 1# Firejail profile for Mozilla Thunderbird
2noblacklist ${HOME}/.gnupg
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-devel.inc
6
7# Users have thunderbird set to open a browser by clicking a link in an email 2# Users have thunderbird set to open a browser by clicking a link in an email
8# We are not allowed to blacklist browser-specific directories 3# We are not allowed to blacklist browser-specific directories
9#include /etc/firejail/disable-common.inc thunderbird icedove
10blacklist ${HOME}/.adobe
11blacklist ${HOME}/.macromedia
12blacklist ${HOME}/.filezilla
13blacklist ${HOME}/.config/filezilla
14blacklist ${HOME}/.purple
15blacklist ${HOME}/.config/psi+
16blacklist ${HOME}/.remmina
17blacklist ${HOME}/.tconn
18 4
5noblacklist ~/.gnupg
6mkdir ~/.gnupg
7whitelist ~/.gnupg
8
9noblacklist ~/.thunderbird
10mkdir ~/.thunderbird
11whitelist ~/.thunderbird
12
13noblacklist ~/.cache/thunderbird
14mkdir ~/.cache
15mkdir ~/.cache/thunderbird
16whitelist ~/.cache/thunderbird
19 17
20caps.drop all 18include /etc/firejail/firefox.profile
21seccomp
22protocol unix,inet,inet6
23netfilter
24tracelog
25noroot
26 19
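Review bot: The new `whitelist ~/.gnupg` (lines 5–7) places the private keyring inside the sandbox read-write, which gpg/Enigmail needs, but `mkdir ~/.gnupg` will create the directory for users who have none, and gpg complains about or ignores configuration in a `~/.gnupg` that is not mode 0700 — confirm that firejail's `mkdir` creates it that way, or note the caveat. Including `firefox.profile` (line 18) also means Thunderbird inherits every whitelist Firefox has (the browser profile and, presumably, the same password-manager paths that the Firefox-derived `seamonkey.profile` whitelists), so the mail client can now read browser cookies and saved logins; the comment on lines 2–3 gives the reason but not the trade-off. I'd extend it: `# firefox.profile is included so links open in the sandboxed browser; this also exposes the browser profile and password-manager paths to Thunderbird`.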
diff --git a/etc/totem.profile b/etc/totem.profile
index f2485a2d0..252b46979 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -1,16 +1,15 @@
1# Totem media player profile 1# Totem media player profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ~/.config/totem
3include /etc/firejail/disable-secret.inc 3noblacklist ~/.local/share/totem
4
4include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 8include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 9
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 10caps.drop all
13seccomp 11nonewprivs
14protocol unix,inet,inet6
15noroot 12noroot
16netfilter 13netfilter
14protocol unix,inet,inet6
15seccomp
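Review bot: Totem ends up with a noticeably weaker profile than `xplayer.profile`, its fork, which this same commit gives `nogroups`, `shell none`, `tracelog`, `private-bin …` and `private-dev`; both players decode the same kind of untrusted media through the same GStreamer stack, so the gap reads as an oversight rather than a decision. Unless Totem's thumbnailer or plugin helpers are known to need the full `/bin`, mirror the xplayer lines: `shell none`, `private-bin totem` (plus the equivalent thumbnailer helper name), `private-dev`, `nogroups` and `tracelog`. If any of those are known to break Totem, a comment saying which one would stop the next person from re-trying.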
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 18356a91e..fa5c3b22b 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,22 +1,23 @@
1# transmission-gtk profile 1# transmission-gtk bittorrent profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ${HOME}/.config/transmission
3include /etc/firejail/disable-secret.inc 3noblacklist ${HOME}/.cache/transmission
4
4include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 8include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 9
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 10caps.drop all
13seccomp
14protocol unix,inet,inet6
15netfilter 11netfilter
12nonewprivs
16noroot 13noroot
17tracelog
18nosound 14nosound
15protocol unix,inet,inet6
16seccomp
17tracelog
19 18
20 19shell none
21 20private-bin transmission-gtk
21whitelist /tmp/.X11-unix
22private-dev
22 23
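Review bot: The new `shell none` plus `private-bin transmission-gtk` (lines 19–20) silently disables two features the client itself offers — the "run a script when a torrent finishes" option and opening downloaded files or folders through `xdg-open` — since both need a shell or other binaries that are no longer in the private `/bin`. That is a sound trade-off (a hostile torrent cannot abuse the completion script to run arbitrary commands), but it should be recorded: `# private-bin: torrent-done scripts and xdg-open are intentionally unavailable`. `whitelist /tmp/.X11-unix` on line 21 presumably exists because whitelisting anything under `/tmp` hides the rest of it, yielding an effectively private `/tmp` that still holds the X socket; a one-line comment would keep someone from "fixing" it by removing the line or stacking `private-tmp` on top.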
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index cd07f35c7..754211a63 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,20 +1,22 @@
1# transmission-qt profile 1# transmission-qt bittorrent profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ${HOME}/.config/transmission
3include /etc/firejail/disable-secret.inc 3noblacklist ${HOME}/.cache/transmission
4
4include /etc/firejail/disable-common.inc 5include /etc/firejail/disable-common.inc
6include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 7include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 8include /etc/firejail/disable-passwdmgr.inc
7blacklist ${HOME}/.pki/nssdb 9
8blacklist ${HOME}/.lastpass
9blacklist ${HOME}/.keepassx
10blacklist ${HOME}/.password-store
11blacklist ${HOME}/.wine
12caps.drop all 10caps.drop all
13seccomp
14protocol unix,inet,inet6
15netfilter 11netfilter
12nonewprivs
16noroot 13noroot
17tracelog
18nosound 14nosound
15protocol unix,inet,inet6
16seccomp
17tracelog
19 18
20 19shell none
20private-bin transmission-qt
21whitelist /tmp/.X11-unix
22private-dev
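Review bot: This hunk is a line-for-line copy of the `transmission-gtk.profile` hunk above it with only `private-bin transmission-qt` differing, and there is no shared include, so every future hardening or fix has to be applied twice; `totem.profile` versus `xplayer.profile` in this same commit shows how quickly such copies diverge. Consider moving the common lines into one include (the way `xz.profile` reuses `cpio.profile`) and keeping only the `private-bin` line per front end. The same documentation gaps as in the GTK profile apply: `private-bin` disables the torrent-done script and `xdg-open`, and `whitelist /tmp/.X11-unix` deserves a comment explaining that it produces a near-empty `/tmp` containing just the X socket.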
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 3b27c00ba..269f8f0fd 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -1,16 +1,26 @@
1# uGet profile 1# uGet profile
2include /etc/firejail/disable-mgmt.inc 2noblacklist ${HOME}/.config/uGet
3include /etc/firejail/disable-secret.inc 3
4include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
5include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
6include /etc/firejail/disable-terminals.inc 7
7caps.drop all 8caps.drop all
8seccomp
9protocol unix,inet,inet6
10netfilter 9netfilter
10nonewprivs
11noroot 11noroot
12protocol unix,inet,inet6
13seccomp
14
12whitelist ${DOWNLOADS} 15whitelist ${DOWNLOADS}
13mkdir ~/.config 16mkdir ~/.config
14mkdir ~/.config/uGet 17mkdir ~/.config/uGet
15whitelist ~/.config/uGet 18whitelist ~/.config/uGet
16include /etc/firejail/whitelist-common.inc 19include /etc/firejail/whitelist-common.inc
20
21shell none
22private-bin uget-gtk
23whitelist /tmp/.X11-unix
24private-dev
25nosound
26
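Review bot: `private-bin uget-gtk` (line 22) removes the external backends uGet can be configured to drive — an `aria2c` process if the aria2 plugin is enabled, and any command run on download completion — so users with that setup will see downloads fail with no hint that the sandbox is the cause. Either list the backend (`private-bin uget-gtk,aria2c`) or document the restriction with a comment. This profile also omits `disable-passwdmgr.inc` even though the other download and media profiles in this commit add it; a download manager has no reason to see password stores, so `include /etc/firejail/disable-passwdmgr.inc` belongs after the `disable-devel.inc` line.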
diff --git a/etc/unbound.profile b/etc/unbound.profile
index c4f009159..5e2cb5f65 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -1,12 +1,13 @@
1# security profile for unbound (https://unbound.net) 1# security profile for unbound (https://unbound.net)
2noblacklist /sbin 2noblacklist /sbin
3noblacklist /usr/sbin 3noblacklist /usr/sbin
4include /etc/firejail/disable-mgmt.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-secret.inc 7include /etc/firejail/disable-passwdmgr.inc
8include /etc/firejail/disable-terminals.inc 8
9private 9private
10private-dev 10private-dev
11nosound
11seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open 12seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
12 13
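Review bot: The `seccomp.drop` list on line 12 is a hand-maintained copy of what looks like firejail's default blacklist, presumably so that `chroot` stays available for unbound's `chroot:` option, but nothing says so and the list has already drifted: `perf_event_open` appears twice. A comment above it (`# custom seccomp list: default filter minus chroot, which unbound needs for its chroot: option (TODO confirm)`) would let a maintainer re-sync it against the built-in `seccomp` filter in later releases. Capabilities are also untouched; since unbound typically starts as root only to bind port 53 and chroot before switching to its own user, something like `caps.keep net_bind_service,setuid,setgid,sys_chroot` (to be confirmed against the service's startup) is the obvious next hardening step and would make the custom seccomp list matter less.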
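--- /dev/null
+++ b/etc/uudeview.profile
@@ -0,0 +1,13 @@
+# uudeview profile
+# the default profile will disable root user, enable seccomp filter etc.
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin uudeview
+private-dev
+private-tmp
+private-etc nonexisting_fakefile_for_empty_etc
+hostname uudeview
+nosound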
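Review bot: `private-etc nonexisting_fakefile_for_empty_etc` on line 11 relies on firejail tolerating a missing entry in order to produce an empty `/etc`; that is a useful trick but an undocumented one, and a future firejail release that treats a missing `private-etc` file as an error would break the profile with no obvious cause. Add `# empty /etc: uudeview needs nothing from it; the file name is deliberately nonexistent` above it, and a note that `hostname uudeview` keeps the real host name out of the decoder's environment. The rest (`net none`, `private-tmp`, `private-dev`, `private-bin`, and `default.profile` for caps/seccomp/noroot) is the right shape for a tool that unpacks attacker-supplied encodings.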
diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile
index daab0b81a..2049d2bd9 100644
--- a/etc/vivaldi.profile
+++ b/etc/vivaldi.profile
@@ -1,14 +1,12 @@
1# Vivaldi browser profile 1# Vivaldi browser profile
2noblacklist ~/.config/vivaldi 2noblacklist ~/.config/vivaldi
3noblacklist ~/.cache/vivaldi 3noblacklist ~/.cache/vivaldi
4noblacklist ~/keepassx.kdbx
5include /etc/firejail/disable-mgmt.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-terminals.inc
10 7
11netfilter 8netfilter
9nonewprivs
12 10
13whitelist ${DOWNLOADS} 11whitelist ${DOWNLOADS}
14mkdir ~/.config 12mkdir ~/.config
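Review bot: Adding `nonewprivs` (line 9) to a Chromium-based browser profile needs a check, because Chromium's renderer sandbox has two modes and one of them, the setuid `chrome-sandbox` helper, must gain privileges through `execve` — exactly what `nonewprivs` forbids; if Vivaldi on the target system uses that helper rather than unprivileged user namespaces, its internal sandbox will fail to initialize or the browser will refuse to start. That constraint is presumably why this profile, like the Chrome/Chromium ones, carries no `caps.drop all`, `seccomp` or `noroot`, and it applies to `nonewprivs` for the same reason. Either confirm it was tested on a kernel with unprivileged user namespaces enabled and record it (`# nonewprivs works only with the namespace sandbox; the setuid chrome-sandbox helper cannot be used`), or drop the line.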
diff --git a/etc/vlc.profile b/etc/vlc.profile
index adcfbb119..1a6e5a151 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -1,17 +1,19 @@
1# VLC media player profile 1# VLC media player profile
2noblacklist ${HOME}/.config/vlc 2noblacklist ${HOME}/.config/vlc
3include /etc/firejail/disable-mgmt.inc 3
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 7include /etc/firejail/disable-passwdmgr.inc
8blacklist ${HOME}/.pki/nssdb 8
9blacklist ${HOME}/.lastpass
10blacklist ${HOME}/.keepassx
11blacklist ${HOME}/.password-store
12blacklist ${HOME}/.wine
13caps.drop all 9caps.drop all
14seccomp
15protocol unix,inet,inet6
16noroot
17netfilter 10netfilter
11nonewprivs
12noroot
13protocol unix,inet,inet6
14seccomp
15
16
17# to test
18shell none
19private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
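Review bot: `shell none` plus `private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` (lines 18–19) lists the alternative front ends, but on Debian-family packages `cvlc`, `nvlc`, `qvlc`, `rvlc` and `svlc` are `/bin/sh` wrapper scripts that `exec vlc -I …`, so with no shell in the private `/bin` every one of them fails and only `vlc` itself works. Either add the shell (`private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc,sh`) or drop the wrappers and note that they are unsupported. The `# to test` marker on line 17 suggests the block shipped unverified; an active restriction with a question mark over it should be commented out or tracked as a TODO until it is.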
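--- /dev/null
+++ b/etc/warzone2100.profile
@@ -0,0 +1,25 @@
+# Firejail profile for warzone2100
+# Currently supports warzone2100-3.1
+noblacklist ~/.warzone2100-3.1
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.warzone2100-3.1
+whitelist ~/.warzone2100-3.1
+
+# Call these options
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin warzone2100
+private-dev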
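Review bot: Whitelisting a version-specific data directory (`~/.warzone2100-3.1`, lines 3 and 10–11) means any other release writes its saves and config to a path that is not whitelisted, which in firejail's whitelist mode presumably lands in the sandbox's throwaway home and vanishes at exit — a silent data-loss case rather than a visible failure. Say so next to the header: `# only the 3.1 data dir is whitelisted; other versions lose saves/config silently until their dir is added`. The `# Call these options` comment on line 13 carries no information; replace it with why-comments, e.g. `# nonewprivs/nogroups: downloaded maps and mods must not gain privileges`. As with `stellarium.profile`, `whitelist-common.inc` is not included — fine if intentional, but it should be stated.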
diff --git a/etc/weechat.profile b/etc/weechat.profile
index 3fbce62ca..410061278 100644
--- a/etc/weechat.profile
+++ b/etc/weechat.profile
@@ -1,12 +1,15 @@
1# Weechat IRC profile 1# Weechat IRC profile
2noblacklist ${HOME}/.weechat 2noblacklist ${HOME}/.weechat
3include /etc/firejail/disable-mgmt.inc
4include /etc/firejail/disable-common.inc 3include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-secret.inc 4include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-terminals.inc 5
7caps.drop all 6caps.drop all
8seccomp
9protocol unix,inet,inet6
10netfilter 7netfilter
8nonewprivs
11noroot 9noroot
12netfilter 10protocol unix,inet,inet6
11seccomp
12
13# no private-bin support for various reasons:
14# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
15# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins \ No newline at end of file
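Review bot: The new explanatory comment (lines 13–15) is garbled — `xferloading plugins` is the `xfer` plugin name with the tail of a pasted log line glued on — and the file now ends without a newline. The intent is clear, so spell it out: `# no private-bin: weechat loads scripting and helper plugins (guile, lua, perl, python, ruby, tcl, exec, relay, xfer, ...) that need interpreters and tools from /usr/bin`. It would also be worth one line noting that the `exec` and `relay` plugins let an IRC session run local commands and accept network clients respectively, which is the real reason this profile cannot be tightened with `shell none`.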
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index a5b6127df..cd0c6406f 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -1,15 +1,18 @@
1# Whitelist-based profile for "Battle for Wesnoth" (game). 1# Whitelist-based profile for "Battle for Wesnoth" (game).
2noblacklist ${HOME}/.config/wesnoth
3noblacklist ${HOME}/.cache/wesnoth
4noblacklist ${HOME}/.local/share/wesnoth
2 5
3include /etc/firejail/disable-common.inc 6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
4include /etc/firejail/disable-devel.inc 8include /etc/firejail/disable-devel.inc
5include /etc/firejail/disable-mgmt.inc 9include /etc/firejail/disable-passwdmgr.inc
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-terminals.inc
8 10
9caps.drop all 11caps.drop all
10seccomp 12nonewprivs
11protocol unix,inet,inet6
12noroot 13noroot
14protocol unix,inet,inet6
15seccomp
13 16
14private-dev 17private-dev
15 18
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 9d5ef3d96..b3a1a1d30 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -1,5 +1,6 @@
1# common whitelist for all profiles 1# common whitelist for all profiles
2 2
3whitelist ~/.XCompose
3whitelist ~/.config/mimeapps.list 4whitelist ~/.config/mimeapps.list
4whitelist ~/.icons 5whitelist ~/.icons
5whitelist ~/.config/user-dirs.dirs 6whitelist ~/.config/user-dirs.dirs
diff --git a/etc/wine.profile b/etc/wine.profile
index ae1f5d1b6..18e5346af 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -2,12 +2,13 @@
2noblacklist ${HOME}/.steam 2noblacklist ${HOME}/.steam
3noblacklist ${HOME}/.local/share/steam 3noblacklist ${HOME}/.local/share/steam
4noblacklist ${HOME}/.wine 4noblacklist ${HOME}/.wine
5include /etc/firejail/disable-mgmt.inc 5
6include /etc/firejail/disable-secret.inc
7include /etc/firejail/disable-common.inc 6include /etc/firejail/disable-common.inc
7include /etc/firejail/disable-programs.inc
8include /etc/firejail/disable-devel.inc 8include /etc/firejail/disable-devel.inc
9include /etc/firejail/disable-terminals.inc 9
10caps.drop all 10caps.drop all
11netfilter 11netfilter
12nonewprivs
12noroot 13noroot
13seccomp 14seccomp
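Review bot: `nonewprivs` is the right addition for a loader of arbitrary Windows binaries, but the profile keeps `~/.steam` and `~/.local/share/steam` visible (lines 2–3) to every program run under Wine, which includes Steam login tokens and the game library; the reason (running the Windows Steam client or its games through Wine, presumably) should be recorded so the exposure reads as a decision: `# steam dirs stay visible for Windows Steam/games under Wine; every Wine program can read them`. This is also the only network-using profile in the set without a `protocol` line; `protocol unix,inet,inet6` would match its neighbours unless Wine is known to need netlink or packet sockets.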
diff --git a/etc/xchat.profile b/etc/xchat.profile
index e2dcadc0e..1f2865cab 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
@@ -1,12 +1,14 @@
1# XChat IRC profile 1# XChat IRC profile
2noblacklist ${HOME}/.config/xchat 2noblacklist ${HOME}/.config/xchat
3include /etc/firejail/disable-mgmt.inc 3
4include /etc/firejail/disable-secret.inc
5include /etc/firejail/disable-common.inc 4include /etc/firejail/disable-common.inc
5include /etc/firejail/disable-programs.inc
6include /etc/firejail/disable-devel.inc 6include /etc/firejail/disable-devel.inc
7include /etc/firejail/disable-terminals.inc 7
8blacklist ${HOME}/.wine
9caps.drop all 8caps.drop all
10seccomp 9nonewprivs
11protocol unix,inet,inet6
12noroot 10noroot
11protocol unix,inet,inet6
12seccomp
13
14# private-bin requires perl, python, etc.
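Review bot: The new comment on line 14 explains the missing `private-bin` (interpreter plugins), which is good, but the profile also lacks `netfilter` while `weechat.profile` in the same commit has it, and an IRC client is exactly the case the default client filter is meant for; add `netfilter` next to `nonewprivs` (it only takes effect when the sandbox gets its own network namespace, so it is harmless otherwise). The removed `blacklist ${HOME}/.wine` is presumably now covered by `disable-programs.inc`; if that file does not list the Wine prefix, it is exposed again — worth confirming.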
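--- /dev/null
+++ b/etc/xplayer.profile
@@ -0,0 +1,21 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev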
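--- /dev/null
+++ b/etc/xreader.profile
@@ -0,0 +1,22 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev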
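Review bot: `private-bin xreader, xreader-previewer, xreader-thumbnailer` on line 21 has spaces after the commas, unlike every other `private-bin` line in this commit (`xplayer.profile`, `vlc.profile`, `stellarium.profile`); firejail presumably splits the list on commas only, so the second and third names carry a leading space and will not resolve — the previewer and thumbnailer are then missing from the sandbox, or the profile is rejected, depending on the version. Use `private-bin xreader,xreader-previewer,xreader-thumbnailer`. Separately, `noblacklist ~/.local/share` (line 4) un-blacklists the entire per-user data tree rather than `~/.local/share/xreader`, re-exposing whatever `disable-programs.inc` hides under it to a viewer that parses untrusted PDFs; if the whole tree is really required, say why in a comment, otherwise narrow it.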
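--- /dev/null
+++ b/etc/xviewer.profile
@@ -0,0 +1,19 @@
+noblacklist ~/.config/xviewer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-bin xviewer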
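Review bot: The profile has no header comment, unlike every other new profile in this commit, so a reader cannot tell what `xviewer` is or which build was tested; add `# Xviewer image viewer profile` as line 1. Since `protocol unix` (line 13) already forbids IP sockets and an image viewer has no use for the network, `net none` would state the same intent more strongly and also remove the interfaces; worth considering here and in `xreader.profile`. The hardening set otherwise mirrors `xreader.profile`, which is the right pairing for two parsers of untrusted files.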
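--- /dev/null
+++ b/etc/xz.profile
@@ -0,0 +1,2 @@
+# xz profile
+include /etc/firejail/cpio.profile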
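--- /dev/null
+++ b/etc/xzdec.profile
@@ -0,0 +1,8 @@
+# xzdec profile
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+private-tmp
+nosound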
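Review bot: This body is a byte-for-byte copy of `strings.profile`, while `xz.profile`, added alongside it, delegates to `cpio.profile` instead; two conventions for the same kind of one-shot untrusted-input filter will drift, so pick one (e.g. `include /etc/firejail/xz.profile` here, if `cpio.profile` provides a comparable set, with a comment). Whatever the mechanism, a header stating what the profile guards against is missing: `# xzdec decompresses attacker-supplied .xz input; no network, devices or shared /tmp`. A `private-bin xzdec` line would also bring it in line with the other new single-binary profiles.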