From 0dba38435ef92ccc01cc9ff23b69df55489ec983 Mon Sep 17 00:00:00 2001 
From: Tad Date: Wed, 5 Jul 2017 09:40:54 -0400 Subject: Harden profiles - Added 'disable-devel.conf' to many profiles - Added 'disable-mnt' to many profiles - Added 'noexec' to many profiles - Removed 'netfilter' and 'net none' from profiles with 'protocol unix' - Cleaned up profiles using defaults --- etc/0ad.profile | 3 +++ etc/2048-qt.profile | 25 ++++++++++---------- etc/Thunar.profile | 12 ++-------- etc/Xephyr.profile | 1 - etc/Xvfb.profile | 1 - etc/akregator.profile | 26 +++++++++++---------- etc/ark.profile | 1 - etc/atool.profile | 2 -- etc/audacity.profile | 2 -- etc/bitlbee.profile | 10 ++++++++ etc/bleachbit.profile | 2 -- etc/blender.profile | 18 ++++++-------- etc/bless.profile | 2 -- etc/brasero.profile | 1 - etc/caja.profile | 1 - etc/catfish.profile | 1 - etc/cherrytree.profile | 12 +++++++++- etc/clipit.profile | 24 +++++++++---------- etc/darktable.profile | 19 ++++++++------- etc/dia.profile | 19 ++++++++------- etc/display.profile | 2 -- etc/dolphin.profile | 1 - etc/dropbox.profile | 25 ++++++++++++++------ etc/enchant.profile | 1 - etc/engrampa.profile | 1 - etc/eog.profile | 2 -- etc/evince.profile | 2 -- etc/exiftool.profile | 2 -- etc/feh.profile | 2 -- etc/file-roller.profile | 2 -- etc/file.profile | 2 -- etc/flowblade.profile | 10 ++++++++ etc/fontforge.profile | 19 ++++++++------- etc/franz.profile | 26 ++++++++++++++------- etc/galculator.profile | 1 - etc/geany.profile | 12 ++++------ etc/gedit.profile | 2 -- etc/gimp.profile | 2 -- etc/globaltime.profile | 19 ++++++++------- etc/gnome-books.profile | 1 - etc/gnome-calculator.profile | 1 + etc/gnome-documents.profile | 1 - etc/gnome-music.profile | 1 - etc/gnome-photos.profile | 1 - etc/goobox.profile | 1 - etc/google-play-music-desktop-player.profile | 20 ++++++++++++---- etc/gpicview.profile | 1 - etc/gucharmap.profile | 33 +++++++++++++------------- etc/handbrake.profile | 19 +++++++-------- etc/highlight.profile | 2 -- etc/hugin.profile | 20 ++++++++-------- etc/img2txt.profile 
| 2 -- etc/inkscape.profile | 10 ++++---- etc/jd-gui.profile | 2 -- etc/kate.profile | 1 - etc/kcalc.profile | 25 ++++++++++---------- etc/keepassx.profile | 1 - etc/keepassx2.profile | 1 - etc/keepassxc.profile | 2 -- etc/kino.profile | 27 ++++++++++----------- etc/knotes.profile | 1 - etc/ktorrent.profile | 22 ++++++++--------- etc/kwrite.profile | 1 - etc/leafpad.profile | 26 ++++++++++----------- etc/liferea.profile | 20 +++++++++++++++- etc/luminance-hdr.profile | 10 ++++---- etc/lximage-qt.profile | 27 ++++++++++----------- etc/lxmusic.profile | 26 ++++++++++----------- etc/mate-calc.profile | 28 +++++++++++----------- etc/mate-color-select.profile | 35 ++++++++++++++-------------- etc/mate-dictionary.profile | 25 +++++++++++--------- etc/mediainfo.profile | 4 +--- etc/meld.profile | 2 -- etc/mousepad.profile | 1 - etc/mupdf.profile | 2 -- etc/nautilus.profile | 2 -- etc/nemo.profile | 16 +++++-------- etc/odt2txt.profile | 2 -- etc/okular.profile | 1 - etc/openshot.profile | 12 +++++++++- etc/orage.profile | 24 ++++++++++--------- etc/pcmanfm.profile | 13 ++--------- etc/pdfsam.profile | 2 -- etc/pdftotext.profile | 2 -- etc/peek.profile | 1 - etc/psi-plus.profile | 16 ++++++++++++- etc/qemu-launcher.profile | 2 ++ etc/qemu-system-x86_64.profile | 2 ++ etc/qlipper.profile | 28 +++++++++++----------- etc/ranger.profile | 4 ---- etc/ristretto.profile | 23 +++++++++--------- etc/skype.profile | 5 ++++ etc/skypeforlinux.profile | 8 ++++++- etc/synfigstudio.profile | 15 ++++++++---- etc/tracker.profile | 1 - etc/transmission-show.profile | 2 -- etc/viewnior.profile | 1 - etc/vym.profile | 23 +++++++++--------- etc/xfburn.profile | 1 - etc/xfce4-dict.profile | 21 ++++++++++------- etc/xfce4-notes.profile | 25 +++++++++++--------- etc/xonotic.profile | 1 + etc/xpdf.profile | 14 ++++++++--- etc/xpra.profile | 1 - etc/zathura.profile | 2 -- 105 files changed, 519 insertions(+), 468 deletions(-) 
diff --git a/etc/0ad.profile b/etc/0ad.profile
index a564d0a09..9f33af806 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -38,3 +38,6 @@ tracelog
private-dev
private-tmp
disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 0dc54e675..c53cfef9d 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -7,24 +7,25 @@ include /etc/firejail/2048-qt.local
noblacklist ~/.config/xiaoyong
noblacklist ~/.config/2048-qt
+
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
+#ipc-namespace
+nogroups
nonewprivs
noroot
-protocol unix,inet,inet6
+novideo
+protocol unix
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
index ed8a37add..e62ce4e2d 100644
--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -16,20 +16,12 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
-nogroups
+no3d
nonewprivs
noroot
nosound
+novideo
protocol unix
seccomp
shell none
tracelog
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 4b14b8ad2..22c0202ee 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -21,7 +21,6 @@ private
caps.drop all
# Xephyr needs to be allowed access to the abstract Unix socket namespace.
-#net none
nogroups
nonewprivs
# In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 46f06871c..8eba82db1 100644
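Review bot: The 2048-qt hunk drops an active `nosound` (it survives only as the removed line at the end of the old option block) and the Thunar hunk likewise removes an active `nogroups`, while the commit message lists only additions and the `netfilter`/`net none` cleanup, so both read as accidental relaxations in a hardening commit. If they are deliberate, a one-line comment next to the other no* options, e.g. `# nosound intentionally not set` in 2048-qt and `# nogroups intentionally not set` in Thunar, would record that; otherwise re-add `nosound` after `noroot` in 2048-qt and `nogroups` after `caps.drop all` in Thunar. The remainder of both hunks matches what the message describes.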
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -22,7 +22,6 @@ private
caps.drop all
# Xvfb needs to be allowed access to the abstract Unix socket namespace.
-#net none
nogroups
nonewprivs
# In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 10279890e..ed79f0e94 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -5,28 +5,30 @@ include /etc/firejail/globals.local
# Persistent customizations should go in a .local file.
include /etc/firejail/akregator.local
-################################
-# Generic GUI application profile
-################################
noblacklist ${HOME}/.config/akregatorrc
noblacklist ${HOME}/.local/share/akregator
+
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
+#ipc-namespace
netfilter
+no3d
+nogroups
nonewprivs
noroot
+#nosound
+novideo
protocol unix,inet,inet6
seccomp
+shell none
+
+private-dev
+private-tmp
+disable-mnt
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
-# shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ark.profile b/etc/ark.profile
index 007748ed1..7aaa0bc5a 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
nogroups
nonewprivs
noroot
diff --git a/etc/atool.profile b/etc/atool.profile
index a66b4b1c5..b21c5855f 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -19,8 +19,6 @@ nosound
novideo
protocol unix
seccomp
-netfilter
-net none
no3d
shell none
tracelog
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 5b38d84e8..8cea3b18d 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
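Review bot: Removing `net none` from atool on the strength of `protocol unix` (the same removal appears in audacity, bleachbit, bless, brasero, catfish, display, eog, exiftool, feh, file-roller, file, galculator, gedit, gimp, gpicview, highlight, img2txt, jd-gui, keepassx, keepassx2 and keepassxc) gives up a layer rather than a redundancy: `protocol` is a seccomp filter on the family argument of socket(), whereas `net none` places the sandbox in a separate network namespace with no interfaces, so the two fail independently. For tools that never need networking, keeping `net none` directly above `protocol unix` costs nothing and preserves the defense in depth; if the intent is to simplify, the reasoning belongs in the commit message rather than being implied by the one-line summary. The keepassxc hunk also deletes the comment explaining how to re-enable networking for KeePassHTTP, leaving no note that the profile is now network-capable by default.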
@@ -15,8 +15,6 @@ include /etc/firejail/disable-programs.inc
caps.drop all
#ipc-namespace
-net none
-netfilter
no3d
nogroups
nonewprivs
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 055be09a1..2ecc0c425 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -9,13 +9,23 @@ include /etc/firejail/bitlbee.local
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
netfilter
+no3d
nonewprivs
private
private-dev
protocol unix,inet,inet6
seccomp
nosound
+novideo
read-write /var/lib/bitlbee
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 345dd119a..9d8ec1733 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
-net none
-netfilter
no3d
nogroups
nonewprivs
diff --git a/etc/blender.profile b/etc/blender.profile
index 6ee874ad0..b9757913d 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -7,25 +7,21 @@ include /etc/firejail/blender.local
noblacklist ~/.config/blender
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
+nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-# blender uses the sound system
-# nosound
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index c9ccfc02e..41712850e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
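Review bot: The bitlbee hunk adds `private-dev` a second time: the profile already carries `private-dev` as a context line right after `private`, and the new block between `read-write /var/lib/bitlbee` and `noexec /tmp` repeats it. Drop one of the two; the new block is the natural home since it matches the layout used across the other profiles in this commit. bitlbee is also given `noexec /tmp` without `noexec ${HOME}`; with `private` in effect the home directory is a fresh tmpfs so this is presumably fine, but a short comment such as `# home is a private tmpfs, noexec ${HOME} not needed` would explain the asymmetry.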
@@ -21,8 +21,6 @@ include /etc/firejail/disable-devel.inc
#Options
caps.drop all
#ipc-namespace
-net none
-netfilter
no3d
nogroups
nonewprivs
diff --git a/etc/brasero.profile b/etc/brasero.profile
index d013e0b8e..1d6856b73 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -15,7 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
-net none
nogroups
nonewprivs
noroot
diff --git a/etc/caja.profile b/etc/caja.profile
index 3a098379b..e6f38dfa9 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -26,7 +26,6 @@ nonewprivs
noroot
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 0deaca1b5..5612d4486 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -13,7 +13,6 @@ noblacklist ~/.config/catfish
include /etc/firejail/disable-devel.inc
caps.drop all
-net none
no3d
nogroups
nonewprivs
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 0ac71ca3c..b1acd78f2 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -9,18 +9,28 @@ include /etc/firejail/cherrytree.local
noblacklist /usr/bin/python2*
noblacklist /usr/lib/python3*
noblacklist ${HOME}/.config/cherrytree
+
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
+#ipc-namespace
netfilter
+no3d
nogroups
nonewprivs
noroot
nosound
novideo
-seccomp
protocol unix,inet,inet6,netlink
+seccomp
+shell none
tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/clipit.profile b/etc/clipit.profile
index b671b253b..7b1c584ac 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -8,26 +8,24 @@ include /etc/firejail/clipit.local
noblacklist ${HOME}/.local/share/clipit
noblacklist ${HOME}/.config/clipit
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
+no3d
+nogroups
nonewprivs
noroot
+nosound
novideo
-protocol unix,inet,inet6
+protocol unix
seccomp
+shell none
+private-dev
+private-tmp
+disable-mnt
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
-shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/darktable.profile b/etc/darktable.profile
index 29630a746..eca2ae6c5 100644
--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -8,23 +8,24 @@ include /etc/firejail/darktable.local
noblacklist ~/.cache/darktable
noblacklist ~/.config/darktable
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
+#ipc-namespace
netfilter
+nogroups
nonewprivs
noroot
+nosound
+novideo
protocol unix,inet,inet6
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
shell none
-# private-bin program
-# private-etc none
-# private-dev
+
+private-dev
private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dia.profile b/etc/dia.profile
index 4e009afd7..67cd2ca63 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -7,23 +7,24 @@ include /etc/firejail/dia.local
noblacklist ~/.dia
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
+no3d
+nogroups
nonewprivs
noroot
+nosound
novideo
-protocol unix,inet,inet6
+protocol unix
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
+
private-dev
private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/display.profile b/etc/display.profile
index 7cde8bd54..c9744b001 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -14,8 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
protocol unix
-netfilter
-net none
nonewprivs
noroot
nogroups
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 0085fb004..5ba8dd497 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
nogroups
nonewprivs
noroot
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index f1d7fad82..2319b337b 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -9,16 +9,10 @@ include /etc/firejail/dropbox.local
noblacklist ~/.config/autostart
noblacklist ~/.dropbox-dist
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
-caps
-nonewprivs
-noroot
-novideo
-protocol unix,inet,inet6
-seccomp
-
mkdir ~/Dropbox
whitelist ~/Dropbox
mkdir ~/.dropbox
@@ -28,3 +22,20 @@ whitelist ~/.dropbox-dist
mkfile ~/.config/autostart/dropbox.desktop
whitelist ~/.config/autostart/dropbox.desktop
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 9e2dee045..97fb82da3 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -20,7 +20,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 081a5f6b0..a786a702c 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -19,7 +19,6 @@ nosound
novideo
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/eog.profile b/etc/eog.profile
index 3abaaacef..7c21b241e 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -18,8 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
-net none
-netfilter
no3d
nogroups
nonewprivs
diff --git a/etc/evince.profile b/etc/evince.profile
index 6719244da..2173c7422 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,8 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
-netfilter
-#net none - creates some problems on some distributions
no3d
nogroups
nonewprivs
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index aba484718..9b0759dfe 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -23,8 +23,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
-net none
no3d
shell none
tracelog
diff --git a/etc/feh.profile b/etc/feh.profile
index f71999155..e41a4ad94 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -12,8 +12,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
-net none
nogroups
nonewprivs
noroot
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 72d00b4ce..920a60159 100644
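Review bot: The new option block for dropbox omits the `noexec ${HOME}` that every other profile in this commit adds next to `noexec /tmp`, and nothing records why. The `noblacklist ~/.dropbox-dist` and `whitelist ~/.dropbox-dist` lines earlier in the file suggest the client executes from inside the home directory, which would make the omission necessary, but a later cleanup pass will not see that without a hint; a comment such as `# no noexec ${HOME}: dropbox runs from ~/.dropbox-dist` above `noexec /tmp` would prevent it. The first hunk also replaces the old `caps` line with `caps.drop all`, a stricter setting than the commit message mentions; if dropbox has been verified to work with it, a word in the message would help.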
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
-net none
-netfilter
no3d
nogroups
nonewprivs
diff --git a/etc/file.profile b/etc/file.profile
index 915bf1088..ffdaf9f47 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
hostname file
-netfilter
-net none
no3d
nogroups
nonewprivs
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 7f29a8719..f8d45424f 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,13 +8,23 @@ include /etc/firejail/flowblade.local
# FlowBlade profile
noblacklist ${HOME}/.flowblade
noblacklist ${HOME}/.config/flowblade
+
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
+nogroups
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index 967a617e2..2b3d0f258 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -6,23 +6,24 @@ include /etc/firejail/globals.local
include /etc/firejail/fontforge.local
noblacklist ${HOME}/.FontForge
+
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
+nogroups
nonewprivs
noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
+
private-dev
private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/franz.profile b/etc/franz.profile
index c68b47d80..859c6ed9b 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -13,14 +13,6 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-#tracelog
-
whitelist ${DOWNLOADS}
mkdir ~/.config/Franz
whitelist ~/.config/Franz
@@ -30,3 +22,21 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 897946e7a..c346a382d 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -17,7 +17,6 @@ mkdir ~/.config/galculator
whitelist ~/.config/galculator
caps.drop all
-net none
nogroups
nonewprivs
noroot
diff --git a/etc/geany.profile b/etc/geany.profile
index 7e0c6d2ad..083e9423f 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -12,17 +12,15 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
+no3d
+nogroups
nonewprivs
noroot
+nosound
+novideo
protocol unix,inet,inet6
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
+
private-dev
private-tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index d871a9bed..c1bdacf44 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -18,8 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
#ipc-namespace
-netfilter
-net none
no3d
nogroups
nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index da521aa6c..7d2738adf 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
-net none
nogroups
nonewprivs
noroot
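Review bot: The second franz hunk turns the previously commented `#tracelog` into an active `tracelog`, which is a behaviour change (blacklist violations start being logged to syslog) that the commit message does not list. If that is intended, a one-line mention in the message or a comment above the line is enough; if not, keep it as `#tracelog` when the block is moved. The rest of the block is a relocation of the existing options plus the additions the message describes.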
diff --git a/etc/globaltime.profile b/etc/globaltime.profile
index 5662dba69..b9b2c008d 100644
--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -7,22 +7,25 @@ include /etc/firejail/globaltime.local
noblacklist ${HOME}/.config/globaltime
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
+no3d
+nogroups
nonewprivs
noroot
+nosound
+novideo
protocol unix,inet,inet6
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
+
private-dev
-# private-tmp
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index af6da6cd4..6258b1f77 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -24,7 +24,6 @@ nosound
novideo
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index e64f62b70..90749be8c 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
seccomp
shell none
+private
private-bin gnome-calculator
private-dev
#private-etc fonts
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 5d2a90b64..ec5914e37 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -25,7 +25,6 @@ nosound
novideo
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index abdb6bfb5..d571aff88 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,7 +21,6 @@ noroot
novideo
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 93823d0f4..158311711 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -23,7 +23,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 0ba059365..c670d5ec7 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -17,7 +17,6 @@ nonewprivs
noroot
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index ed6b11002..c373cc34c 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -13,13 +13,25 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
+
caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
nonewprivs
noroot
-netfilter
+novideo
protocol unix,inet,inet6,netlink
seccomp
+shell none
-#whitelist ~/.pulse
-#whitelist ~/.config/pulse
-whitelist ~/.config/Google Play Music Desktop Player
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index f457f0590..d1dee8914 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-net none
nogroups
nonewprivs
noroot
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index 929888e88..bc5d7dddf 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
# Persistent customizations should go in a .local file.
include /etc/firejail/gucharmap.local
-private
-#include /etc/firejail/disable-common.inc
-#include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
caps.drop all
-netfilter
+no3d
+nogroups
nonewprivs
noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+
+private
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 0f3f32250..ccff63708 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -7,24 +7,23 @@ include /etc/firejail/handbrake.local
noblacklist ~/.config/ghb
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
+nogroups
nonewprivs
noroot
-# netlink required!
+nosound
+novideo
protocol unix,inet,inet6,netlink
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
-#private-dev
+
+private-dev
private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 58e7f89f5..327c77696 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -18,8 +18,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
-net none
no3d
shell none
tracelog
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 97a9cb1fd..5d2891321 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
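Review bot: The handbrake hunk deletes the `# netlink required!` comment while keeping `netlink` in `protocol unix,inet,inet6,netlink`; that comment was the only record of why this profile allows a socket family that the rest of the commit removes from similar profiles, so a future tightening pass is likely to strip it and break the application. Please keep the explanation, for example `# netlink is required by handbrake` directly above the protocol line. The hunk also switches the commented `#private-dev` to an active `private-dev`, which is a real behaviour change and worth a word in the commit message alongside the other additions.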
@@ -6,24 +6,24 @@ include /etc/firejail/globals.local
include /etc/firejail/hugin.local
noblacklist ${HOME}/.hugin
+
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
+nogroups
nonewprivs
noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
+
private-dev
private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 00d172f55..1ac5e1fb0 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -18,8 +18,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
-net none
shell none
tracelog
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 0a9d409b9..450e819b9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -8,20 +8,22 @@ include /etc/firejail/inkscape.local
# inkscape
noblacklist ${HOME}/.inkscape
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
nogroups
nonewprivs
noroot
nosound
+novideo
protocol unix
seccomp
-
-noexec ${HOME}
-noexec /tmp
+shell none
private-dev
private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 32b43cdf1..56cf43104 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -21,8 +21,6 @@ include /etc/firejail/disable-devel.inc
#Options
caps.drop all
#ipc-namespace
-net none
-netfilter
no3d
nogroups
nonewprivs
diff --git a/etc/kate.profile b/etc/kate.profile
index 832f3614f..c4178a776 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -25,7 +25,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 0ea5dbcb3..24d7daa89 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -5,27 +5,26 @@ include /etc/firejail/globals.local
# Persistent customizations should go in a .local file.
include /etc/firejail/kcalc.local
-################################
-# Generic GUI application profile
-################################
include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
caps.drop all
-netfilter
+no3d
+nogroups
nonewprivs
noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
seccomp
+shell none
-#
-# depending on your usage, you can enable some of the commands below:
-#
private
-nogroups
-shell none
-# private-bin program
-# private-etc none
private-dev
private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 34e260f8f..64fe62fb6 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -18,7 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
machine-id
-net none
no3d
nogroups
nonewprivs
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index 0536866fb..fee04b6fb 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -17,7 +17,6 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-net none
no3d
nogroups
nonewprivs
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 4a5503944..4e4c305f0 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,10 +16,8 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
-# To use KeePassHTTP, comment out `net none`
caps.drop all
#ipc-namespace
-net none
no3d
nogroups
nonewprivs
diff --git a/etc/kino.profile b/etc/kino.profile
index b37569340..73b1e060b 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -5,28 +5,25 @@ include /etc/firejail/globals.local
# Persistent customizations should go in a .local file.
include /etc/firejail/kino.local
-################################
-# Generic GUI application profile
-################################
noblacklist ~/.kinorc
noblacklist ~/.kino-history
+
include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
caps.drop all
-netfilter
+nogroups
nonewprivs
noroot
-protocol unix,inet,inet6
+novideo
+protocol unix
seccomp
+shell none
+
+private-dev
+private-tmp
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
-# shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
index e7da44215..6a1233db0 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -20,7 +20,6 @@ noroot
nosound
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 59c2827cd..c19f1c5ef 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -5,16 +5,15 @@ include /etc/firejail/globals.local
# Persistent customizations should go in a .local file.
include /etc/firejail/ktorrent.local
-################################
-# Generic GUI application profile
-################################
noblacklist ~/.config/ktorrentrc
noblacklist ~/.local/share/ktorrent
noblacklist ~/.kde/share/config/ktorrentrc
noblacklist ~/.kde4/share/config/ktorrentrc
noblacklist ~/.kde/share/apps/ktorrent
noblacklist ~/.kde4/share/apps/ktorrent
+
include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
@@ -36,17 +35,18 @@ include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
+no3d
+nogroups
nonewprivs
noroot
+nosound
+novideo
protocol unix,inet,inet6
seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
shell none
-# private-bin program
-# private-etc none
+
private-dev
-# private-tmp
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 1c4d09f67..342427090 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -25,7 +25,6 @@ noroot
#nosound - KWrite is using ALSA!
protocol unix
seccomp
-netfilter
shell none
tracelog
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 5ae025d6d..7403a13ab 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -6,24 +6,24 @@ include /etc/firejail/globals.local include /etc/firejail/leafpad.local noblacklist ${HOME}/.config/leafpad + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev + +noexec ${HOME} +noexec /tmp diff --git a/etc/liferea.profile b/etc/liferea.profile index 92b3b8f88..f11137cdd 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile @@ -20,10 +20,28 @@ noblacklist ~/.cache/liferea mkdir ~/.cache/liferea whitelist ~/.cache/liferea +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-common.inc -include /etc/firejail/default.profile +caps.drop all +#ipc-namespace +netfilter +#no3d nogroups +nonewprivs +noroot +#nosound +novideo +protocol unix,inet,inet6 +seccomp shell none + private-dev private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6ee118f76..0b8742e49 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile 
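Review bot: In the liferea hunk the added `#ipc-namespace`, `#no3d` and `#nosound` are left commented out with no reason recorded, so the next maintainer cannot tell whether they break the application or were simply not tested. Since this hunk also replaces `include /etc/firejail/default.profile` with an explicit directive list, liferea will no longer pick up future hardening of default.profile, which makes recorded rationale for the disabled lines more important, not less. A one-line comment beside each disabled directive, e.g. `#no3d - <reason, TODO confirm>`, would carry that context; the same applies to `#ipc-namespace` in the luminance-hdr hunk below.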
@@ -7,24 +7,26 @@ include /etc/firejail/luminance-hdr.local # luminance-hdr noblacklist ${HOME}/.config/Luminance + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace -netfilter nogroups nonewprivs noroot nosound +novideo protocol unix seccomp shell none tracelog -noexec ${HOME} -noexec /tmp - private-tmp private-dev + +noexec ${HOME} +noexec /tmp diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 28e674ebf..9e8bac878 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile @@ -6,24 +6,25 @@ include /etc/firejail/globals.local include /etc/firejail/lximage-qt.local noblacklist .config/lximage-qt + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index fd5136578..49057d0ab 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile 
@@ -7,24 +7,24 @@ include /etc/firejail/lxmusic.local noblacklist ~/.cache/xmms2 noblacklist ~/.config/xmms2 + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -# nosound + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index 76593df0b..75b51f96d 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile @@ -6,24 +6,26 @@ include /etc/firejail/globals.local include /etc/firejail/mate-calc.local noblacklist ${HOME}/.config/mate-calc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 6db3dd624..b9b445ac6 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile 
@@ -3,27 +3,28 @@ include /etc/firejail/globals.local # This file is overwritten during software install. # Persistent customizations should go in a .local file. -include /etc/firejail/default.local +include /etc/firejail/mate-color-select.local -private -#include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index fc4c1c425..4fe0795d2 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile @@ -6,24 +6,27 @@ include /etc/firejail/globals.local include /etc/firejail/mate-dictionary.local noblacklist ${HOME}/.config/mate/mate-dictionary + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d +nogroups nonewprivs noroot +nosound +novideo protocol unix,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 59cb080d3..c6e95cc5c 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile 
@@ -12,15 +12,13 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups nonewprivs +nogroups noroot nosound no3d protocol unix seccomp -netfilter -net none shell none tracelog diff --git a/etc/meld.profile b/etc/meld.profile index bc4cd8356..535745e6f 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -15,8 +15,6 @@ include /etc/firejail/disable-programs.inc caps.drop all #ipc-namespace -net none -netfilter no3d nogroups nonewprivs diff --git a/etc/mousepad.profile b/etc/mousepad.profile index c3e85d55f..fc788fea6 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile @@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nogroups nonewprivs noroot diff --git a/etc/mupdf.profile b/etc/mupdf.profile index e6652e688..39b801e1a 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -18,8 +18,6 @@ noroot nosound protocol unix seccomp -netfilter -net none shell none tracelog diff --git a/etc/nautilus.profile b/etc/nautilus.profile index ef3203eb5..71d2b2192 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile @@ -22,12 +22,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups nonewprivs noroot protocol unix seccomp -netfilter shell none tracelog diff --git a/etc/nemo.profile b/etc/nemo.profile index 1d9124d19..d4bb0d5ff 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile @@ -16,18 +16,14 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +no3d nonewprivs noroot +nosound +novideo protocol unix,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -# nosound + +noexec ${HOME} +noexec /tmp diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index abec7dde2..58440e50f 100644 --- a/etc/odt2txt.profile 
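Review bot: Removing `net none` from the mediainfo hunk (and likewise in meld, mupdf, odt2txt, pdfsam, pdftotext, peek, ranger, transmission-show, viewnior, xpdf and zathura) trades a kernel namespace boundary for a syscall filter; `protocol unix` only blocks inet/inet6/netlink socket families via seccomp, whereas `net none` gives the sandbox its own network namespace, which also isolates the abstract Unix socket namespace, as the xpra.profile comment further down this page points out. For document viewers and converters that have no networking need, the two directives are complementary rather than redundant, and keeping `net none` next to `protocol unix` costs nothing in functionality. If the removal is intentional, the commit message's "cleaned up ... defaults" wording understates it; I would either keep `net none` in these profiles or state in the message that network-namespace isolation is being dropped for them. Dropping `netfilter` alone where no network namespace exists is harmless and is not what this note is about.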
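Review bot: The nautilus hunk removes `nogroups` without re-adding it anywhere in the hunk, and the same happens in nemo (this line), pcmanfm and ranger below, while every other profile in the series either keeps or newly adds `nogroups`. The commit message does not mention it, so it is not clear whether this is deliberate (all four are file managers, so supplementary groups for removable media or similar may be the reason - hedged, I cannot confirm from the diff) or an accidental loss during the template cleanup. If deliberate, a comment such as `# nogroups omitted: <reason, TODO confirm>` in place of the removed line would keep a future hardening pass from re-adding it; if not, `nogroups` should be restored in these four profiles.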
+++ b/etc/odt2txt.profile @@ -18,8 +18,6 @@ noroot nosound protocol unix seccomp -netfilter -net none no3d shell none tracelog diff --git a/etc/okular.profile b/etc/okular.profile index 982f524fa..351083582 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -21,7 +21,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs nogroups noroot diff --git a/etc/openshot.profile b/etc/openshot.profile index bc4ccc46a..25c803512 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile @@ -8,13 +8,23 @@ include /etc/firejail/openshot.local # OpenShot profile noblacklist ${HOME}/.openshot noblacklist ${HOME}/.openshot_qt + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/orage.profile b/etc/orage.profile index ea577f873..ee96076eb 100644 --- a/etc/orage.profile +++ b/etc/orage.profile @@ -7,24 +7,26 @@ include /etc/firejail/orage.local noblacklist ${HOME}/.config/orage noblacklist ${HOME}/.local/share/orage + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp +disable-mnt +noexec ${HOME} +noexec /tmp diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 68d002f2d..67ab7f9e6 100644 
--- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile @@ -15,21 +15,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -nogroups +no3d nonewprivs noroot nosound +novideo protocol unix seccomp shell none tracelog - -# -# depending on your usage, you can enable some of the commands below: -# -# private-bin program -# private-etc none -# private-dev -# private-tmp - diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index b46ac9294..4adb01c3f 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -19,8 +19,6 @@ include /etc/firejail/disable-devel.inc #Options caps.drop all #ipc-namespace -net none -netfilter no3d nogroups nonewprivs diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index a6b2b2f78..882b10678 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -18,8 +18,6 @@ noroot nosound protocol unix seccomp -netfilter -net none no3d shell none tracelog diff --git a/etc/peek.profile b/etc/peek.profile index bac3e0a99..cf60452d3 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -14,7 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -net none no3d nogroups nonewprivs diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index e3ffad9a1..9500731fe 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local # Firejail profile for Psi+ noblacklist ${HOME}/.config/psi+ noblacklist ${HOME}/.local/share/psi+ + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc 
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+ mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ +include /etc/firejail/whitelist-common.inc + caps.drop all netfilter +no3d +nogroups +nonewprivs noroot +novideo protocol unix,inet,inet6 seccomp +shell none -include /etc/firejail/whitelist-common.inc +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index bc92e50ea..f6458de86 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile @@ -23,3 +23,5 @@ shell none tracelog private-tmp + +noexec /tmp diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 907de5e8f..fdfd7ab72 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -21,3 +21,5 @@ shell none tracelog private-tmp + +noexec /tmp diff --git a/etc/qlipper.profile b/etc/qlipper.profile index a5ef53112..6989acb7a 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile @@ -6,26 +6,26 @@ include /etc/firejail/globals.local include /etc/firejail/qlipper.local noblacklist ${HOME}/.config/Qlipper + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp +shell none +private-dev +private-tmp +disable-mnt - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups -shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound +noexec ${HOME} +noexec /tmp diff --git a/etc/ranger.profile b/etc/ranger.profile index 7103f821d..55e43d13b 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile 
@@ -18,14 +18,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -net none -nogroups nonewprivs noroot protocol unix seccomp nosound -private-tmp private-dev diff --git a/etc/ristretto.profile b/etc/ristretto.profile index ca4b1a64d..5c72f9eb8 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile @@ -10,22 +10,23 @@ noblacklist ~/.Steam noblacklist ~/.steam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/skype.profile b/etc/skype.profile index 8b97c7152..7c7a4eb17 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -7,17 +7,22 @@ include /etc/firejail/skype.local # Skype profile noblacklist ${HOME}/.Skype + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +private-dev private-tmp disable-mnt diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 71bc1b9a6..a2f693945 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile 
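Review bot: The ranger hunk also drops `private-tmp`, leaving only `private-dev`, which is a second unmentioned relaxation on top of the `nogroups` removal raised above. Every other profile touched in this commit gains or keeps `private-tmp`, so this looks more like an oversight than a policy change, though it may be needed so ranger can see files handed to it via /tmp (unconfirmed). Either restore `private-tmp` or record the reason next to the remaining `private-dev` line.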
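Review bot: The skype hunk adds `include /etc/firejail/disable-devel.inc` directly above an existing `include /etc/firejail/disable-devel.inc`, so the profile now includes the same file twice, and it is the only profile in this series without `include /etc/firejail/disable-passwdmgr.inc`. The pre-existing second line was presumably meant to be the passwdmgr include, as the skypeforlinux hunk immediately below has it; I would change that context line to `include /etc/firejail/disable-passwdmgr.inc` rather than leaving a duplicate. Note that the duplicate is a pre-existing line and only becomes redundant because of this commit.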
@@ -7,16 +7,22 @@ include /etc/firejail/skypeforlinux.local # skypeforlinux profile noblacklist ${HOME}/.config/skypeforlinux + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups +nonewprivs noroot -seccomp protocol unix,inet,inet6,netlink +seccomp +shell none +private-dev private-tmp disable-mnt diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index ffabdef76..c714fc70a 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -8,19 +8,24 @@ include /etc/firejail/synfigstudio.local # synfigstudio noblacklist ${HOME}/.config/synfig noblacklist ${HOME}/.synfig + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +nogroups nonewprivs noroot +nosound +novideo protocol unix seccomp - -noexec ${HOME} -noexec /tmp +shell none private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/tracker.profile b/etc/tracker.profile index f2c91be86..d7b68ea5c 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile @@ -22,7 +22,6 @@ nosound no3d protocol unix seccomp -netfilter shell none tracelog diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 8d1e1eac2..2447edc35 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile @@ -15,8 +15,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -net none nonewprivs noroot nosound diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 20f738d42..3b2b54264 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile @@ -19,7 +19,6 @@ blacklist ~/.bashrc blacklist ~/.Xauthority caps.drop all -net none nogroups nonewprivs noroot 
diff --git a/etc/vym.profile b/etc/vym.profile index 4139ea901..13fa08d4f 100644 --- a/etc/vym.profile +++ b/etc/vym.profile @@ -6,25 +6,26 @@ include /etc/firejail/globals.local include /etc/firejail/vym.local noblacklist ./.config/InSilmaril + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -# no network connectivity +nosound +novideo protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin vym -# private-etc none + private-dev private-tmp -nosound +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 7a6d620cf..aaef6bb60 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile @@ -20,7 +20,6 @@ noroot nosound protocol unix seccomp -netfilter shell none tracelog diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile index 4e466352d..08ae17a55 100644 --- a/etc/xfce4-dict.profile +++ b/etc/xfce4-dict.profile @@ -6,24 +6,27 @@ include /etc/firejail/globals.local include /etc/firejail/xfce4-dict.local noblacklist ${HOME}/.config/xfce4-dict + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d +nogroups nonewprivs noroot +nosound +novideo protocol unix,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp +disable-mnt +noexec ${HOME} +noexec /tmp diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index 737bb0a23..544225920 100644 --- a/etc/xfce4-notes.profile 
+++ b/etc/xfce4-notes.profile @@ -8,23 +8,26 @@ include /etc/firejail/xfce4-notes.local noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc noblacklist ${HOME}/.local/share/notes + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 611c7b379..957636124 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile @@ -30,6 +30,7 @@ netfilter nogroups nonewprivs noroot +novideo protocol unix,inet,inet6 seccomp shell none diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 5b3018ce8..1f2344e21 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -9,17 +9,25 @@ include /etc/firejail/xpdf.local # xpdf application profile ################################ noblacklist ${HOME}/.xpdfrc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -net none +no3d +nogroups nonewprivs noroot +nosound +novideo protocol unix -shell none seccomp +shell none private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/xpra.profile b/etc/xpra.profile index a41ee2613..c8bb3ef52 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile 
@@ -23,7 +23,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all # xpra needs to be allowed access to the abstract Unix socket namespace. -#net none nogroups nonewprivs # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. diff --git a/etc/zathura.profile b/etc/zathura.profile index 18afe3bfa..53e905e9c 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -14,8 +14,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -net none nogroups nonewprivs noroot -- cgit v1.2.3-54-g00ecf