From 55938d07a58d29ceb893e4554a4ddf3c41810fc9 Mon Sep 17 00:00:00 2001 
From: smitsohu Date: Sun, 22 Oct 2017 11:34:51 +0200 Subject: disable non-abstract session bus address systematically blacklist /run/user/*/bus in all profiles with 'net none'. targets distros like Fedora --- etc/7z.profile | 1 + etc/apktool.profile | 1 + etc/ardour5.profile | 1 + etc/atom.profile | 4 +++- etc/audacity.profile | 2 ++ etc/baobab.profile | 1 + etc/bleachbit.profile | 1 + etc/bless.profile | 2 ++ etc/bluefish.profile | 1 + etc/calligra.profile | 2 ++ etc/catfish.profile | 4 ++++ etc/cin.profile | 2 ++ etc/clamav.profile | 1 + etc/cpio.profile | 1 + etc/dex2jar.profile | 1 + etc/dia.profile | 2 ++ etc/display.profile | 1 + etc/ebook-viewer.profile | 1 + etc/engrampa.profile | 1 + etc/eog.profile | 2 ++ etc/eom.profile | 2 ++ etc/etr.profile | 2 ++ etc/evince.profile | 2 ++ etc/exiftool.profile | 1 + etc/feh.profile | 1 + etc/ffmpeg.profile | 2 ++ etc/file-roller.profile | 1 + etc/file.profile | 1 + etc/freecad.profile | 1 + etc/frozen-bubble.profile | 2 ++ etc/galculator.profile | 2 ++ etc/gedit.profile | 1 + etc/gimp.profile | 2 ++ etc/gpicview.profile | 2 ++ etc/gzip.profile | 1 + etc/hashcat.profile | 2 ++ etc/highlight.profile | 1 + etc/hugin.profile | 2 ++ etc/imagej.profile | 1 + etc/img2txt.profile | 1 + etc/jd-gui.profile | 2 ++ etc/kdenlive.profile | 1 + etc/keepassx.profile | 2 ++ etc/keepassxc.profile | 2 ++ etc/krita.profile | 1 + etc/less.profile | 1 + etc/lmms.profile | 1 + etc/macrofusion.profile | 1 + etc/mate-calc.profile | 2 ++ etc/mediainfo.profile | 1 + etc/meld.profile | 2 ++ etc/mupdf.profile | 1 + etc/mupen64plus.profile | 2 ++ etc/natron.profile | 4 ++-- etc/odt2txt.profile | 1 + etc/open-invaders.profile | 2 ++ etc/pcmanfm.profile | 2 ++ etc/pdfmod.profile | 1 + etc/pdfsam.profile | 2 ++ etc/pdftotext.profile | 1 + etc/peek.profile | 2 ++ etc/pingus.profile | 2 ++ etc/pinta.profile | 1 + etc/pluma.profile | 2 ++ etc/ranger.profile | 2 ++ etc/scribus.profile | 2 ++ etc/sdat2img.profile | 1 + etc/shotcut.profile | 1 + 
etc/simutrans.profile | 2 ++ etc/skanlite.profile | 1 + etc/soundconverter.profile | 1 + etc/sqlitebrowser.profile | 2 ++ etc/strings.profile | 1 + etc/supertux2.profile | 2 ++ etc/synfigstudio.profile | 2 ++ etc/tar.profile | 1 + etc/terasology.profile | 1 + etc/transmission-show.profile | 2 ++ etc/uefitool.profile | 1 + etc/unrar.profile | 1 + etc/unzip.profile | 1 + etc/uudeview.profile | 1 + etc/viewnior.profile | 1 + etc/x-terminal-emulator.profile | 1 + etc/xcalc.profile | 1 + etc/xed.profile | 2 ++ etc/xpdf.profile | 2 ++ etc/xviewer.profile | 2 ++ etc/xzdec.profile | 1 + etc/zart.profile | 1 + etc/zathura.profile | 2 ++ 91 files changed, 136 insertions(+), 3 deletions(-) diff --git a/etc/7z.profile b/etc/7z.profile index ea67bbe19..ededacbbe 100644 --- a/etc/7z.profile +++ b/etc/7z.profile @@ -6,6 +6,7 @@ include /etc/firejail/7z.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix ignore noroot diff --git a/etc/apktool.profile b/etc/apktool.profile index 13c8f3311..bbf91c264 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile @@ -6,6 +6,7 @@ include /etc/firejail/apktool.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 69b3dde46..1f2228544 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -5,6 +5,7 @@ include /etc/firejail/ardour5.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.config/ardour4 noblacklist ${HOME}/.config/ardour5 diff --git a/etc/atom.profile b/etc/atom.profile index db3cbc687..dc8db46dc 100644 --- a/etc/atom.profile +++ b/etc/atom.profile 
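Review bot: The added `blacklist /run/user/*/bus` in etc/7z.profile, and the same line in the other profiles of this commit, hides the socket at that one path only, so the program is cut off from the session bus only when the bus actually listens there. A session bus reachable at another address (the program would learn it from DBUS_SESSION_BUS_ADDRESS) and the system bus socket are not covered by this rule. The abstract-socket case depends on `net none`, as the commit message implies, and that option is not visible in this hunk because the profile continues outside it. I would record the dependency next to the rule, for example `# path-based session bus socket; abstract sockets are covered by 'net none'`, and track the system bus as a separate item.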
@@ -5,6 +5,8 @@ include /etc/firejail/atom.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus + noblacklist ~/.atom noblacklist ~/.config/Atom @@ -13,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +# net none netfilter nodvd nogroups @@ -23,7 +26,6 @@ notv novideo protocol unix,inet,inet6,netlink seccomp -# net none shell none private-dev diff --git a/etc/audacity.profile b/etc/audacity.profile index 88aea243e..52e32badb 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -5,6 +5,8 @@ include /etc/firejail/audacity.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.audacity-data include /etc/firejail/disable-common.inc diff --git a/etc/baobab.profile b/etc/baobab.profile index ef733632d..52f8af82e 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile @@ -5,6 +5,7 @@ include /etc/firejail/baobab.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index f3498e9b9..e066a606d 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile @@ -5,6 +5,7 @@ include /etc/firejail/bleachbit.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/bless.profile b/etc/bless.profile index e4d2f0730..37d1e856f 100644 --- a/etc/bless.profile +++ b/etc/bless.profile @@ -5,6 +5,8 @@ include /etc/firejail/bless.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.config/bless include /etc/firejail/disable-common.inc 
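Review bot: The commented-out `# blacklist /run/user/*/bus` in etc/atom.profile gives no reason, while the engrampa, eog, eom, file-roller, gedit, pluma and xed hunks say `- makes settings immutable`; the evince, pcmanfm and skanlite hunks carry the same bare comment. In these profiles the session bus stays reachable from inside the sandbox, so a reader should be able to tell whether that is a deliberate trade-off or simply untested. I would state the reason on the line itself, in atom's case something like `# blacklist /run/user/*/bus - only useful together with 'net none' below`, and for the other three whatever broke when the rule was enabled.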
diff --git a/etc/bluefish.profile b/etc/bluefish.profile index 052d03425..66ba0168b 100644 --- a/etc/bluefish.profile +++ b/etc/bluefish.profile @@ -5,6 +5,7 @@ include /etc/firejail/bluefish.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/calligra.profile b/etc/calligra.profile index d2b76d22c..a57694752 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile @@ -5,6 +5,8 @@ include /etc/firejail/calligra.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/catfish.profile b/etc/catfish.profile index 45aa6c35c..139951680 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile @@ -7,7 +7,11 @@ include /etc/firejail/globals.local # We can't blacklist much since catfish # is for finding files/content + +blacklist /run/user/*/bus + noblacklist ~/.config/catfish + include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/cin.profile b/etc/cin.profile index 6b3e3888b..d114e50b1 100644 --- a/etc/cin.profile +++ b/etc/cin.profile @@ -5,6 +5,8 @@ include /etc/firejail/cin.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.bcast5 include /etc/firejail/disable-common.inc diff --git a/etc/clamav.profile b/etc/clamav.profile index a5aacc1d5..c3a0132d0 100644 --- a/etc/clamav.profile +++ b/etc/clamav.profile @@ -6,6 +6,7 @@ include /etc/firejail/clamav.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus caps.drop all ipc-namespace diff --git a/etc/cpio.profile b/etc/cpio.profile index 7f4bc4a84..caee6570e 100644 
--- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -6,6 +6,7 @@ include /etc/firejail/cpio.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix noblacklist /sbin diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 5261bb865..f89e17239 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile @@ -6,6 +6,7 @@ include /etc/firejail/dex2jar.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/dia.profile b/etc/dia.profile index 800c3bbf1..bf3c384ab 100644 --- a/etc/dia.profile +++ b/etc/dia.profile @@ -5,6 +5,8 @@ include /etc/firejail/dia.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.dia include /etc/firejail/disable-common.inc diff --git a/etc/display.profile b/etc/display.profile index d44733e30..41512a0cb 100644 --- a/etc/display.profile +++ b/etc/display.profile @@ -5,6 +5,7 @@ include /etc/firejail/display.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile index 11499aba0..9f7e1382b 100644 --- a/etc/ebook-viewer.profile +++ b/etc/ebook-viewer.profile @@ -1,6 +1,7 @@ # Firejail profile alias for calibre # This file is overwritten after every install/update +blacklist /run/user/*/bus net none diff --git a/etc/engrampa.profile b/etc/engrampa.profile index c198adba9..ae61f1d93 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile 
@@ -5,6 +5,7 @@ include /etc/firejail/engrampa.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus - makes settings immutable include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/eog.profile b/etc/eog.profile index 112ec7c98..c07268e14 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -5,6 +5,8 @@ include /etc/firejail/eog.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus - makes settings immutable + noblacklist ~/.Steam noblacklist ~/.config/eog noblacklist ~/.local/share/Trash diff --git a/etc/eom.profile b/etc/eom.profile index af7ded91a..5e0008ab3 100644 --- a/etc/eom.profile +++ b/etc/eom.profile @@ -5,6 +5,8 @@ include /etc/firejail/eom.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus - makes settings immutable + noblacklist ~/.Steam noblacklist ~/.config/mate/eom noblacklist ~/.local/share/Trash diff --git a/etc/etr.profile b/etc/etr.profile index 2438793a8..579aa570a 100644 --- a/etc/etr.profile +++ b/etc/etr.profile @@ -5,6 +5,8 @@ include /etc/firejail/etr.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.etr include /etc/firejail/disable-common.inc diff --git a/etc/evince.profile b/etc/evince.profile index 516661126..acca8878f 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,6 +5,8 @@ include /etc/firejail/evince.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus + noblacklist ~/.config/evince include /etc/firejail/disable-common.inc diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 75e5be1b9..18d1e3c81 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile 
@@ -6,6 +6,7 @@ include /etc/firejail/exiftool.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix noblacklist /usr/bin/perl diff --git a/etc/feh.profile b/etc/feh.profile index 7935b1354..1320434f1 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -5,6 +5,7 @@ include /etc/firejail/feh.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile index 5db39cf61..acea1e834 100644 --- a/etc/ffmpeg.profile +++ b/etc/ffmpeg.profile @@ -6,6 +6,8 @@ include /etc/firejail/ffmpeg.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 01e689b9d..98b7aad42 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile @@ -5,6 +5,7 @@ include /etc/firejail/file-roller.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus - makes settings immutable include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/file.profile b/etc/file.profile index 2316b8e9b..041bf5ae5 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -6,6 +6,7 @@ include /etc/firejail/file.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc diff --git a/etc/freecad.profile b/etc/freecad.profile index 4fde66839..bac502a5f 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile 
@@ -5,6 +5,7 @@ include /etc/firejail/freecad.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.config/FreeCAD diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 858917c75..0480faf6f 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile @@ -5,6 +5,8 @@ include /etc/firejail/frozen-bubble.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.frozen-bubble include /etc/firejail/disable-common.inc diff --git a/etc/galculator.profile b/etc/galculator.profile index 777bbdf6b..fdb9e3f1d 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile @@ -5,6 +5,8 @@ include /etc/firejail/galculator.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.config/galculator include /etc/firejail/disable-common.inc diff --git a/etc/gedit.profile b/etc/gedit.profile index 4ff3a94db..c383a5675 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile @@ -5,6 +5,7 @@ include /etc/firejail/gedit.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus - makes settings immutable noblacklist ${HOME}/.config/enchant noblacklist ${HOME}/.config/gedit diff --git a/etc/gimp.profile b/etc/gimp.profile index 292c2aac9..b398813f6 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -5,6 +5,8 @@ include /etc/firejail/gimp.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.gimp* include /etc/firejail/disable-common.inc diff --git a/etc/gpicview.profile b/etc/gpicview.profile index b37af2843..5ed447ac4 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile 
@@ -5,6 +5,8 @@ include /etc/firejail/gpicview.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.config/gpicview include /etc/firejail/disable-common.inc diff --git a/etc/gzip.profile b/etc/gzip.profile index 0f04953d8..5187bb9f0 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -6,6 +6,7 @@ include /etc/firejail/gzip.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix ignore noroot diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 5f08d7cb8..ad1aae523 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile @@ -6,6 +6,8 @@ include /etc/firejail/hashcat.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.hashcat noblacklist /usr/include diff --git a/etc/highlight.profile b/etc/highlight.profile index d3cacc581..a7c667ce1 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile @@ -5,6 +5,7 @@ include /etc/firejail/highlight.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc diff --git a/etc/hugin.profile b/etc/hugin.profile index 64b6e0c69..bff074b74 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile @@ -5,6 +5,8 @@ include /etc/firejail/hugin.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.hugin include /etc/firejail/disable-common.inc diff --git a/etc/imagej.profile b/etc/imagej.profile index 88a56c706..058da2805 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -5,6 +5,7 @@ include /etc/firejail/imagej.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.imagej diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 943350484..5a19a75f1 100644 
--- a/etc/img2txt.profile +++ b/etc/img2txt.profile @@ -5,6 +5,7 @@ include /etc/firejail/img2txt.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 5cb1e1828..bf461b93d 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile @@ -5,6 +5,8 @@ include /etc/firejail/jd-gui.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.config/jd-gui.cfg noblacklist ${HOME}/.java diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 10c2909a0..e42e5920a 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -5,6 +5,7 @@ include /etc/firejail/kdenlive.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 27ca408f5..f7b0bd5d1 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile @@ -5,6 +5,8 @@ include /etc/firejail/keepassx.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/*.kdb noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.config/keepassx diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index a8c6d65f5..f0c173d9c 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile @@ -5,6 +5,8 @@ include /etc/firejail/keepassxc.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/*.kdb noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.config/keepassxc diff --git a/etc/krita.profile b/etc/krita.profile index e91f5b242..ac723f303 100644 --- a/etc/krita.profile +++ b/etc/krita.profile 
@@ -5,6 +5,7 @@ include /etc/firejail/krita.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/less.profile b/etc/less.profile index 0935f8945..3546649af 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -6,6 +6,7 @@ include /etc/firejail/less.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix ignore noroot diff --git a/etc/lmms.profile b/etc/lmms.profile index 29ed235c6..b2bacb246 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile @@ -5,6 +5,7 @@ include /etc/firejail/lmms.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.lmmsrc.xml diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 506fdd549..f8c5c34ca 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile @@ -5,6 +5,7 @@ include /etc/firejail/macrofusion.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.config/mfusion diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index 39117b718..be5dac206 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile @@ -5,6 +5,8 @@ include /etc/firejail/mate-calc.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.config/mate-calc include /etc/firejail/disable-common.inc diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index e502269f7..de9297174 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile @@ -5,6 +5,7 @@ include /etc/firejail/mediainfo.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc 
diff --git a/etc/meld.profile b/etc/meld.profile index 5043f2496..1a451ff57 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -5,6 +5,8 @@ include /etc/firejail/meld.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.local/share/meld include /etc/firejail/disable-common.inc diff --git a/etc/mupdf.profile b/etc/mupdf.profile index a25cc352f..a3955b298 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -5,6 +5,7 @@ include /etc/firejail/mupdf.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 4937df51f..e05babc91 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -5,6 +5,8 @@ include /etc/firejail/mupen64plus.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.config/mupen64plus noblacklist ${HOME}/.local/share/mupen64plus diff --git a/etc/natron.profile b/etc/natron.profile index b76649605..413ea53f9 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -5,6 +5,7 @@ include /etc/firejail/natron.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.Natron noblacklist ${HOME}/.cache/INRIA/Natron @@ -17,7 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -netfilter +net none nodvd nogroups nonewprivs @@ -26,7 +27,6 @@ notv protocol unix,inet,inet6 seccomp shell none -net none private-bin natron,Natron,NatronRenderer diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index e8c2d54c7..b6d4a63b5 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile 
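Review bot: In etc/natron.profile the context line `protocol unix,inet,inet6` still permits IPv4 and IPv6 sockets although the second hunk now sets `net none` in place of `netfilter`. With nothing reachable beyond the sandbox's own loopback, the filter could be narrowed to `protocol unix`, which takes the inet socket families away from the process altogether. This assumes Natron and NatronRenderer do not talk to each other over loopback TCP, which needs a test run before the line is changed. The rest of the profile lies outside the three hunks.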
@@ -5,6 +5,7 @@ include /etc/firejail/odt2txt.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index 998d57f62..20a9b2227 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile @@ -5,6 +5,8 @@ include /etc/firejail/open-invaders.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.openinvaders include /etc/firejail/disable-common.inc diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 6c8dd4319..7d2121710 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile @@ -5,6 +5,8 @@ include /etc/firejail/pcmanfm.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus + noblacklist ${HOME}/.local/share/Trash noblacklist ~/.config/libfm noblacklist ~/.config/pcmanfm diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile index 8489e79a6..059d6660b 100644 --- a/etc/pdfmod.profile +++ b/etc/pdfmod.profile @@ -5,6 +5,7 @@ include /etc/firejail/pdfmod.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.cache/pdfmod noblacklist ${HOME}/.config/pdfmod diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index fd52fb9ee..3611de8a0 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -5,6 +5,8 @@ include /etc/firejail/pdfsam.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.java include /etc/firejail/disable-common.inc diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 0c6bf9cde..9e4f7d4f2 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile 
@@ -5,6 +5,7 @@ include /etc/firejail/pdftotext.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc diff --git a/etc/peek.profile b/etc/peek.profile index 13c0c72e0..01db4fa08 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -5,6 +5,8 @@ include /etc/firejail/peek.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.cache/peek include /etc/firejail/disable-common.inc diff --git a/etc/pingus.profile b/etc/pingus.profile index 68d5a98ad..c491a2669 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile @@ -5,6 +5,8 @@ include /etc/firejail/pingus.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.pingus include /etc/firejail/disable-common.inc diff --git a/etc/pinta.profile b/etc/pinta.profile index cb6e05d35..4a8815a73 100644 --- a/etc/pinta.profile +++ b/etc/pinta.profile @@ -5,6 +5,7 @@ include /etc/firejail/pinta.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.config/Pinta diff --git a/etc/pluma.profile b/etc/pluma.profile index 3fa6d3494..b50e3cbaf 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile @@ -5,6 +5,8 @@ include /etc/firejail/pluma.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus - makes settings immutable + noblacklist ${HOME}/.config/pluma include /etc/firejail/disable-common.inc diff --git a/etc/ranger.profile b/etc/ranger.profile index 9be19c4b1..0dac16424 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -5,6 +5,8 @@ include /etc/firejail/ranger.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + # noblacklist /usr/bin/cpan* noblacklist /usr/bin/perl noblacklist /usr/lib/perl* 
diff --git a/etc/scribus.profile b/etc/scribus.profile index e07caffe5..e49d484ed 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile @@ -5,6 +5,8 @@ include /etc/firejail/scribus.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + # Support for PDF readers comes with Scribus 1.5 and higher noblacklist ~/.config/okularpartrc noblacklist ~/.config/okularrc diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 62a056a30..bc94ae2a0 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile @@ -6,6 +6,7 @@ include /etc/firejail/sdat2img.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 4e8b1da05..3f2cc3d33 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -5,6 +5,7 @@ include /etc/firejail/shotcut.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus noblacklist ${HOME}/.config/Meltytech diff --git a/etc/simutrans.profile b/etc/simutrans.profile index fda5204e2..1cbd9756c 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile @@ -5,6 +5,8 @@ include /etc/firejail/simutrans.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.simutrans include /etc/firejail/disable-common.inc diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 1a53cc71c..61627f5d8 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile @@ -5,6 +5,7 @@ include /etc/firejail/skanlite.local # Persistent global definitions include /etc/firejail/globals.local +# blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 5d7129b5a..c27fb3819 100644 --- a/etc/soundconverter.profile 
+++ b/etc/soundconverter.profile @@ -5,6 +5,7 @@ include /etc/firejail/soundconverter.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 65e8073c9..933d55b79 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile @@ -5,6 +5,8 @@ include /etc/firejail/sqlitebrowser.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.config/sqlitebrowser include /etc/firejail/disable-common.inc diff --git a/etc/strings.profile b/etc/strings.profile index 83561cae5..09273f35d 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -6,6 +6,7 @@ include /etc/firejail/strings.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus blacklist /tmp/.X11-unix ignore noroot diff --git a/etc/supertux2.profile b/etc/supertux2.profile index ff55e1c40..120f0a043 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile @@ -5,6 +5,8 @@ include /etc/firejail/supertux2.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ~/.local/share/supertux2 include /etc/firejail/disable-common.inc diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 2617c0e51..415a42cf5 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -5,6 +5,8 @@ include /etc/firejail/synfigstudio.local # Persistent global definitions include /etc/firejail/globals.local +blacklist /run/user/*/bus + noblacklist ${HOME}/.config/synfig noblacklist ${HOME}/.synfig diff --git a/etc/tar.profile b/etc/tar.profile index 92ddaa2f3..bd7973abf 100644 --- a/etc/tar.profile +++ b/etc/tar.profile 
@@ -6,6 +6,7 @@ include /etc/firejail/tar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 hostname tar
diff --git a/etc/terasology.profile b/etc/terasology.profile
index ca580c0d0..02a7baeb7 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,6 +5,7 @@ include /etc/firejail/default.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 0b09bffcb..86cbebc82 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -5,6 +5,8 @@ include /etc/firejail/transmission-show.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
+
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 138f69aa8..6cff5249c 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -5,6 +5,7 @@ include /etc/firejail/uefitool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 12559a721..f7e25d5d7 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -6,6 +6,7 @@ include /etc/firejail/unrar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 hostname unrar
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 9828fa9b4..fe16c670d 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -6,6 +6,7 @@ include /etc/firejail/unzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 hostname unzip
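Review bot: The hunk header for terasology.profile shows the profile including `/etc/firejail/default.local` rather than a terasology-specific file, which matters more now that a new `blacklist` follows it. The other profiles visible in this patch include their own `NAME.local` ahead of the added rule, which is presumably where a user would place a `noblacklist /run/user/*/bus` override; here that override would have to go into the file shared with the default profile. If that is not intended, change the include to `include /etc/firejail/terasology.local`. The include line is outside the changed lines, so this is inferred from the hunk context only.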
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index b30cbaa2a..f7699552d 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -6,6 +6,7 @@ include /etc/firejail/uudeview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 hostname uudeview
 ignore noroot
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index af4a2d655..92d59e732 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -5,6 +5,7 @@ include /etc/firejail/viewnior.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 blacklist ~/.Xauthority
 blacklist ~/.bashrc
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index 1395b81c9..67707ffb8 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -5,6 +5,7 @@ include /etc/firejail/x-terminal-emulator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 caps.drop all
 ipc-namespace
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index cfe6937e3..467f96003 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -5,6 +5,7 @@ include /etc/firejail/xcalc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/xed.profile b/etc/xed.profile
index b80d02948..e4ab673e8 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -5,6 +5,8 @@ include /etc/firejail/xed.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# blacklist /run/user/*/bus - makes settings immutable
+
 noblacklist ${HOME}/.config/xed
 include /etc/firejail/disable-common.inc
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 8caba5cc5..8b7774225 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
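Review bot: The commented-out rule in xed.profile records why it is disabled, but not that the profile therefore keeps the session bus reachable, nor how a user who accepts fixed settings can turn it on. Extend the comment to say so, e.g. `# blacklist /run/user/*/bus - makes settings immutable; add it to xed.local if that is acceptable`. The xviewer hunk carries the same comment and would take the same wording with `xviewer.local`.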
@@ -5,6 +5,8 @@ include /etc/firejail/xpdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
+
 noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 985b82c79..5c624c384 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -5,6 +5,8 @@ include /etc/firejail/xviewer.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# blacklist /run/user/*/bus - makes settings immutable
+
 noblacklist ~/.Steam
 noblacklist ~/.config/xviewer
 noblacklist ~/.local/share/Trash
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index d5c4ac6f0..1136a6535 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -6,6 +6,7 @@ include /etc/firejail/xzdec.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 ignore noroot
diff --git a/etc/zart.profile b/etc/zart.profile
index 6e136d0c9..e9fd9b3bd 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,6 +5,7 @@ include /etc/firejail/zart.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 0036a3521..ad64371e8 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -5,6 +5,8 @@ include /etc/firejail/zathura.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+blacklist /run/user/*/bus
+
 noblacklist ~/.config/zathura
 noblacklist ~/.local/share/zathura
-- cgit v1.2.3-54-g00ecf