From 39dc3c893b5d895ed9db9071dd47b3de7b28f2fd Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 7 Aug 2017 14:24:51 -0400
Subject: Unify last 8 profiles
---
 etc/Xephyr.profile | 32 +++++++++++++++----------------
 etc/Xvfb.profile | 30 ++++++++++++++---------------
 etc/baloo_file.profile | 27 +++++++++++++------------
 etc/brave.profile | 51 ++++++++++++++++++++++----------------------
 etc/default.profile | 37 +++++++++++++++++++++--------------
 etc/openbox.profile | 14 ++++++-------
 etc/server.profile | 30 ++++++++++++++++++++--------
 etc/snap.profile | 17 ++++++++--------
 etc/xpra.profile | 37 ++++++++++++++++++------------------
 9 files changed, 141 insertions(+), 134 deletions(-)
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 22c0202ee..db3b3858c 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -1,9 +1,9 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for Xephyr
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/Xephyr.local
+# Persistent global definitions
 include /etc/firejail/globals.local
 #
 # This profile will sandbox Xephyr server itself when used with firejail --x11=xephyr.
@@ -15,26 +15,26 @@ include /etc/firejail/Xephyr.local
 #
-# using a private home directory
-private
+blacklist /media
+whitelist /var/lib/xkb
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
 nogroups
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
-#noroot
+# noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
+# using a private home directory
+private
+# private-bin Xephyr,sh,xkbcomp
+# private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
 private-dev
+# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
 private-tmp
-#private-bin Xephyr,sh,xkbcomp,strace,bash,cat,ls
-#private-bin Xephyr,sh,xkbcomp
-#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-
-blacklist /media
-whitelist /var/lib/xkb
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 8eba82db1..ce17a9732 100644
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -1,10 +1,10 @@
-# Persistent global definitions go here
+# Firejail profile for Xvfb
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Xvfb.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/xvfb.local
-
 #
 # This profile will sandbox Xvfb server itself when used with firejail --x11=xvfb.
 # The target program is sandboxed with its own profile. By default the this functionality
@@ -16,9 +16,10 @@ include /etc/firejail/xvfb.local
 # some Linux distributions. Also, older versions of Xpra use Xvfb.
 #
+blacklist /media
-# using a private home directory
-private
+whitelist /var/lib/xkb
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
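Review bot: In the first Xvfb hunk the local-override include changes from `include /etc/firejail/xvfb.local` to `include /etc/firejail/Xvfb.local`, so a deployment that already keeps site hardening or overrides in /etc/firejail/xvfb.local silently loses them after this update; neither the hunk nor the commit message mentions the rename. As far as I recall, a missing `.local` include is skipped without error, so keeping the old line for a transition period costs nothing: add `include /etc/firejail/xvfb.local` next to the new one, or at least call the rename out in the changelog so admins know to move the file.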
@@ -27,15 +28,14 @@ nonewprivs
 # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
+# using a private home directory
+private
+# private-bin Xvfb,sh,xkbcomp
+# private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
 private-dev
-private-tmp
 private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname
-#private-bin Xvfb,sh,xkbcomp,strace,bash,cat,ls
-#private-bin Xvfb,sh,xkbcomp
-
-blacklist /media
-whitelist /var/lib/xkb
+private-tmp
diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile
index 2fe6d1927..9c2909b0f 100644
--- a/etc/baloo_file.profile
+++ b/etc/baloo_file.profile
@@ -1,21 +1,21 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for baloo_file
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/baloo_file.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# KDE Baloo file daemon profile
-noblacklist ${HOME}/.kde4/share/config/baloofilerc
-noblacklist ${HOME}/.kde4/share/config/baloorc
+noblacklist ${HOME}/.config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloofilerc
 noblacklist ${HOME}/.kde/share/config/baloorc
-noblacklist ${HOME}/.config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloofilerc
+noblacklist ${HOME}/.kde4/share/config/baloorc
 noblacklist ${HOME}/.local/share/baloo
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
@@ -26,7 +26,6 @@ novideo
 protocol unix
 # Baloo makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
-
 x11 xorg
 private-dev
@@ -37,6 +36,6 @@ noexec /tmp
 # Make home directory read-only and allow writing only to ~/.local/share
 # Note: Baloo will not be able to update the "first run" key in its configuration files.
-#read-only ${HOME}
-#read-write ${HOME}/.local/share
-#noexec ${HOME}/.local/share
+# noexec ${HOME}/.local/share
+# read-only ${HOME}
+# read-write ${HOME}/.local/share
diff --git a/etc/brave.profile b/etc/brave.profile
index e73dd37a2..20dbf6c52 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,43 +1,36 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for brave
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/brave.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Profile for Brave browser
 noblacklist ~/.config/brave
-noblacklist ~/.pki
-
 # brave uses gpg for built-in password manager
 noblacklist ~/.gnupg
+noblacklist ~/.pki
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-
-#caps.drop all
-netfilter
-#nonewprivs
-#noroot
-#protocol unix,inet,inet6,netlink
-#seccomp
-
-#disable-mnt
-
-whitelist ${DOWNLOADS}
+include /etc/firejail/disable-programs.inc
 mkdir ~/.config/brave
-whitelist ~/.config/brave
 mkdir ~/.pki
-whitelist ~/.pki
-
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
+whitelist ${DOWNLOADS}
 whitelist ~/.config/KeePass
-whitelist ~/.lastpass
+whitelist ~/.config/brave
+whitelist ~/.config/keepass
 whitelist ~/.config/lastpass
-
+whitelist ~/.keepass
+whitelist ~/.lastpass
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+
+# caps.drop all
 netfilter
+# nonewprivs
+# noroot
+# protocol unix,inet,inet6,netlink
+# seccomp
+
+# disable-mnt
diff --git a/etc/default.profile b/etc/default.profile
index 44a9e548b..693f89ad3 100644
--- a/etc/default.profile
+++ b/etc/default.profile
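Review bot: The two comments that justified exposing password-manager directories to the browser sandbox (`# lastpass, keepass` and `# for keepass we additionally need to whitelist our .kdbx password database`) are removed while the `whitelist ~/.keepass`, `~/.config/keepass`, `~/.config/KeePass`, `~/.lastpass` and `~/.config/lastpass` lines survive, so the next reader has no record of why those paths are reachable from Brave. Keep a one-line form above the whitelist block, e.g. `# password managers (LastPass, KeePass incl. its .kdbx databases) need to be reachable from the browser`. Separately, `caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink` and `seccomp` are all still commented out on the new side, leaving `netfilter` as the only process-level restriction in this profile; since the commit reformats that block anyway, it is the natural place to record why they are off, e.g. `# caps/seccomp/noroot intentionally disabled: <reason> — revisit before enabling` with the real reason filled in.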
@@ -1,31 +1,38 @@
-# Persistent global definitions go here
+# Firejail profile for default
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/default.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/default.local
+# generic gui profile
+# depending on your usage, you can enable some of the commands below:
-################################
-# Generic GUI application profile
-################################
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+# ipc-namespace
 netfilter
+# nogroups
 nonewprivs
 noroot
+# nosound
+# novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
 # shell none
+
+# disable-mnt
+# private
 # private-bin program
-# private-etc none
 # private-dev
+# private-etc none
+# private-lib
 # private-tmp
-# nosound
+
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/openbox.profile b/etc/openbox.profile
index 4104e1e08..99c579c37 100644
--- a/etc/openbox.profile
+++ b/etc/openbox.profile
@@ -1,14 +1,12 @@
-# Persistent global definitions go here
+# Firejail profile for openbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/openbox.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/openbox.local
+# all applications started in OpenBox will run in this profile
-#######################################
-# OpenBox window manager profile
-# - all applications started in OpenBox will run in this profile
-#######################################
 include /etc/firejail/disable-common.inc
 caps.drop all
diff --git a/etc/server.profile b/etc/server.profile
index 2d79fa1c8..b0dd13f80 100644
--- a/etc/server.profile
+++ b/etc/server.profile
@@ -1,25 +1,37 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for server
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/server.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 # generic server profile
 # it allows /sbin and /usr/sbin directories - this is where servers are installed
+# depending on your usage, you can enable some of the commands below:
+
+blacklist /tmp/.X11-unix
+
 noblacklist /sbin
 noblacklist /usr/sbin
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-blacklist /tmp/.X11-unix
-
+caps
 no3d
 nosound
 seccomp
-caps
+# disable-mnt
 private
+# private-bin program
 private-dev
+# private-etc none
+# private-lib
 private-tmp
+
+# memory-deny-write-execute
+# noexec ${HOME}
+# noexec /tmp
diff --git a/etc/snap.profile b/etc/snap.profile
index 8493fcbd3..38aef7c23 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
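Review bot: `caps` is moved up to sit with `no3d`/`nosound`/`seccomp`, but nothing explains why this generic server profile keeps the default capability filter while most other profiles in this commit use `caps.drop all`; a future "unification" pass could tighten it blindly and break services, or leave it loose without anyone noticing. A short comment on the moved line would settle that, e.g. `# caps (default filter) rather than caps.drop all: servers typically need to bind privileged ports and drop privileges themselves — verify per service, or use caps.keep with an explicit list`. Also, the new `# depending on your usage, you can enable some of the commands below:` is followed directly by the active `blacklist /tmp/.X11-unix`, `noblacklist` and `include` lines rather than by the commented options it describes; moving it down to just above `# disable-mnt` reads correctly (the same placement issue appears in the default.profile hunk, where it now precedes the active includes).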
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for snap
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/snap.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-################################
 # Generic Ubuntu snap application profile
-################################
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-whitelist ~/snap
 whitelist ${DOWNLOADS}
+whitelist ~/snap
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index c8bb3ef52..ed393d70b 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -1,10 +1,9 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xpra
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xpra.local
-
+# Persistent global definitions
+include /etc/firejail/globals.local
 #
 # This profile will sandbox Xpra server itself when used with firejail --x11=xpra.
@@ -14,12 +13,15 @@ include /etc/firejail/xpra.local
 #
 # or run "sudo firecfg"
-# private home directory doesn't work on some distros, so we go for a regular home
-#private
+blacklist /media
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+whitelist /var/lib/xkb
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 # xpra needs to be allowed access to the abstract Unix socket namespace.
@@ -28,17 +30,14 @@ nonewprivs
 # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix.
 #noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
-
+# private home directory doesn't work on some distros, so we go for a regular home
+# private
+# older Xpra versions also use Xvfb
+# private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
 private-dev
+# private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
 private-tmp
-# older Xpra versions also use Xvfb
-#private-bin xpra,python,Xvfb,Xorg,sh,xkbcomp,xauth,dbus-launch,pactl,ldconfig,which,strace,bash,cat,ls
-#private-etc ld.so.conf,ld.so.cache,resolv.conf,host.conf,nsswitch.conf,gai.conf,hosts,hostname,machine-id,xpra,X11
-
-blacklist /media
-whitelist /var/lib/xkb
-
--
cgit v1.2.3-70-g09d2
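Review bot: `whitelist /var/lib/xkb` and `include /etc/firejail/whitelist-common.inc` are new in a profile that, per the comment this same commit keeps (`# private home directory doesn't work on some distros, so we go for a regular home`), runs the Xpra server against the user's real home. If whitelist-common.inc contributes `${HOME}` entries, as I believe it does, the first whitelisted home path switches the sandbox to whitelist mode and everything else under the user's home becomes invisible to Xpra, including any per-user state it keeps there; that should be confirmed on one of the distros where `private` was not usable, and any needed paths added next to `whitelist /var/lib/xkb`. The Xephyr and Xvfb hunks add the same include alongside an active `private`, where a one-line comment such as `# whitelist-common.inc is combined with a private home here — verify the whitelisted home paths still resolve` would save the next reader the same question.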