From 2e1b94c4251e6a841672f3df96e3d503d380ef1b Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 10 Jul 2016 00:00:11 +1000 Subject: private-bin conversion --- etc/audacity.profile | 11 +++++++---- etc/aweather.profile | 19 ++++++++++--------- etc/gitter.profile | 7 ++++++- etc/gpredict.profile | 19 ++++++++++--------- etc/palemoon.profile | 24 ++++++++++++------------ etc/rhythmbox.profile | 6 ++++++ etc/spotify.profile | 5 +++++ etc/stellarium.profile | 23 ++++++++++++----------- etc/warzone2100.profile | 11 ++++++++--- etc/xplayer.profile | 5 +++++ etc/xviewer.profile | 11 ++++++++--- 11 files changed, 89 insertions(+), 52 deletions(-) diff --git a/etc/audacity.profile b/etc/audacity.profile index 8971ce1a2..162201cb8 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -7,10 +7,13 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -netfilter nonewprivs -noroot nogroups -#private-bin audacity -protocol unix,inet,inet6 +noroot +protocol unix seccomp +shell none +tracelog + +private-bin audacity +private-dev diff --git a/etc/aweather.profile b/etc/aweather.profile index dd508e736..d617fb701 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -1,24 +1,25 @@ # Firejail profile for aweather. - -# Noblacklist noblacklist ~/.config/aweather - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.config +mkdir ~/.config/aweather +whitelist ~/.config/aweather + caps.drop all netfilter nonewprivs +nogroups noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.config -mkdir ~/.config/aweather -whitelist ~/.config/aweather +private-bin aweather +private-dev diff --git a/etc/gitter.profile b/etc/gitter.profile index 0c2bd1353..2882c59a6 100644 --- a/etc/gitter.profile 
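Review bot: Dropping `netfilter` and narrowing to `protocol unix` does not take Audacity off the network; as I understand the protocol option it is a seccomp filter on socket() families, so the sandbox still shares the host network namespace and anything reached through an already-open or inherited descriptor is unaffected. If the intent is an offline profile, `net none` states that directly and does not depend on the seccomp filter being active, so I would add `net none` next to `protocol unix`. The xviewer hunk at the end of this patch makes the identical netfilter/protocol change and would benefit from the same line. Separately, `#private-bin audacity` was commented out before this change; if that was because Audacity failed under private-bin, it is worth confirming the cause is gone, since `shell none` in the same hunk also removes any helper script it might spawn.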
+++ b/etc/gitter.profile @@ -1,6 +1,5 @@ # Firejail profile for Gitter noblacklist ~/.config/Gitter - include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc @@ -8,6 +7,12 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +nonewprivs +nogroups noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-bin gitter +private-dev diff --git a/etc/gpredict.profile b/etc/gpredict.profile index ba9fce37b..02bb4d24d 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -1,24 +1,25 @@ # Firejail profile for gpredict. - -# Noblacklist noblacklist ~/.config/Gpredict - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.config +mkdir ~/.config/Gpredict +whitelist ~/.config/Gpredict + caps.drop all netfilter nonewprivs +nogroups noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.config -mkdir ~/.config/Gpredict -whitelist ~/.config/Gpredict +private-bin gpredict +private-dev diff --git a/etc/palemoon.profile b/etc/palemoon.profile index a74954ddb..302c20d7d 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile 
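Review bot: `nonewprivs` is new in the second gitter hunk, and Gitter is, to my knowledge, an Electron application; if its bundled Chromium sandbox relies on a setuid helper, no_new_privs stops that helper from gaining privileges and the app may refuse to start unless it falls back to unprivileged user namespaces. A launch test before merging would settle this, and whichever way it goes a one-line comment next to `nonewprivs` recording the result would save the next person the same investigation. The same hunk's `private-bin gitter` deserves a check that /usr/bin/gitter is the real executable rather than a wrapper script or a symlink into an /opt install; if it is a script, its interpreter must be listed too, and `shell none` removes the fallback.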
@@ -1,31 +1,30 @@ # Firejail profile for Pale Moon - -# Noblacklists noblacklist ~/.moonchild productions/pale moon noblacklist ~/.cache/moonchild productions/pale moon - -# Included profiles include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/whitelist-common.inc -# Options +whitelist ${DOWNLOADS} +mkdir ~/.moonchild productions +whitelist ~/.moonchild productions +mkdir ~/.cache +mkdir ~/.cache/moonchild productions +mkdir ~/.cache/moonchild productions/pale moon +whitelist ~/.cache/moonchild productions/pale moon + caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none tracelog -whitelist ${DOWNLOADS} -mkdir ~/.moonchild productions -whitelist ~/.moonchild productions -mkdir ~/.cache -mkdir ~/.cache/moonchild productions -mkdir ~/.cache/moonchild productions/pale moon -whitelist ~/.cache/moonchild productions/pale moon +private-bin palemoon # These are uncommented in the Firefox profile. If you run into trouble you may # want to uncomment (some of) them. @@ -56,3 +55,4 @@ whitelist ~/.config/lastpass # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +#private-dev (disabled for now as it will interfere with webcam use in palemoon) diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 0782a653d..9f087ea1d 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -5,8 +5,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +nogroups netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +tracelog + +private-bin rhythmbox +private-dev diff --git a/etc/spotify.profile b/etc/spotify.profile index 9ba25b818..ca575970b 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
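Review bot: `private-bin palemoon` together with `shell none` leaves only the palemoon executable in /usr/bin, which for a browser removes the programs it hands off to — xdg-open for mailto: and other external handlers, and any wrapper script the package installs in place of the real binary (I cannot tell from the patch whether this build uses one). This does not fail at startup but only when a user clicks a link that needs an external handler, so it deserves an explicit test and, if extra binaries are required, an extended list on the same line. The spotify hunk has the same exposure for an application that opens URLs in an external browser. A short comment such as `# private-bin: tested with external link handling` would tell the next reviewer what was covered.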
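Review bot: In the rhythmbox hunk `nogroups` is inserted between `caps.drop all` and `netfilter`, while the audacity, aweather and gitter hunks place it after `nonewprivs` and the palemoon, spotify, stellarium and warzone2100 hunks place it before `nonewprivs`; the option block ends up in a different order in almost every profile touched by this patch. Since the options are order-independent, picking one order (alphabetical is the easiest to keep) makes the profiles diff cleanly against each other and makes a missing option obvious at a glance. For rhythmbox that would be `netfilter` / `nogroups` / `nonewprivs` / `noroot`, matching the palemoon hunk.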
@@ -24,7 +24,12 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-bin spotify +private-dev diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 148ec949d..d0c1326b3 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile @@ -1,28 +1,29 @@ # Firejail profile for Stellarium. - -# Noblacklist noblacklist ~/.stellarium noblacklist ~/.config/stellarium - -# Include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Call these options +# Whitelist +mkdir ~/.stellarium +whitelist ~/.stellarium +mkdir ~/.config +mkdir ~/.config/stellarium +whitelist ~/.config/stellarium + caps.drop all netfilter +nogroups nonewprivs noroot +nosound protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.stellarium -whitelist ~/.stellarium +private-bin stellarium +private-dev -mkdir ~/.config -mkdir ~/.config/stellarium -whitelist ~/.config/stellarium diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index ceeaca012..ff37e2800 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -6,15 +6,20 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# Whitelist +mkdir ~/.warzone2100-3.1 +whitelist ~/.warzone2100-3.1 + # Call these options caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none tracelog -# Whitelist -mkdir ~/.warzone2100-3.1 -whitelist ~/.warzone2100-3.1 +private-bin warzone2100 +private-dev diff --git a/etc/xplayer.profile b/etc/xplayer.profile index cd9cbed45..a46b2fa06 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile 
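Review bot: `private-dev` in the warzone2100 hunk should be checked against controller support: whether Firejail's minimal /dev keeps /dev/input for joysticks and gamepads is not something I can confirm from here, and if it is dropped, gamepad users see a silent loss of input rather than an error. If testing shows it is missing, either leave `private-dev` out with a comment explaining why, as the palemoon hunk does for webcam use, or document the limitation next to the line. The moved `mkdir ~/.warzone2100-3.1` / `whitelist ~/.warzone2100-3.1` pair pins a version-specific directory; that is pre-existing rather than new, but a comment such as `# Warzone 2100 3.1 stores data in ~/.warzone2100-3.1; adjust for other releases` would make the eventual breakage easier to diagnose.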
@@ -10,7 +10,12 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter nonewprivs +nogroups noroot protocol unix,inet,inet6 seccomp +shell none tracelog + +private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer +private-dev diff --git a/etc/xviewer.profile b/etc/xviewer.profile index 51949526d..7a4ae4858 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile @@ -6,9 +6,14 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -noroot nonewprivs -protocol unix,inet,inet6 +nogroups +noroot +nosound +protocol unix seccomp +shell none tracelog + +private-dev +private-bin xviewer -- cgit v1.2.3-54-g00ecf
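Review bot: `private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer` only works if each listed name is a native executable; if either helper is an interpreted script (the patch does not show this), its interpreter must be listed as well, otherwise the helper fails silently inside the sandbox, and `shell none` in the same hunk removes the usual fallback. Checking each path's file type before merging and adding a comment on the line noting which helpers are needed and why would close that gap.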
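Review bot: In the xviewer hunk `private-dev` precedes `private-bin xviewer`, the reverse of every other profile in this patch; swapping the two lines to `private-bin xviewer` then `private-dev` keeps the profiles consistent. The removal of `netfilter` and the inet protocols without a `net none` is the same point raised on the audacity hunk and applies here unchanged.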