From 9c833ae929f64fa54c5d8aa49e4a784803b805c8 Mon Sep 17 00:00:00 2001 
From: Chiraag Nataraj Date: Sat, 16 Sep 2017 13:18:26 -0400 Subject: Add 31 profiles --- etc/Viber.profile | 38 ++++++++++++++++++++++++++++++++++++++ etc/amule.profile | 33 +++++++++++++++++++++++++++++++++ etc/ardour5.profile | 36 ++++++++++++++++++++++++++++++++++++ etc/brackets.profile | 31 +++++++++++++++++++++++++++++++ etc/calligra.profile | 37 +++++++++++++++++++++++++++++++++++++ etc/calligraauthor.profile | 5 +++++ etc/calligraconverter.profile | 5 +++++ etc/calligraflow.profile | 5 +++++ etc/calligraplan.profile | 5 +++++ etc/calligraplanwork.profile | 5 +++++ etc/calligrasheets.profile | 5 +++++ etc/calligrastage.profile | 5 +++++ etc/calligrawords.profile | 5 +++++ etc/cin.profile | 32 ++++++++++++++++++++++++++++++++ etc/fetchmail.profile | 31 +++++++++++++++++++++++++++++++ etc/freecad.profile | 36 ++++++++++++++++++++++++++++++++++++ etc/freecadcmd.profile | 5 +++++ etc/google-earth.profile | 32 ++++++++++++++++++++++++++++++++ etc/imagej.profile | 34 ++++++++++++++++++++++++++++++++++ etc/kdenlive.profile | 32 ++++++++++++++++++++++++++++++++ etc/linphone.profile | 22 ++++++++++++++++++++++ etc/lmms.profile | 32 ++++++++++++++++++++++++++++++++ etc/macrofusion.profile | 28 ++++++++++++++++++++++++++++ etc/mpd.profile | 26 ++++++++++++++++++++++++++ etc/natron.profile | 34 ++++++++++++++++++++++++++++++++++ etc/ricochet.profile | 30 ++++++++++++++++++++++++++++++ etc/shotcut.profile | 28 ++++++++++++++++++++++++++++ etc/tor-browser-en.profile | 41 +++++++++++++++++++++++++++++++++++++++++ etc/tor.profile | 38 ++++++++++++++++++++++++++++++++++++++ etc/x-terminal-emulator.profile | 25 +++++++++++++++++++++++++ etc/zart.profile | 27 +++++++++++++++++++++++++++ 31 files changed, 748 insertions(+) create mode 100644 etc/Viber.profile create mode 100644 etc/amule.profile create mode 100644 etc/ardour5.profile create mode 100644 etc/brackets.profile create mode 100644 etc/calligra.profile create mode 100644 etc/calligraauthor.profile create mode 100644 
etc/calligraconverter.profile
create mode 100644 etc/calligraflow.profile
create mode 100644 etc/calligraplan.profile
create mode 100644 etc/calligraplanwork.profile
create mode 100644 etc/calligrasheets.profile
create mode 100644 etc/calligrastage.profile
create mode 100644 etc/calligrawords.profile
create mode 100644 etc/cin.profile
create mode 100644 etc/fetchmail.profile
create mode 100644 etc/freecad.profile
create mode 100644 etc/freecadcmd.profile
create mode 100644 etc/google-earth.profile
create mode 100644 etc/imagej.profile
create mode 100644 etc/kdenlive.profile
create mode 100644 etc/linphone.profile
create mode 100644 etc/lmms.profile
create mode 100644 etc/macrofusion.profile
create mode 100644 etc/mpd.profile
create mode 100644 etc/natron.profile
create mode 100644 etc/ricochet.profile
create mode 100644 etc/shotcut.profile
create mode 100644 etc/tor-browser-en.profile
create mode 100644 etc/tor.profile
create mode 100644 etc/x-terminal-emulator.profile
create mode 100644 etc/zart.profile
diff --git a/etc/Viber.profile b/etc/Viber.profile
new file mode 100644
index 000000000..5de92f36f
--- /dev/null
+++ b/etc/Viber.profile
@@ -0,0 +1,38 @@
+# Firejail profile for Viber
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/Viber.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ViberPC
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+whitelist /opt/viber
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin sh,dig,awk
+private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/amule.profile b/etc/amule.profile
new file mode 100644
index 000000000..5cd6e613e
--- /dev/null
+++ b/etc/amule.profile
@@ -0,0 +1,33 @@
+# Firejail profile for amule
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/amule.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.aMule
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.themes
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+nonewprivs
+noroot
+seccomp
+shell none
+
+private-bin amule
+private-dev
+private-etc fonts,hosts
+private-tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
new file mode 100644
index 000000000..f17c74e2b
--- /dev/null
+++ b/etc/ardour5.profile
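Review bot: The Viber hunk (like every profile in this commit) never includes `/etc/firejail/disable-common.inc` or `/etc/firejail/disable-passwdmgr.inc`, which the stock firejail profiles use to hide SSH/GPG key stores, password-manager data and similar sensitive paths from the jail; here the only home protection is whitelist-common.inc plus `noexec ${HOME}`. Whitelisting ${HOME} does hide the dotfiles, but the disable-*.inc files also blacklist paths outside home, so unless globals.local adds them this is weaker than the upstream layout — if that is deliberate, say so in a comment. `nonewprivs` is also absent; firejail implies it when `seccomp` is set, but listing it explicitly (as the amule hunk does) makes the intent clear. Suggest `include /etc/firejail/disable-common.inc` and `include /etc/firejail/disable-passwdmgr.inc` after the globals include.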
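Review bot: `private-etc fonts,hosts` in the amule hunk omits `resolv.conf` and `nsswitch.conf`, so hostname resolution inside the jail will likely fail for a client that resolves server-list and tracker names — verify, and if so use `private-etc fonts,hosts,resolv.conf,nsswitch.conf`. Since aMule also accepts inbound peer connections, `protocol unix,inet,inet6` and `netfilter` would bound the network surface of a compromised client; none of the network-facing profiles in this commit set them.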
@@ -0,0 +1,36 @@
+# Firejail profile for ardour5
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour5.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/ardour4
+whitelist ${HOME}/.config/ardour5
+whitelist ${HOME}/.lv2
+whitelist ${HOME}/.vst
+whitelist ${HOME}/Documents
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm
+private-dev
+private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
+private-tmp
+
+noexec /home
+noexec /tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
new file mode 100644
index 000000000..3c7622435
--- /dev/null
+++ b/etc/brackets.profile
@@ -0,0 +1,31 @@
+# Firejail profile for brackets
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/brackets.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Brackets
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Documents
+whitelist /opt/brackets/
+whitelist /opt/google/
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+# Comment out or use --ignore=net if you want to install extensions or themes
+net none
+# Disable these if you use live preview (until I figure out a workaround)
+# Doing so should be relatively safe since there is no network access
+noroot
+seccomp
+
+private-bin bash,brackets,readlink,dirname,google-chrome,cat
+private-dev
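Review bot: `noexec /home` in the ardour5 hunk conflicts with the `${HOME}/.lv2` and `${HOME}/.vst` whitelists: plugins are shared objects loaded with dlopen, and a noexec mount refuses PROT_EXEC mappings, so user-installed plugins will presumably fail to load — verify, and if so replace the line with narrower entries such as `noexec ${DOWNLOADS}` and `noexec ${HOME}/Documents` so the data directories stay non-executable. `ldd` and `nm` in `private-bin` are also worth a second look: glibc's ldd runs the dynamic loader on its argument, which is a handy code-execution primitive inside the jail, so drop them unless the launcher script actually needs them. `noexec /home` is spelled `noexec ${HOME}` in other hunks; the ${HOME} form also covers home directories outside /home.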
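Review bot: The brackets hunk ships `bash` in `private-bin` with no `shell none`, and compared to the sibling profiles omits `ipc-namespace`, `nogroups`, `private-tmp` and `private-etc`, leaving `caps.drop all`, `noroot` and `seccomp` as the only hardening. The comment above `noroot`/`seccomp` says disabling them "should be relatively safe since there is no network access", but those two guard against local privilege escalation from a malicious project file, not network exposure, so the reasoning does not hold; suggest `# noroot/seccomp may need to be relaxed for live preview; they are unrelated to net none, so weigh that trade-off separately`. `whitelist /opt/google/` also exposes every Google product installed under /opt; if only Chrome is needed for live preview, `whitelist /opt/google/chrome` is tighter.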
diff --git a/etc/calligra.profile b/etc/calligra.profile
new file mode 100644
index 000000000..260097560
--- /dev/null
+++ b/etc/calligra.profile
@@ -0,0 +1,37 @@
+# Firejail profile for calligra
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/calligra.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Trolltech.conf
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.kde
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Documents
+whitelist /tmp/.X11-unix
+# DBus is forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
+private-dev
+private-etc fonts,passwd,alternatives,X11
+
+noexec /home
+noexec /tmp
diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraauthor.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraconverter.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraflow.profile
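Review bot: `whitelist /tmp/dbus_session_socket` in the calligra hunk hands the sandboxed office suite the user's session bus, and with `net none` that socket becomes the one channel out of the jail; on a typical desktop the session bus reaches services that will start processes outside the sandbox (the systemd user manager, desktop-shell interfaces), so a crafted document that exploits Calligra could use it to escape. If D-Bus is only needed so the KDE libraries initialise, check whether a bus started by the `dbus-launch` already in `private-bin` is enough and drop the whitelist; otherwise document the trade-off with `# NOTE: exposing the session bus is a potential sandbox escape; remove if Calligra works without it`. `private-etc` also exposes `passwd`, which is usually required for getpwuid lookups — fine, just noting it is visible.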
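Review bot: The calligraauthor alias includes `${HOME}/.config/firejail/calligra.profile` rather than the file this commit installs next to it, so it only works on a machine where the user also keeps a private copy of the profile; every other user gets a missing include. A profile shipped in /etc should reference its sibling there: `include /etc/firejail/calligra.profile`. The calligraconverter hunk on this line has the identical include and needs the same change.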
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraplan.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligraplanwork.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligrasheets.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligrastage.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile
new file mode 100644
index 000000000..2b005c5c9
--- /dev/null
+++ b/etc/calligrawords.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for calligra
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/calligra.profile
diff --git a/etc/cin.profile b/etc/cin.profile
new file mode 100644
index 000000000..3a8a4d8de
--- /dev/null
+++ b/etc/cin.profile
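Review bot: The calligraflow alias (and the calligraplan, calligraplanwork, calligrasheets, calligrastage and calligrawords hunks that follow on this line) all include `${HOME}/.config/firejail/calligra.profile`, a path in the author's home directory, instead of the profile this commit installs in /etc, so the aliases resolve to nothing for any other user. Each should read `include /etc/firejail/calligra.profile`. Firejail's include directive does not search ${HOME}/.config/firejail as a fallback for an /etc path, as far as I know, so the personal location cannot be relied on from a packaged file.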
@@ -0,0 +1,32 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.bcast5
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin cin
+private-dev
+private-etc fonts,pulse
+
+noexec /home
+noexec /tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
new file mode 100644
index 000000000..dc7f4abc3
--- /dev/null
+++ b/etc/fetchmail.profile
@@ -0,0 +1,31 @@
+# Firejail profile for fetchmail
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/fetchmail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc
+# whitelist ${HOME}/.fetchmailrc.gpg
+whitelist ${HOME}/.procmailrc.brown
+whitelist ${HOME}/.procmailrc.gmail
+whitelist ${HOME}/Mail
+whitelist ${HOME}/scripts/fetchmail-real.sh
+whitelist /tmp/fetchmailrc
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+nogroups
+noroot
+nosound
+seccomp
+x11 none
+
+# private-bin fetchmail,procmail,bash,chmod
+private-dev
+# private-etc passwd,hosts,resolv.conf
diff --git a/etc/freecad.profile b/etc/freecad.profile
new file mode 100644
index 000000000..0467edb6d
--- /dev/null
+++ b/etc/freecad.profile
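Review bot: `whitelist /tmp/fetchmailrc` together with the comment "I decrypt it into /tmp/fetchmailrc" means the fetchmail hunk expects plaintext mail credentials in the shared, world-readable /tmp with no `private-tmp` to isolate them — that is a personal workflow, not a default to ship, and the same applies to `${HOME}/.procmailrc.brown`, `${HOME}/.procmailrc.gmail` and `${HOME}/scripts/fetchmail-real.sh`. The hardening is also the thinnest of the set for a daemon that talks to remote mail servers and hands mail to procmail (which executes recipe commands): `private-bin` and `private-etc` are commented out and `ipc-namespace`, `nonewprivs`, `shell none` and `private-tmp` are missing. Suggest replacing the personal paths with a commented template such as `# whitelist ${HOME}/.fetchmailrc` and `# whitelist ${HOME}/.procmailrc`, and, if the rc file must be decrypted to disk, keeping it under the user's tmpfs runtime directory (mode 0700) rather than /tmp.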
@@ -0,0 +1,36 @@
+# Firejail profile for freecad
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/freecad.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/FreeCAD
+whitelist ${HOME}/Documents
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+
+private-bin freecad,freecadcmd
+private-dev
+private-etc fonts,passwd,alternatives,X11
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile
new file mode 100644
index 000000000..41cfd3fab
--- /dev/null
+++ b/etc/freecadcmd.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for freecad
+# This file is overwritten after every install/update
+
+
+include ${HOME}/.config/firejail/freecad.profile
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
new file mode 100644
index 000000000..a339402e2
--- /dev/null
+++ b/etc/google-earth.profile
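Review bot: The freecadcmd alias has the same defect as the calligra aliases: `include ${HOME}/.config/firejail/freecad.profile` points into the author's home directory instead of the profile installed by this commit, so the alias is broken for every other user. It should be `include /etc/firejail/freecad.profile`. The freecad hunk it aliases is the best-hardened in the set (`protocol unix`, `net none`, `nosound`, `private-tmp`), so nothing to add there.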
@@ -0,0 +1,32 @@
+# Firejail profile for google-earth
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/google-earth.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+
+whitelist ${HOME}/.config/Google
+whitelist ${HOME}/.googleearth/Cache/
+whitelist ${HOME}/.googleearth/Temp/
+whitelist ${HOME}/.googleearth/myplaces.backup.kml
+whitelist ${HOME}/.googleearth/myplaces.kml
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin google-earth,sh,grep,sed,ls,dirname
+private-dev
+private-etc fonts,resolv.conf,X11,alternatives,pulse
+
+noexec /home
+noexec /tmp
diff --git a/etc/imagej.profile b/etc/imagej.profile
new file mode 100644
index 000000000..4404cc9a2
--- /dev/null
+++ b/etc/imagej.profile
@@ -0,0 +1,34 @@
+# Firejail profile for imagej
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/imagej.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.imagej
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Pictures
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+nonewprivs
+noroot
+seccomp
+
+private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
+private-dev
+# private-etc passwd,alternatives,hosts,fonts,X11
+private-tmp
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
new file mode 100644
index 000000000..b982bd045
--- /dev/null
+++ b/etc/kdenlive.profile
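Review bot: `private-etc fonts,resolv.conf,X11,alternatives,pulse` in the google-earth hunk gives the client DNS but no `ssl`/`ca-certificates`, `hosts` or `nsswitch.conf`, so TLS certificate validation and name lookup may fail — or degrade in whatever way the bundled Qt network stack handles a missing CA store — so check what the binary actually reads under /etc before shipping this list. For an always-online proprietary client, `protocol unix,inet,inet6` and `netfilter` would also bound what a compromised process can open, and `nonewprivs` should be spelled out even though `seccomp` implies it. `noexec /home` here versus `noexec ${HOME}` in other hunks is an inconsistency; the ${HOME} form also covers home directories outside /home.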
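Review bot: The imagej hunk leaves `private-etc` commented out, so the JVM sees the whole host /etc, and puts `bash`, `rm`, `ln`, `touch` and `update-java-alternatives` into `private-bin` with no `shell none`; the administrative `update-java-alternatives` in particular looks like something the Debian launcher script calls (presumably `-l` to locate a JVM) rather than a capability the sandbox should expose, and is worth confirming. Once the launcher's actual needs are known, re-enable `private-etc passwd,alternatives,hosts,fonts,X11` (Java may also need its own `/etc/java-*` directory), and add `shell none` if the launcher can run without a shell. The same `nonewprivs` this hunk sets explicitly is missing from most of its siblings, so this one is the pattern to copy.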
@@ -0,0 +1,32 @@
+# Firejail profile for kdenlive
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/kdenlive.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+# Apparently these break kdenlive for some people - they work for me though?
+# whitelist ${DOWNLOADS}
+# whitelist ${HOME}/.config/
+# whitelist ${HOME}/Videos
+# whitelist ${HOME}/kdenlive
+whitelist /tmp/.X11-unix
+# DBus is forced to use an ordinary unix socket
+whitelist /tmp/dbus_session_socket
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-dev
+private-etc fonts,alternatives,X11,pulse,passwd
diff --git a/etc/linphone.profile b/etc/linphone.profile
new file mode 100644
index 000000000..850fcb320
--- /dev/null
+++ b/etc/linphone.profile
@@ -0,0 +1,22 @@
+# Firejail profile for linphone
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/linphone.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.gtkrc.mine
+whitelist ${HOME}/.linphone-history.db
+whitelist ${HOME}/.linphonerc
+whitelist ${HOME}/Downloads
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
diff --git a/etc/lmms.profile b/etc/lmms.profile
new file mode 100644
index 000000000..8ac039cc0
--- /dev/null
+++ b/etc/lmms.profile
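Review bot: `whitelist /tmp/dbus_session_socket` in the kdenlive hunk exposes the user's session bus to the sandbox, which on most desktops is enough to start processes outside the jail, so it largely cancels `net none` and `noroot` if a crafted project or media file exploits kdenlive; either confirm it is required and note the trade-off in the comment, or test without it. The commented-out home whitelists probably do not do what the comment suggests either: if whitelist-common.inc whitelists paths under ${HOME} (it does upstream), the home directory stays in whitelist mode with only those dotfiles visible, so removing `${HOME}/Videos` and `${HOME}/kdenlive` takes access away rather than restoring it — verify. `private-bin` also pulls in `kdeinit5`/`kshell5`/`kdeinit4`/`kshell4`, which are generic program launchers; if they are needed, `nonewprivs` and `ipc-namespace` (present in sibling profiles) should be added here too.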
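Review bot: linphone is a SIP/RTP client that accepts inbound connections and keeps account credentials in the `.linphonerc` this hunk whitelists, yet it has the thinnest hardening in the set: only `caps.drop all`, `noroot` and `seccomp`, with no `ipc-namespace`, `nogroups`, `nonewprivs`, `shell none`, `private-bin`, `private-dev`, `private-tmp` or `private-etc`. A minimum consistent with the sibling profiles would add `nogroups`, `nonewprivs`, `private-tmp`, `protocol unix,inet,inet6` and `private-dev` (firejail's private /dev keeps the sound and video nodes a softphone needs — verify on the installed version). `whitelist ${HOME}/Downloads` also hard-codes the directory name; the other profiles use `${DOWNLOADS}`, which follows the user's XDG setting.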
@@ -0,0 +1,32 @@
+# Firejail profile for lmms
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/lmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.lmmsrc.xml
+whitelist ${HOME}/Music
+whitelist ${HOME}/lmms
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-dev
+private-etc fonts,pulse
+
+noexec /home
+noexec /tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
new file mode 100644
index 000000000..287a5ea85
--- /dev/null
+++ b/etc/macrofusion.profile
@@ -0,0 +1,28 @@
+# Firejail profile for macrofusion
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/macrofusion.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/gtk-3.0
+whitelist ${HOME}/.config/mfusion
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Pictures
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+nogroups
+nonewprivs
+noroot
+seccomp
+shell none
+
+private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
+private-dev
+private-etc fonts
+private-tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
new file mode 100644
index 000000000..44baab7e9
--- /dev/null
+++ b/etc/mpd.profile
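Review bot: The lmms hunk has no `private-bin`, so the entire host /usr/bin is visible inside the jail even though `shell none` is set; the sibling media profiles (cin, shotcut, zart) restrict it, and `private-bin lmms` plus whatever its launcher needs would match them. `noexec /home` may also break plugins stored under the whitelisted `${HOME}/lmms`: LMMS loads native LADSPA/VST plugin binaries with executable mappings, which a noexec mount refuses — verify, and narrow to `noexec ${DOWNLOADS}` and `noexec ${HOME}/Music` if so. `nonewprivs` is implied by `seccomp` but, as elsewhere in this commit, is better stated explicitly.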
@@ -0,0 +1,26 @@
+# Firejail profile for mpd
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/mpd.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${HOME}/.config/pulse/
+whitelist ${HOME}/.mpdconf
+whitelist ${HOME}/.pulse/
+whitelist ${HOME}/Music
+whitelist ${HOME}/mpd
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+
+private-bin mpd,bash
+private-dev
+read-only ${HOME}/Music/
diff --git a/etc/natron.profile b/etc/natron.profile
new file mode 100644
index 000000000..6101d1331
--- /dev/null
+++ b/etc/natron.profile
@@ -0,0 +1,34 @@
+# Firejail profile for natron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/natron.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /usr/local/bin
+blacklist /usr/local/sbin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.Natron
+whitelist ${HOME}/.cache/INRIA/Natron/
+whitelist ${HOME}/.config/INRIA/
+whitelist ${HOME}/.gtkrc-2.0
+whitelist ${HOME}/.themes
+whitelist ${HOME}/Videos
+whitelist /opt/natron/
+whitelist /tmp/.X11-unix/
+include /etc/firejail/whitelist-common.inc
+
+ipc-namespace
+shell none
+
+private-bin natron
+private-etc fonts,X11,pulse
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
new file mode 100644
index 000000000..47b16b30e
--- /dev/null
+++ b/etc/ricochet.profile
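Review bot: mpd listens on a TCP port for client connections, but its hunk ships `bash` in `private-bin` with no `shell none` and omits `ipc-namespace`, `nogroups`, `nonewprivs`, `private-tmp` and `private-etc`, so a network-reachable daemon is left with a shell and the whole host /etc inside its namespace. Adding `nonewprivs`, `shell none` (assuming mpd does not need a shell for hooks — verify), `protocol unix,inet,inet6` and `netfilter` would bring it in line with the rest of the commit; `read-only ${HOME}/Music/` is a good touch and worth keeping. `whitelist ${HOME}/mpd` and `${HOME}/.mpdconf` reflect the author's layout; mpd also reads `${HOME}/.config/mpd/mpd.conf` on recent versions, so whitelisting `${HOME}/.config/mpd` alongside would make the profile work for more users.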
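Review bot: The natron hunk drops no capabilities and installs no seccomp filter: unlike every other profile in this commit it lacks `caps.drop all`, `noroot`, `seccomp`, `nogroups`, `nonewprivs` and `private-dev`, so a compromise of Natron — which parses many image and video container formats — keeps the full syscall surface and the capability bounding set that a setuid helper could exploit. The `# Contributed by` line suggests it was imported as-is; at minimum add `caps.drop all`, `noroot`, `nonewprivs`, `seccomp` and `private-dev`, and consider `net none`, since a compositor has no obvious network need beyond its plugin installer (verify). `noexec ${HOME}` is already present and may interfere with OpenFX plugins installed under the whitelisted `${HOME}/.Natron` if any are native binaries — worth a test.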
@@ -0,0 +1,30 @@
+# Firejail profile for ricochet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ricochet.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.local/share/Ricochet
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin ricochet,tor
+private-dev
+private-etc fonts,tor,X11,alternatives
+
+noexec /home
+noexec /tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
new file mode 100644
index 000000000..2bf3cc2e0
--- /dev/null
+++ b/etc/shotcut.profile
@@ -0,0 +1,28 @@
+# Firejail profile for shotcut
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/shotcut.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /usr/local/bin
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/Meltytech
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+net none
+nogroups
+noroot
+seccomp
+shell none
+
+private-bin shotcut,melt,qmelt,nice
+private-dev
+private-etc X11,alternatives,pulse,fonts
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
new file mode 100644
index 000000000..1f0b61c75
--- /dev/null
+++ b/etc/tor-browser-en.profile
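Review bot: Ricochet runs its own tor (both are in `private-bin`), so its network needs are well defined, yet the ricochet hunk does not constrain them: `protocol unix,inet,inet6` and `netfilter` would stop a compromised client from opening raw or packet sockets, and `nonewprivs` should be explicit rather than left to `seccomp`. `whitelist ${DOWNLOADS}` grants read-write access to the downloads directory to a messenger that, as far as I recall, had no file-transfer feature at the time of this commit; if that is still true the line is unnecessary exposure and can be dropped. `private-etc` includes `tor`, which exposes the system torrc; if Ricochet writes its own tor configuration under `.local/share/Ricochet`, that entry may be unneeded as well — verify.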
@@ -0,0 +1,41 @@
+# Firejail profile for tor-browser-en
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor-browser-en.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+blacklist /usr/local/bin
+blacklist /var
+
+whitelist ${HOME}/.tor-browser-en
+whitelist /dev/dri
+whitelist /dev/full
+whitelist /dev/null
+whitelist /dev/ptmx
+whitelist /dev/pts
+whitelist /dev/random
+whitelist /dev/shm
+whitelist /dev/snd
+whitelist /dev/tty
+whitelist /dev/urandom
+whitelist /dev/video0
+whitelist /dev/zero
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+noroot
+seccomp
+shell none
+
+private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
+# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)
+# https://github.com/netblue30/firejail/issues/955
+private-etc X11,pulse,machine-id
+private-tmp
+
+noexec /tmp
diff --git a/etc/tor.profile b/etc/tor.profile
new file mode 100644
index 000000000..2e2172cad
--- /dev/null
+++ b/etc/tor.profile
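Review bot: The tor-browser-en hunk whitelists `/dev/video0` and `/dev/snd` into an anonymity browser's sandbox; Tor Browser disables camera and microphone access by default, so the only code likely to touch those nodes is an exploit payload, and dropping `whitelist /dev/video0` (and `/dev/snd` unless audio playback is wanted) costs nothing. `nonewprivs`, `ipc-namespace`, `nogroups` and `protocol unix,inet,inet6` are missing even though the bundled tor only needs TCP, and `sed` is listed twice in `private-bin`. The FIXME about `machine-id` should stay, but note that exposing the real /etc/machine-id to an anonymity browser hands it a stable host identifier; a per-sandbox spoofed file is the right fix once the referenced firejail issue is resolved.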
@@ -0,0 +1,38 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home//.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+no3d
+nogroups
+nonewprivs
+nosound
+seccomp
+shell none
+writable-var
+x11 none
+
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
new file mode 100644
index 000000000..eb4c58480
--- /dev/null
+++ b/etc/x-terminal-emulator.profile
@@ -0,0 +1,25 @@
+# Firejail profile for x-terminal-emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/x-terminal-emulator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+whitelist /tmp/.X11-unix/X470
+whitelist /tmp/fcitx-socket-:0
+whitelist /tmp/user/1000/
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+env DISPLAY=:470
+ipc-namespace
+net none
+netfilter
+nogroups
+noroot
+seccomp
+
+private-dev
+
+noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
new file mode 100644
index 000000000..654679174
--- /dev/null
+++ b/etc/zart.profile
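Review bot: The usage comment in the tor hunk hard-codes `--profile=/home//.config/firejail/tor.profile` with an empty user component, and the command runs under sudo where the caller's home is not in play anyway; since this file is installed to /etc/firejail, the example should read `firejail --profile=/etc/firejail/tor.profile` (or simply `--profile=tor`). Functionally, `private-etc tor,passwd` omits `group`, which tor's privilege drop needs when the `User` directive makes it look up the debian-tor group — verify, and if it fails use `private-etc tor,passwd,group`. `caps.keep setuid,setgid,net_bind_service,dac_read_search` plus `writable-var` is broad for a process that starts as root: DAC_READ_SEARCH lets the pre-drop process read any file on the host, so add a comment stating why it is required (reading pre-existing hidden-service keys?) or try without it.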
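Review bot: The x-terminal-emulator hunk bakes in the author's environment: `whitelist /tmp/.X11-unix/X470` with `env DISPLAY=:470` assumes a particular nested X display, and `whitelist /tmp/user/1000/` assumes uid 1000 and a non-standard runtime directory, so the profile will not work for other users. Those lines belong in the user's `.local` file; the shipped profile should use `whitelist /tmp/.X11-unix` (or firejail's `x11` option) and, if the installed firejail supports it, `${RUNUSER}` for the runtime directory. `netfilter` next to `net none` is a no-op — there is no network interface in the namespace to filter — and should be removed so readers do not assume a filter is active. With no `private-bin` or `shell none`, the shell this terminal spawns sees everything the sandbox does, so the home whitelist from whitelist-common.inc is the only real limit and is worth a comment.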
@@ -0,0 +1,27 @@
+# Firejail profile for zart
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/zart.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# Contributed by triceratops1 (https://github.com/triceratops1)
+
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Videos
+whitelist /tmp/.X11-unix
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+net none
+noroot
+seccomp
+shell none
+
+private-bin zart,ffmpeg,melt,ffprobe,ffplay
+private-dev
+private-etc fonts,X11
+
+noexec ${HOME}
+noexec /tmp
--
cgit v1.2.3-70-g09d2
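Review bot: The zart hunk is close to the shotcut and cin profiles but omits `nogroups` and `nonewprivs` that they (or their siblings) set, and has no `blacklist` lines at all, so it depends entirely on whitelist-common.inc for what is hidden; adding `nogroups` and `nonewprivs` after `net none` costs nothing and keeps the set consistent. `private-tmp` is also missing — `whitelist /tmp/.X11-unix` already puts /tmp in whitelist mode, so this is mainly a consistency point with the other hunks that pair the two.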