From 5b841b615dcec9bd93168f3061be68dbdb35e708 Mon Sep 17 00:00:00 2001
From: smitsohu
Date: Wed, 4 Apr 2018 14:31:28 +0200
Subject: fix a0502dc5144185b6d346e92944e3359a833d2378, various enhancements
---
 etc/basilisk.profile | 50 ++++++------------------------------------------
 etc/dex2jar.profile | 6 ------
 etc/disable-common.inc | 3 +++
 etc/disable-programs.inc | 2 ++
 etc/display.profile | 6 ------
 etc/kate.profile | 2 +-
 etc/kmail.profile | 1 +
 etc/knotes.profile | 11 ++---------
 etc/palemoon.profile | 1 +
 9 files changed, 16 insertions(+), 66 deletions(-)
diff --git a/etc/basilisk.profile b/etc/basilisk.profile
index c13be364b..ac7f30c04 100644
--- a/etc/basilisk.profile
+++ b/etc/basilisk.profile
@@ -8,54 +8,16 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.cache/moonchild productions/basilisk
 noblacklist ${HOME}/.moonchild productions/basilisk
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-programs.inc
-
-# These are uncommented in the Firefox profile. If you run into trouble you may
-# want to uncomment (some of) them.
-#whitelist ${HOME}/dwhelper
-#whitelist ${HOME}/.zotero
-#whitelist ${HOME}/.vimperatorrc
-#whitelist ${HOME}/.vimperator
-#whitelist ${HOME}/.pentadactylrc
-#whitelist ${HOME}/.pentadactyl
-#whitelist ${HOME}/.keysnail.js
-#whitelist ${HOME}/.config/gnome-mplayer
-#whitelist ${HOME}/.cache/gnome-mplayer/plugin
-#whitelist ${HOME}/.pki
-#whitelist ${HOME}/.lastpass
-
-# For silverlight
-#whitelist ${HOME}/.wine-pipelight
-#whitelist ${HOME}/.wine-pipelight64
-#whitelist ${HOME}/.config/pipelight-widevine
-#whitelist ${HOME}/.config/pipelight-silverlight5.1
-
 mkdir ${HOME}/.cache/moonchild productions/basilisk
 mkdir ${HOME}/.moonchild productions
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/basilisk
 whitelist ${HOME}/.moonchild productions
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-# private-bin basilisk
-# private-dev (disabled for now as it will interfere with webcam use in basilisk)
-# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-# private-opt basilisk
-private-tmp
+#private-bin basilisk
+# private-etc must first be enabled in firefox-common.profile
+#private-etc basilisk
+#private-opt basilisk
-disable-mnt
+# Redirect
+include /etc/firejail/firefox-common.profile
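Review bot: Every restriction Basilisk had of its own now depends on firefox-common.profile, which is not part of this patch: the four disable-*.inc includes, whitelist-common.inc, and `caps.drop all`, `seccomp`, `nonewprivs`, `noroot`, `protocol`, `private-tmp` and `disable-mnt` are all removed here in favour of the redirect. It is worth confirming that firefox-common.profile carries each of them, `disable-mnt` and `private-tmp` in particular, because a directive that is missing there is now silently missing for Basilisk too. The bare `# Redirect` comment could record that dependency, e.g. `# Redirect: blacklists, caps/seccomp and private-* options are inherited from firefox-common.profile`.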
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index f01675186..0634c0eaf 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -12,12 +12,6 @@ noblacklist /usr/lib/java
 noblacklist /etc/java
 noblacklist /usr/share/java
-# Allow access to java
-noblacklist ${PATH}/java
-noblacklist /usr/lib/java
-noblacklist /etc/java
-noblacklist /usr/share/java
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 0f605b933..c5c434186 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -48,6 +48,7 @@ read-only ${HOME}/.Xauthority
 # KDE config
 blacklist ${HOME}/.config/khotkeysrc
 blacklist ${HOME}/.config/krunnerrc
+blacklist ${HOME}/.config/kscreenlockerrc
 blacklist ${HOME}/.config/ksslcertificatemanager
 blacklist ${HOME}/.config/kwinrc
 blacklist ${HOME}/.config/kwinrulesrc
@@ -59,6 +60,7 @@ blacklist ${HOME}/.kde/share/apps/plasma
 blacklist ${HOME}/.kde/share/apps/solid
 blacklist ${HOME}/.kde/share/config/khotkeysrc
 blacklist ${HOME}/.kde/share/config/krunnerrc
+blacklist ${HOME}/.kde/share/config/kscreensaverrc
 blacklist ${HOME}/.kde/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde/share/config/kwinrc
 blacklist ${HOME}/.kde/share/config/kwinrulesrc
@@ -68,6 +70,7 @@ blacklist ${HOME}/.kde4/share/apps/plasma
 blacklist ${HOME}/.kde4/share/apps/solid
 blacklist ${HOME}/.kde4/share/config/khotkeysrc
 blacklist ${HOME}/.kde4/share/config/krunnerrc
+blacklist ${HOME}/.kde4/share/config/kscreensaverrc
 blacklist ${HOME}/.kde4/share/config/ksslcertificatemanager
 blacklist ${HOME}/.kde4/share/config/kwinrc
 blacklist ${HOME}/.kde4/share/config/kwinrulesrc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c40935e15..38b66f175 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
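Review bot: The three disable-common.inc hunks add two different file names without saying why: `kscreenlockerrc` under `${HOME}/.config` in the first hunk, and `kscreensaverrc` under `.kde/share/config` and `.kde4/share/config` in the second and third. This looks intentional, presumably because the screen-locker settings file was renamed between KDE generations, but a later cleanup could "unify" the names and drop protection for one of them. A short comment next to the first entry would prevent that, e.g. `# screen locker settings: kscreenlockerrc here, kscreensaverrc under .kde and .kde4`.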
@@ -48,6 +48,7 @@ blacklist ${HOME}/.config/Cryptocat
 blacklist ${HOME}/.config/Franz
 blacklist ${HOME}/.config/FreeCAD
 blacklist ${HOME}/.config/Fritzing
+blacklist ${HOME}/.config/GIMP
 blacklist ${HOME}/.config/Gitter
 blacklist ${HOME}/.config/Google
 blacklist ${HOME}/.config/Google Play Music Desktop Player
@@ -149,6 +150,7 @@ blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kgetrc
 blacklist ${HOME}/.config/klipperrc
 blacklist ${HOME}/.config/kmail2rc
+blacklist ${HOME}/.config/kmailsearchindexingrc
 blacklist ${HOME}/.config/kritarc
 blacklist ${HOME}/.config/kwriterc
 blacklist ${HOME}/.config/kdeconnect
diff --git a/etc/display.profile b/etc/display.profile
index ca776a5d1..01196f5ac 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -11,12 +11,6 @@ noblacklist ${PATH}/python3*
 noblacklist /usr/lib/python2*
 noblacklist /usr/lib/python3*
-# Allow python (blacklisted by disable-interpreters.inc)
-noblacklist ${PATH}/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/lib/python2*
-noblacklist /usr/lib/python3*
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-interpreters.inc
diff --git a/etc/kate.profile b/etc/kate.profile
index 7408ee0ef..240bdb62a 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -15,7 +15,7 @@ noblacklist ${HOME}/.local/share/kate
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
+# include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 748780218..202faeb16 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
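Review bot: The new `blacklist ${HOME}/.config/GIMP` in the first disable-programs.inc hunk has no matching `noblacklist` anywhere in this patch, and the diffstat does not list a GIMP profile. The other addition to this file, `kmailsearchindexingrc`, is paired with a `noblacklist` in kmail.profile in the same commit. If the GIMP profile includes disable-programs.inc and does not already carry `noblacklist ${HOME}/.config/GIMP`, a sandboxed GIMP would lose access to its own configuration directory. Please confirm the exemption exists there, or add it alongside this line.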
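Review bot: Commenting out `include /etc/firejail/disable-interpreters.inc` in kate.profile lifts the interpreter blacklist for the whole sandbox, and neither the hunk nor the commit subject says why. The display.profile context in this same patch shows the narrower pattern: keep the include and exempt only what is needed with lines such as `noblacklist ${PATH}/python3*`. If kate really needs every interpreter, a why-comment above the disabled line would stop the next reader from treating it as an oversight, e.g. `# interpreters are allowed because <reason>`. If it only needs some, re-enabling the include with targeted `noblacklist` entries keeps the rest blocked.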
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/baloorc
 noblacklist ${HOME}/.config/emaildefaults
 noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
+noblacklist ${HOME}/.config/kmailsearchindexingrc
 noblacklist ${HOME}/.config/mailtransports
 noblacklist ${HOME}/.config/specialmailcollectionsrc
 noblacklist ${HOME}/.gnupg
diff --git a/etc/knotes.profile b/etc/knotes.profile
index 35e2699bd..4bbbd332d 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -5,15 +5,8 @@ include /etc/firejail/knotes.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-noblacklist ${HOME}/.config/akonadi*
-noblacklist ${HOME}/.config/knotesrc
-noblacklist ${HOME}/.local/share/akonadi/*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-interpreters.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
+# knotes has problems launching akonadi in debian and ubuntu.
+# one solution is to have akonadi already running when knotes is started
 noblacklist ${HOME}/.config/knotesrc
 noblacklist ${HOME}/.local/share/knotes
diff --git a/etc/palemoon.profile b/etc/palemoon.profile
index ff7087e55..c59ef9126 100644
--- a/etc/palemoon.profile
+++ b/etc/palemoon.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.moonchild productions/pale moon
 mkdir ${HOME}/.cache/moonchild productions/pale moon
 mkdir ${HOME}/.moonchild productions
+whitelist ${DOWNLOADS}
 whitelist ${HOME}/.cache/moonchild productions/pale moon
 whitelist ${HOME}/.moonchild productions
--
cgit v1.2.3-54-g00ecf
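Review bot: The knotes.profile hunk removes all five disable-*.inc includes and both akonadi `noblacklist` lines, and the visible context ends at `noblacklist ${HOME}/.local/share/knotes`, so the hunk does not show what restores them. The rest of the file is outside the hunk. Presumably a redirect include further down supplies the blacklists and the akonadi exemptions; if not, knotes would run with no home-directory blacklist at all. Either way, a comment next to that include would make the dependency visible, e.g. `# Redirect: disable-*.inc and akonadi exemptions come from the included profile`. The two added comment lines describe the akonadi start-up workaround but not this.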