Diffstat (limited to 'etc')
-rw-r--r--etc/discord-common.profile1
-rw-r--r--etc/evince-previewer.profile3
-rw-r--r--etc/evince-thumbnailer.profile3
-rw-r--r--etc/evince.profile9
-rw-r--r--etc/gconf-editor.profile45
-rw-r--r--etc/gconf-merge-schema.profile12
-rw-r--r--etc/gconf-merge-tree.profile12
-rw-r--r--etc/gconf.profile57
-rw-r--r--etc/gconfpkg.profile12
-rw-r--r--etc/gconftool-2.profile12
-rw-r--r--etc/geekbench.profile5
-rw-r--r--etc/gpicview.profile2
-rw-r--r--etc/gsettings-data-convert.profile12
-rw-r--r--etc/gsettings-schema-convert.profile12
-rw-r--r--etc/hardinfo.profile38
-rw-r--r--etc/pavucontrol.profile3
-rw-r--r--etc/spectre-meltdown-checker.profile2
-rw-r--r--etc/sqlitebrowser.profile12
-rw-r--r--etc/sysprof-cli.profile2
-rw-r--r--etc/sysprof.profile2
20 files changed, 155 insertions, 101 deletions
diff --git a/etc/discord-common.profile b/etc/discord-common.profile
index c453d77d0..44b42aefa 100644
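--- a/etc/discord-common.profile
+++ b/etc/discord-common.profile
@@ -32,5 +32,4 @@ private-dev
 private-etc alternatives,fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies,resolv.conf
 private-tmp
 
-noexec ${HOME}
 noexec /tmp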
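Review bot: Dropping `noexec ${HOME}` at the end of this hunk lets anything written under the sandbox's view of the home directory be executed, and the profile keeps no record of why the restriction went away. If Discord has to run files it stores in its own config directory (plausible, but not shown on this page), record that the way other profiles in this commit do, e.g. `# noexec ${HOME} - breaks <observed failure>`, so the option is neither silently re-added nor forgotten. The profile starts above line 32, outside the hunk, so whether a whitelist limits which home paths are writable cannot be checked from here.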
diff --git a/etc/evince-previewer.profile b/etc/evince-previewer.profile
index e43bb2da8..bd1ea6aa9 100644
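--- a/etc/evince-previewer.profile
+++ b/etc/evince-previewer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-previewer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect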
diff --git a/etc/evince-thumbnailer.profile b/etc/evince-thumbnailer.profile
index 4036e1ecb..d11d4e1e1 100644
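--- a/etc/evince-thumbnailer.profile
+++ b/etc/evince-thumbnailer.profile
@@ -3,7 +3,8 @@
 # Persistent local customizations
 include evince-thumbnailer.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
 
 # Redirect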
diff --git a/etc/evince.profile b/etc/evince.profile
index e9b530ece..c10e3b04f 100644
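--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -20,7 +20,7 @@ include whitelist-var-common.inc
 
 caps.drop all
 machine-id
-# net none breaks AppArmor on Ubuntu systems
+# net none - breaks AppArmor on Ubuntu systems
 netfilter
 no3d
 nodbus
@@ -38,13 +38,12 @@ shell none
 tracelog
 
 private-bin evince,evince-previewer,evince-thumbnailer
+private-cache
 private-dev
-private-etc alternatives,fonts,machine-id
-
+private-etc alternatives,fonts,group,machine-id,passwd
 private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv
-
 private-tmp
 
-#memory-deny-write-execute - breaks application on Archlinux, issue 1803
+# memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803)
 noexec ${HOME}
 noexec /tmp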
diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile
index 20cc5c36f..e9756f8af 100644
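--- a/etc/gconf-editor.profile
+++ b/etc/gconf-editor.profile
@@ -4,46 +4,9 @@
 # Persistent local customizations
 include gconf-editor.local
 # Persistent global definitions
-include globals.local
+# added by included profile
+#include globals.local
 
-noblacklist ${HOME}/.config/gconf
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${HOME}/.config/gconf
-include whitelist-common.inc
-
-apparmor
-caps.drop all
-machine-id
-net none
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin gconf-editor
-private-cache
-private-dev
-private-etc alternatives,fonts
-private-lib
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
+# Redirect
+include gconf.profile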
diff --git a/etc/gconf-merge-schema.profile b/etc/gconf-merge-schema.profile
new file mode 100644
index 000000000..411b7b815
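--- /dev/null
+++ b/etc/gconf-merge-schema.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-schema
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-schema.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile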
diff --git a/etc/gconf-merge-tree.profile b/etc/gconf-merge-tree.profile
new file mode 100644
index 000000000..66a4226ca
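--- /dev/null
+++ b/etc/gconf-merge-tree.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconf-merge-tree
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-merge-tree.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile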
diff --git a/etc/gconf.profile b/etc/gconf.profile
new file mode 100644
index 000000000..94af21833
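--- /dev/null
+++ b/etc/gconf.profile
@@ -0,0 +1,57 @@
+# Firejail profile for gconf
+# Description: An obsolete configuration database system
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gconf
+
+# Allow python2 (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+#noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/gconf
+whitelist ${HOME}/.config/gconf
+include whitelist-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin gconf-editor,gconf-merge-*,gconfpkg,gconftool-2,gsettings-*-convert,python2*
+private-cache
+private-dev
+private-etc alternatives,fonts,gconf
+private-lib libpython*,python2*
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp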
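Review bot: The python2 allowance (`noblacklist ${PATH}/python2*`, `noblacklist /usr/lib/python2*`, and the `python2*` / `libpython*` entries in `private-bin` and `private-lib`) applies to every program that redirects to this profile, including gconf-editor, whose previous profile had `private-bin gconf-editor` and a bare `private-lib`. An interpreter inside the sandbox is a real widening for a GUI editor. It would be tighter to keep those lines in the redirect profiles of the tools that actually need Python, placed ahead of their `include gconf.profile`, the way sysprof-cli.profile carries its own `private-bin` before its redirect. At minimum, name the consumer in the existing comment, e.g. `# Allow python2 for <tool name> (blacklisted by disable-interpreters.inc)`, so the exception can be removed once that tool no longer needs it.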
diff --git a/etc/gconfpkg.profile b/etc/gconfpkg.profile
new file mode 100644
index 000000000..1793ce072
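--- /dev/null
+++ b/etc/gconfpkg.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconfpkg
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconfpkg.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile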
diff --git a/etc/gconftool-2.profile b/etc/gconftool-2.profile
new file mode 100644
index 000000000..59a2242a7
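--- /dev/null
+++ b/etc/gconftool-2.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gconftool-2
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconftool-2.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile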
diff --git a/etc/geekbench.profile b/etc/geekbench.profile
index c6e45b7d0..425fb7bb5 100644
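--- a/etc/geekbench.profile
+++ b/etc/geekbench.profile
@@ -13,7 +13,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-inclue whitelist-var-common.inc
+include whitelist-var-common.inc
 
 apparmor
 caps.drop all
@@ -40,7 +40,7 @@ disable-mnt
 private-bin bash,geekbenc*,sh
 private-cache
 private-dev
-private-etc alternatives,groups,passwd,lsb-release
+private-etc alternatives,group,passwd,lsb-release
 private-lib libstdc++.so.*
 private-opt none
 private-tmp
@@ -49,5 +49,4 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
 
-# never write anything
 read-only ${HOME}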
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index c43475615..4c66e3772 100644
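--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -38,7 +38,7 @@ tracelog
 private-bin gpicview
 private-cache
 private-dev
-private-etc alternatives,fonts,groups,passwd
+private-etc alternatives,fonts,group,passwd
 private-lib
 private-tmp
 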
diff --git a/etc/gsettings-data-convert.profile b/etc/gsettings-data-convert.profile
new file mode 100644
index 000000000..21a232440
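--- /dev/null
+++ b/etc/gsettings-data-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-data-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-data-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile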
diff --git a/etc/gsettings-schema-convert.profile b/etc/gsettings-schema-convert.profile
new file mode 100644
index 000000000..2dbf4fb44
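--- /dev/null
+++ b/etc/gsettings-schema-convert.profile
@@ -0,0 +1,12 @@
+# Firejail profile for gsettings-schema-convert
+# Description: An obsolete configuration database system (CLI utility)
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gsettings-schema-convert.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+
+# Redirect
+include gconf.profile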
diff --git a/etc/hardinfo.profile b/etc/hardinfo.profile
deleted file mode 100644
index 6be3044b4..000000000
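--- a/etc/hardinfo.profile
+++ /dev/null
@@ -1,38 +0,0 @@
-# Firejail profile for hardinfo
-# Description: A system information and benchmark tool
-# This file is overwritten after every install/update
-# Persistent local customizations
-include hardinfo.local
-# Persistent global definitions
-include globals.local
-
-include disable-common.inc
-include disable-devel.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-apparmor
-caps.drop all
-machine-id
-ipc-namespace
-netfilter
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-nou2f
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-cache
-private-dev
-private-tmp
-
-# memory-deny-write-execute - Breaks on Arch
-noexec ${HOME}
-noexec /tmp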
diff --git a/etc/pavucontrol.profile b/etc/pavucontrol.profile
index 159846a28..6bda9e7d3 100644
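--- a/etc/pavucontrol.profile
+++ b/etc/pavucontrol.profile
@@ -15,9 +15,6 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-mkfile ${HOME}/.config/pavucontrol.ini
-whitelist ${HOME}/.config/pavucontrol.ini
-include whitelist-common.inc
 include whitelist-var-common.inc
 
 apparmor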
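Review bot: Removing `whitelist ${HOME}/.config/pavucontrol.ini` together with `include whitelist-common.inc` leaves no home-directory whitelist in this hunk, so the sandbox would fall back to the blacklist-only view from the `disable-*.inc` includes and a mixer applet could read far more of the home directory than before. If the single-file whitelist was dropped because it broke saving the settings file (not stated on this page), say so in the profile, e.g. `# whitelist ${HOME}/.config/pavucontrol.ini - breaks <observed failure>`, so the trade-off is visible to anyone tightening the profile later. The profile continues beyond both ends of the hunk, so a whitelist elsewhere in the file cannot be ruled out from here.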
diff --git a/etc/spectre-meltdown-checker.profile b/etc/spectre-meltdown-checker.profile
index 350f10632..b43047401 100644
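--- a/etc/spectre-meltdown-checker.profile
+++ b/etc/spectre-meltdown-checker.profile
@@ -44,7 +44,7 @@ shell none
 
 disable-mnt
 private
-private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
+private-bin awk,bzip2,cat,coreos-install,cpucontrol,cut,dd,dirname,dmesg,dnf,echo,grep,gunzip,gz,gzip,head,id,kldload,kldstat,liblz4-tool,lzop,mktemp,modinfo,modprobe,mount,nm,objdump,od,perl,printf,readelf,rm,sed,seq,sh,sort,spectre-meltdown-checker,spectre-meltdown-checker.sh,stat,strings,sysctl,tail,test,toolbox,tr,uname,which,xz-utils
 private-cache
 private-tmp
 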
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 6bdd437cd..8122079e1 100644
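--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -18,10 +18,11 @@ include disable-xdg.inc
 
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
-net none
-no3d
-nodbus
+ipc-namespace
+netfilter
+# nodbus - breaks proxy creation
 nodvd
 nogroups
 nonewprivs
@@ -30,15 +31,16 @@ nosound
 notv
 nou2f
 novideo
-protocol unix
+protocol unix,inet,inet6,netlink
 seccomp
 shell none
 
 private-bin sqlitebrowser
 private-cache
 private-dev
+private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl
 private-tmp
 
-# memory-deny-write-execute - breaks on Arch
+memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp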
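Review bot: Replacing `net none` with `netfilter` and widening `protocol unix` to `protocol unix,inet,inet6,netlink` gives a local database browser full network access, and nothing in either hunk says which feature needs it. Only the `nodbus` line carries a reason (`breaks proxy creation`). The network change deserves the same treatment, e.g. `# net none - breaks <feature>`, so users who only open local files know they can restore it in sqlitebrowser.local. `no3d` is also dropped without comment, and `memory-deny-write-execute` is switched on although the old line recorded breakage on Arch, so it is worth confirming that was retested.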
diff --git a/etc/sysprof-cli.profile b/etc/sysprof-cli.profile
index 28d279d77..62672b22b 100644
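--- a/etc/sysprof-cli.profile
+++ b/etc/sysprof-cli.profile
@@ -13,6 +13,8 @@ nodbus
 private-bin sysprof-cli
 private-lib
 
+memory-deny-write-execute
+
 
 # Redirect
 include sysprof.profile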
diff --git a/etc/sysprof.profile b/etc/sysprof.profile
index a3135d001..eedf4c4b4 100644
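--- a/etc/sysprof.profile
+++ b/etc/sysprof.profile
@@ -42,6 +42,6 @@ private-etc alternatives,fonts,ld.so.cache,machine-id,ssl
 #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so
 private-tmp
 
-memory-deny-write-execute
+# memory-deny-write-execute - Breaks GUI on Arch
 noexec ${HOME}
 noexec /tmp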