From 9e3ba319be6b9546d7e8f450ca419ee2f3f4040b Mon Sep 17 00:00:00 2001 
From: Tad Date: Mon, 7 Aug 2017 01:22:08 -0400 Subject: Unify all profiles --- etc/0ad.profile | 24 ++++--- etc/2048-qt.profile | 17 +++-- etc/7z.profile | 25 ++++--- etc/Cryptocat.profile | 13 ++-- etc/Cyberfox.profile | 9 +-- etc/FossaMail.profile | 8 +-- etc/Mathematica.profile | 23 ++++--- etc/Telegram.profile | 8 +-- etc/Thunar.profile | 15 ++--- etc/VirtualBox.profile | 7 +- etc/Wire.profile | 9 +-- etc/abrowser.profile | 66 +++++++++---------- etc/akregator.profile | 19 +++--- etc/amarok.profile | 22 ++++--- etc/android-studio.profile | 18 ++--- etc/apktool.profile | 10 +-- etc/arduino.profile | 18 +++-- etc/ark.profile | 19 +++--- etc/arm.profile | 14 ++-- etc/atom-beta.profile | 13 ++-- etc/atom.profile | 13 ++-- etc/atool.profile | 19 +++--- etc/atril.profile | 14 ++-- etc/audacious.profile | 16 ++--- etc/audacity.profile | 12 ++-- etc/aweather.profile | 14 ++-- etc/baobab.profile | 12 ++-- etc/bibletime.profile | 21 +++--- etc/bitlbee.profile | 24 +++---- etc/bleachbit.profile | 15 ++--- etc/blender.profile | 13 ++-- etc/bless.profile | 22 ++----- etc/brasero.profile | 14 ++-- etc/caja.profile | 27 ++++---- etc/calibre.profile | 19 +++--- etc/catfish.profile | 23 +++---- etc/cherrytree.profile | 19 +++--- etc/chromium-browser.profile | 8 +-- etc/chromium.profile | 40 ++++++------ etc/claws-mail.profile | 17 +++-- etc/clementine.profile | 16 +++-- etc/clipit.profile | 17 ++--- etc/cmus.profile | 15 ++--- etc/conkeror.profile | 38 +++++------ etc/corebird.profile | 12 ++-- etc/cpio.profile | 31 +++++---- etc/cryptocat.profile | 7 +- etc/curl.profile | 17 +++-- etc/cvlc.profile | 19 +++--- etc/cyberfox.profile | 90 ++++++++++++------------- etc/darktable.profile | 14 ++-- etc/deadbeef.profile | 14 ++-- etc/deluge.profile | 25 +++---- etc/dex2jar.profile | 10 +-- etc/dia.profile | 15 +++-- etc/digikam.profile | 31 +++++---- etc/dillo.profile | 29 ++++---- etc/dino.profile | 18 +++-- etc/display.profile | 16 ++--- etc/dnscrypt-proxy.profile | 21 +++--- 
etc/dnsmasq.profile | 22 +++---- etc/dolphin.profile | 29 ++++---- etc/dosbox.profile | 13 ++-- etc/dragon.profile | 19 +++--- etc/dropbox.profile | 24 +++---- etc/ebook-viewer.profile | 11 ++-- etc/electron.profile | 11 +++- etc/elinks.profile | 19 +++--- etc/emacs.profile | 16 ++--- etc/empathy.profile | 14 ++-- etc/enchant.profile | 15 ++--- etc/engrampa.profile | 14 ++-- etc/eog.profile | 18 +++-- etc/eom.profile | 17 +++-- etc/epiphany.profile | 25 ++++--- etc/etr.profile | 41 +++++------- etc/evince.profile | 18 ++--- etc/evolution.profile | 25 ++++--- etc/exiftool.profile | 21 +++--- etc/fbreader.profile | 15 ++--- etc/feh.profile | 12 ++-- etc/file-roller.profile | 15 ++--- etc/file.profile | 21 +++--- etc/filezilla.profile | 15 ++--- etc/firefox-esr.profile | 10 +-- etc/firefox.profile | 98 +++++++++++++--------------- etc/flashpeak-slimjet.profile | 46 ++++++------- etc/flowblade.profile | 15 ++--- etc/fontforge.profile | 12 ++-- etc/fossamail.profile | 26 ++++---- etc/franz.profile | 32 ++++----- etc/frozen-bubble.profile | 38 +++++------ etc/gajim.profile | 50 +++++++------- etc/galculator.profile | 14 ++-- etc/geany.profile | 13 ++-- etc/geary.profile | 35 +++++----- etc/gedit.profile | 22 +++---- etc/geeqie.profile | 27 ++++---- etc/ghb.profile | 11 ++-- etc/gimp-2.8.profile | 7 +- etc/gimp.profile | 26 ++++---- etc/git.profile | 25 ++++--- etc/gitg.profile | 13 ++-- etc/gitter.profile | 14 ++-- etc/gjs.profile | 27 ++++---- etc/globaltime.profile | 15 +++-- etc/gnome-2048.profile | 28 ++++---- etc/gnome-books.profile | 22 +++---- etc/gnome-calculator.profile | 28 ++++---- etc/gnome-chess.profile | 15 ++--- etc/gnome-clocks.profile | 18 ++--- etc/gnome-contacts.profile | 22 +++---- etc/gnome-documents.profile | 21 +++--- etc/gnome-font-viewer.profile | 17 +++-- etc/gnome-maps.profile | 25 +++---- etc/gnome-mplayer.profile | 13 ++-- etc/gnome-music.profile | 16 ++--- etc/gnome-photos.profile | 21 +++--- etc/gnome-twitch.profile | 13 ++-- 
etc/gnome-weather.profile | 24 +++---- etc/goobox.profile | 14 ++-- etc/google-chrome-beta.profile | 35 +++++----- etc/google-chrome-stable.profile | 8 +-- etc/google-chrome-unstable.profile | 35 +++++----- etc/google-chrome.profile | 35 +++++----- etc/google-play-music-desktop-player.profile | 23 +++---- etc/gpa.profile | 15 ++--- etc/gpg-agent.profile | 19 +++--- etc/gpg.profile | 19 +++--- etc/gpicview.profile | 13 ++-- etc/gpredict.profile | 22 +++---- etc/gtar.profile | 9 +-- etc/gthumb.profile | 13 ++-- etc/guayadeque.profile | 14 ++-- etc/gucharmap.profile | 11 ++-- etc/gwenview.profile | 29 ++++---- etc/gzip.profile | 17 +++-- etc/handbrake-gtk.profile | 11 ++-- etc/handbrake.profile | 13 ++-- etc/hashcat.profile | 11 ++-- etc/hedgewars.profile | 23 ++++--- etc/hexchat.profile | 35 +++++----- etc/highlight.profile | 19 +++--- etc/hugin.profile | 12 ++-- etc/icecat.profile | 66 +++++++++---------- etc/icedove.profile | 34 +++++----- etc/iceweasel.profile | 10 +-- etc/idea.sh.profile | 20 +++--- etc/img2txt.profile | 18 ++--- etc/inkscape.profile | 17 +++-- etc/inox.profile | 27 ++++---- etc/iridium-browser.profile | 8 +-- etc/iridium.profile | 35 +++++----- etc/jd-gui.profile | 21 ++---- etc/jitsi.profile | 14 ++-- etc/k3b.profile | 24 +++---- etc/kate.profile | 21 +++--- etc/kcalc.profile | 11 ++-- etc/keepass.profile | 24 ++++--- etc/keepass2.profile | 8 +-- etc/keepassx.profile | 19 +++--- etc/keepassx2.profile | 17 +++-- etc/keepassxc.profile | 18 +++-- etc/kino.profile | 12 ++-- etc/kmail.profile | 13 ++-- etc/knotes.profile | 17 +++-- etc/kodi.profile | 18 ++--- etc/konversation.profile | 14 ++-- etc/ktorrent.profile | 37 +++++------ etc/kwrite.profile | 25 +++---- etc/leafpad.profile | 10 +-- etc/less.profile | 17 +++-- etc/libreoffice.profile | 20 +++--- etc/liferea.profile | 39 +++++------ etc/localc.profile | 10 +-- etc/lodraw.profile | 10 +-- etc/loffice.profile | 10 +-- etc/lofromtemplate.profile | 10 +-- etc/loimpress.profile | 10 +-- 
etc/lollypop.profile | 22 ++----- etc/lomath.profile | 10 +-- etc/loweb.profile | 10 +-- etc/lowriter.profile | 10 +-- etc/luminance-hdr.profile | 19 +++--- etc/lximage-qt.profile | 10 +-- etc/lxmusic.profile | 10 +-- etc/lxterminal.profile | 16 +++-- etc/lynx.profile | 21 +++--- etc/mate-calc.profile | 12 ++-- etc/mate-calculator.profile | 11 ++-- etc/mate-color-select.profile | 11 ++-- etc/mate-dictionary.profile | 12 ++-- etc/mathematica.profile | 8 +-- etc/mcabber.profile | 19 +++--- etc/mediainfo.profile | 21 +++--- etc/mediathekview.profile | 22 +++---- etc/meld.profile | 12 ++-- etc/midori.profile | 43 ++++++------ etc/mousepad.profile | 13 ++-- etc/mplayer.profile | 20 +++--- etc/mpv.profile | 20 +++--- etc/multimc5.profile | 31 ++++----- etc/mumble.profile | 19 +++--- etc/mupdf.profile | 24 ++++--- etc/mupen64plus.profile | 22 ++++--- etc/mutt.profile | 51 +++++++-------- etc/nautilus.profile | 27 ++++---- etc/nemo.profile | 14 ++-- etc/netsurf.profile | 31 +++++---- etc/nylas.profile | 15 ++--- etc/obs.profile | 11 ++-- etc/odt2txt.profile | 20 +++--- etc/okular.profile | 30 ++++----- etc/open-invaders.profile | 41 +++++------- etc/openshot.profile | 11 ++-- etc/opera-beta.profile | 26 ++++---- etc/opera.profile | 28 ++++---- etc/orage.profile | 12 ++-- etc/palemoon.profile | 69 ++++++++++---------- etc/parole.profile | 18 ++--- etc/pcmanfm.profile | 16 ++--- etc/pdfsam.profile | 20 ++---- etc/pdftotext.profile | 19 +++--- etc/peek.profile | 13 ++-- etc/picard.profile | 11 ++-- etc/pidgin.profile | 11 ++-- etc/pingus.profile | 41 +++++------- etc/pithos.profile | 23 +++---- etc/pix.profile | 13 ++-- etc/pluma.profile | 13 ++-- etc/polari.profile | 30 ++++----- etc/psi-plus.profile | 24 ++++--- etc/qbittorrent.profile | 37 ++++++----- etc/qemu-launcher.profile | 13 ++-- etc/qemu-system-x86_64.profile | 12 ++-- etc/qlipper.profile | 12 ++-- etc/qpdfview.profile | 15 ++--- etc/qtox.profile | 31 ++++----- etc/quassel.profile | 14 ++-- etc/quiterss.profile | 
31 +++++---- etc/qupzilla.profile | 33 +++++----- etc/qutebrowser.profile | 34 +++++----- etc/rambox.profile | 32 ++++----- etc/ranger.profile | 21 +++--- etc/remmina.profile | 13 ++-- etc/rhythmbox.profile | 16 +++-- etc/riot-web.profile | 10 ++- etc/ristretto.profile | 10 +-- etc/rtorrent.profile | 14 ++-- etc/scribus.profile | 36 +++++----- etc/sdat2img.profile | 12 ++-- etc/seamonkey-bin.profile | 8 +-- etc/seamonkey.profile | 65 +++++++++--------- etc/silentarmy.profile | 15 ++--- etc/simple-scan.profile | 21 +++--- etc/simutrans.profile | 41 +++++------- etc/skanlite.profile | 20 +++--- etc/skype.profile | 15 ++--- etc/skypeforlinux.profile | 15 ++--- etc/slack.profile | 27 ++++---- etc/smplayer.profile | 20 +++--- etc/soffice.profile | 10 +-- etc/soundconverter.profile | 10 +-- etc/spotify.profile | 48 +++++++------- etc/sqlitebrowser.profile | 11 ++-- etc/ssh-agent.profile | 22 ++++--- etc/ssh.profile | 22 ++++--- etc/start-tor-browser.profile | 12 ++-- etc/steam.profile | 37 +++++------ etc/stellarium.profile | 22 +++---- etc/strings.profile | 17 ++--- etc/supertux2.profile | 41 +++++------- etc/synfigstudio.profile | 14 ++-- etc/tar.profile | 21 +++--- etc/telegram-desktop.profile | 8 +-- etc/telegram.profile | 16 ++--- etc/thunar.profile | 7 +- etc/thunderbird.profile | 45 +++++++------ etc/totem.profile | 16 ++--- etc/tracker.profile | 25 ++++--- etc/transmission-cli.profile | 19 +++--- etc/transmission-gtk.profile | 21 +++--- etc/transmission-qt.profile | 21 +++--- etc/transmission-show.profile | 17 +++-- etc/truecraft.profile | 13 ++-- etc/uget-gtk.profile | 23 ++++--- etc/unbound.profile | 21 +++--- etc/unknown-horizons.profile | 39 +++++------ etc/unrar.profile | 17 +++-- etc/unzip.profile | 16 ++--- etc/uudeview.profile | 17 +++-- etc/uzbl-browser.profile | 40 +++++------- etc/viewnior.profile | 19 +++--- etc/viking.profile | 17 ++--- etc/vim.profile | 15 ++--- etc/virtualbox.profile | 31 ++++----- etc/vivaldi-beta.profile | 8 +-- 
etc/vivaldi-stable.profile | 7 +- etc/vivaldi.profile | 30 ++++----- etc/vlc.profile | 20 +++--- etc/vym.profile | 12 ++-- etc/w3m.profile | 21 +++--- etc/warzone2100.profile | 24 +++---- etc/waterfox.profile | 94 +++++++++++++------------- etc/weechat-curses.profile | 8 +-- etc/weechat.profile | 15 +++-- etc/wesnoth.profile | 31 +++++---- etc/wget.profile | 17 +++-- etc/wine.profile | 15 ++--- etc/wire.profile | 20 +++--- etc/wireshark-gtk.profile | 7 +- etc/wireshark-qt.profile | 7 +- etc/wireshark.profile | 36 +++++----- etc/xchat.profile | 13 ++-- etc/xed.profile | 13 ++-- etc/xfburn.profile | 15 ++--- etc/xfce4-dict.profile | 12 ++-- etc/xfce4-notes.profile | 14 ++-- etc/xiphos.profile | 22 +++---- etc/xmms.profile | 15 ++--- etc/xonotic-glx.profile | 11 +--- etc/xonotic-sdl.profile | 11 +--- etc/xonotic.profile | 25 +++---- etc/xpdf.profile | 13 ++-- etc/xplayer.profile | 13 ++-- etc/xreader.profile | 15 ++--- etc/xviewer.profile | 19 +++--- etc/xz.profile | 9 +-- etc/xzdec.profile | 17 +++-- etc/youtube-dl.profile | 15 ++--- etc/zathura.profile | 19 +++--- etc/zoom.profile | 19 +++--- 332 files changed, 3177 insertions(+), 3586 deletions(-) diff --git a/etc/0ad.profile b/etc/0ad.profile index 9f33af806..af6e32947 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile 
@@ -1,28 +1,26 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for 0ad +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/0ad.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for 0ad. noblacklist ~/.cache/0ad noblacklist ~/.config/0ad noblacklist ~/.local/share/0ad + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Whitelists +mkdir ~/.cache/0ad mkdir ~/.config/0ad -whitelist ~/.config/0ad - mkdir ~/.local/share/0ad -whitelist ~/.local/share/0ad - -mkdir ~/.cache/0ad whitelist ~/.cache/0ad +whitelist ~/.config/0ad +whitelist ~/.local/share/0ad +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -35,9 +33,9 @@ seccomp shell none tracelog +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index 2f3efe743..d8c402d34 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile 
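Review bot: `+include /etc/firejail/whitelist-common.inc` at the end of the 0ad whitelist block is a behavioural change, not a reorder — the old file whitelisted only the three 0ad directories, and this include presumably pulls in the shared whitelist entries (its contents are not visible here), so the set of paths visible inside the sandbox changes. The aweather hunk later in the patch gains the same line. A commit titled "Unify all profiles" reads as layout-only, so either mention the widened whitelist in the description or land that line separately where it can be reviewed and bisected on its own. The second 0ad hunk only moves `disable-mnt` and needs nothing.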
@@ -1,20 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for 2048-qt +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/2048-qt.local +# Persistent global definitions +include /etc/firejail/globals.local -noblacklist ~/.config/xiaoyong noblacklist ~/.config/2048-qt +noblacklist ~/.config/xiaoyong include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter nogroups nonewprivs @@ -25,9 +24,9 @@ protocol unix seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/7z.profile b/etc/7z.profile index c7c857dc8..5e2b76f18 100644 --- a/etc/7z.profile +++ b/etc/7z.profile @@ -1,23 +1,22 @@ +# Firejail profile for 7z +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/7z.local - -# 7zip crompression tool profile -ignore noroot - -include /etc/firejail/default.profile +# Persistent global definitions +include /etc/firejail/globals.local blacklist /tmp/.X11-unix -tracelog +ignore noroot net none +no3d +nosound nosound novideo shell none +tracelog + private-dev -nosound -no3d + +include /etc/firejail/default.profile diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index 7ee918bbe..dc45a32b7 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile 
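Review bot: In the 7z hunk the added `+nosound` lands directly above the context line `nosound`, so the new file lists `nosound` twice (the old file had the duplicate split between the top and the `private-dev` block; the cleanup moved it rather than removed it) — drop the added line. Moving `include /etc/firejail/default.profile` to the bottom is fine as long as `ignore noroot` keeps preceding it, since as far as I recall firejail only honours `ignore` for directives parsed after it; a one-line comment such as `# ignore must come before the include it applies to` would keep the next tidy-up from flipping them. Style nit: `quiet` now sits between `# This file is overwritten after every install/update` and `# Persistent local customizations` in both 7z and apktool (further down), splitting the unified header block; placing it after the header keeps the block intact.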
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for Cryptocat +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/Cryptocat.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Cryptocat noblacklist ${HOME}/.config/Cryptocat include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/Cyberfox.profile b/etc/Cyberfox.profile index f188545d1..4d0f7cac8 100644 --- a/etc/Cyberfox.profile +++ b/etc/Cyberfox.profile @@ -1,10 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for cyberfox +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/Cyberfox.local - -# Firejail profile for Cyberfox (based on Mozilla Firefox) include /etc/firejail/cyberfox.profile diff --git a/etc/FossaMail.profile b/etc/FossaMail.profile index 6f5cd8cf0..3b8c093ef 100644 --- a/etc/FossaMail.profile +++ b/etc/FossaMail.profile @@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for fossamail +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/FossaMail.local -# Firejail profile for FossaMail include /etc/firejail/fossamail.profile diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index e634a5d60..8f6e33f7b 100644 
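Review bot: The Cyberfox alias drops `include /etc/firejail/Cyberfox.local`, so an administrator's existing customizations in that file silently stop applying after this update; the FossaMail hunk on this line does the same to FossaMail.local, and the Telegram, VirtualBox and Wire hunks below do it to their .local files. Assuming cyberfox.profile includes cyberfox.local (not shown here), the fix is either to keep the alias's own include for backward compatibility or to point users at the new location in the header, e.g. `# Persistent local customizations go in /etc/firejail/cyberfox.local`. Either way the change deserves a mention in the commit description.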
--- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -1,26 +1,25 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for Mathematica +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/Mathematica.local +# Persistent global definitions +include /etc/firejail/globals.local -# Mathematica profile noblacklist ${HOME}/.Mathematica noblacklist ${HOME}/.Wolfram Research +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + mkdir ~/.Mathematica -whitelist ~/.Mathematica mkdir ~/.Wolfram Research +whitelist ~/.Mathematica whitelist ~/.Wolfram Research whitelist ~/Documents/Wolfram Mathematica include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all nonewprivs noroot diff --git a/etc/Telegram.profile b/etc/Telegram.profile index 7b44a62f1..844595b3f 100644 --- a/etc/Telegram.profile +++ b/etc/Telegram.profile @@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for telegram +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/Telegram.local -# Telegram profile include /etc/firejail/telegram.profile diff --git a/etc/Thunar.profile b/etc/Thunar.profile index 30db6f023..7bb66240e 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile 
@@ -1,19 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for Thunar +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/Thunar.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for thunar +noblacklist ${HOME}/.local/share/Trash noblacklist ~/.config/Thunar noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml -noblacklist ${HOME}/.local/share/Trash include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +# include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/VirtualBox.profile b/etc/VirtualBox.profile index af5ee529b..706a3611b 100644 --- a/etc/VirtualBox.profile +++ b/etc/VirtualBox.profile @@ -1,8 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for virtualbox +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/VirtualBox.local include /etc/firejail/virtualbox.profile diff --git a/etc/Wire.profile b/etc/Wire.profile index 3c8c02b52..a2c0f0099 100644 --- a/etc/Wire.profile +++ b/etc/Wire.profile @@ -1,10 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for wire +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/Wire.local - -# wire messenger profile include /etc/firejail/wire.profile 
diff --git a/etc/abrowser.profile b/etc/abrowser.profile index f4470b327..a7fbb63d9 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile 
@@ -1,50 +1,46 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for abrowser +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/abrowser.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Abrowser -noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.mozilla noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.mozilla -whitelist ~/.mozilla mkdir ~/.cache/mozilla/abrowser +mkdir ~/.mozilla +whitelist ${DOWNLOADS} +whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.cache/mozilla/abrowser -whitelist ~/dwhelper -whitelist ~/.zotero -whitelist ~/.vimperatorrc -whitelist ~/.vimperator -whitelist ~/.pentadactylrc -whitelist ~/.pentadactyl -whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer -whitelist ~/.cache/gnome-mplayer/plugin -whitelist ~/.pki +whitelist ~/.config/pipelight-silverlight5.1 +whitelist ~/.config/pipelight-widevine +whitelist ~/.keysnail.js whitelist ~/.lastpass - -# silverlight +whitelist ~/.mozilla +whitelist ~/.pentadactyl +whitelist ~/.pentadactylrc +whitelist ~/.pki +whitelist ~/.vimperator +whitelist ~/.vimperatorrc whitelist ~/.wine-pipelight whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine -whitelist ~/.config/pipelight-silverlight5.1 - +whitelist ~/.zotero +whitelist ~/dwhelper include /etc/firejail/whitelist-common.inc -# experimental features -#private-etc 
passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse diff --git a/etc/akregator.profile b/etc/akregator.profile index ed79f0e94..77868dac7 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile @@ -1,34 +1,35 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for akregator +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/akregator.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/akregatorrc noblacklist ${HOME}/.local/share/akregator include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups nonewprivs noroot -#nosound novideo protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# nosound diff --git a/etc/amarok.profile b/etc/amarok.profile index d521b35b8..69f41bb1b 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile 
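Review bot: The reorganization strips the context from commented-out directives: in abrowser, `# experimental features` and `# silverlight` are removed while the `# private-etc …` line and the pipelight whitelists they explained stay, and in akregator the disabled `#nosound` is moved from the `noroot`/`novideo` block into a `# CLOBBERED COMMENTS` trailer at the end of the file (amarok's `# seccomp` and android-studio's `# nosound` on the next line get the same treatment). A trailer named "clobbered" tells a maintainer nothing about why a hardening option is off, and for amarok it hides that the profile runs without a seccomp filter. Keep each disabled directive in its original position and replace the generic heading with the reason it is disabled, e.g. `# seccomp - disabled: <reason>`, or a TODO if nobody remembers.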
@@ -1,26 +1,28 @@ -# Persistent global definitions go here +# Firejail profile for amarok +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/amarok.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/amarok.local -# amarok profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter nogroups nonewprivs noroot -shell none -#seccomp protocol unix,inet,inet6 +shell none -#private-bin amarok +# private-bin amarok private-dev +# private-etc none private-tmp -#private-etc none + +# CLOBBERED COMMENTS +# seccomp diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 68a3cdc85..86e19f838 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile @@ -1,11 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for android-studio +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/android-studio.local - -# Firejail profile for Android Studio +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.AndroidStudio* noblacklist ${HOME}/.android @@ -25,13 +23,15 @@ netfilter nogroups nonewprivs noroot -#nosound novideo protocol unix,inet,inet6 seccomp shell none private-dev -#private-tmp +# private-tmp noexec /tmp + +# CLOBBERED COMMENTS +# nosound diff --git a/etc/apktool.profile b/etc/apktool.profile index d0905e253..e057e4c0f 100644 --- a/etc/apktool.profile +++ b/etc/apktool.profile 
@@ -1,12 +1,12 @@ +# Firejail profile for apktool +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/apktool.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/apktool.local -# Firejail profile for apktool include /etc/firejail/disable-common.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/arduino.profile b/etc/arduino.profile index ff605501d..2734e59a4 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile @@ -1,22 +1,20 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for arduino +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/arduino.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for arduino noblacklist ${HOME}/.arduino15 -noblacklist ${HOME}/Arduino noblacklist ${HOME}/.java +noblacklist ${HOME}/Arduino include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups diff --git a/etc/ark.profile b/etc/ark.profile index 007748ed1..7c8574973 100644 --- a/etc/ark.profile +++ b/etc/ark.profile 
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for ark +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/ark.local +# Persistent global definitions +include /etc/firejail/globals.local -# ark profile noblacklist ~/.config/arkrc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -19,11 +18,11 @@ nogroups nonewprivs noroot nosound -shell none -seccomp protocol unix +seccomp +shell none # private-bin private-dev -private-tmp # private-etc +private-tmp diff --git a/etc/arm.profile b/etc/arm.profile index 3000c35d7..5686c3301 100644 --- a/etc/arm.profile +++ b/etc/arm.profile @@ -1,11 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/arm.local - # Firejail profile for arm +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/arm.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.arm @@ -33,7 +31,7 @@ shell none tracelog disable-mnt -#private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig +# private-bin arm,tor,sh,python2,python2.7,ps,lsof,ldconfig private-dev private-etc tor,passwd private-tmp diff --git a/etc/atom-beta.profile b/etc/atom-beta.profile index 367aa5672..acce287c7 100644 --- a/etc/atom-beta.profile +++ b/etc/atom-beta.profile 
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for atom-beta +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/atom-beta.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Atom Beta. noblacklist ~/.atom noblacklist ~/.config/Atom include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/atom.profile b/etc/atom.profile index 726682617..0b763997e 100644 --- a/etc/atom.profile +++ b/etc/atom.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for atom +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/atom.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Atom. noblacklist ~/.atom noblacklist ~/.config/Atom include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/atool.profile b/etc/atool.profile index 49637aa21..a1da26076 100644 --- a/etc/atool.profile +++ b/etc/atool.profile 
@@ -1,18 +1,20 @@ -# Persistent global definitions go here +# Firejail profile for atool +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/atool.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/atool.local +blacklist /tmp/.X11-unix -# atool profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d nogroups nonewprivs noroot @@ -20,13 +22,10 @@ nosound novideo protocol unix seccomp -no3d shell none tracelog -blacklist /tmp/.X11-unix - # private-bin atool -private-tmp private-dev private-etc none +private-tmp diff --git a/etc/atril.profile b/etc/atril.profile index 0abad494a..5cac339ca 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -1,17 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for atril +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/atril.local +# Persistent global definitions +include /etc/firejail/globals.local -# Atril profile noblacklist ~/.config/atril noblacklist ~/.local/share + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups diff --git a/etc/audacious.profile b/etc/audacious.profile index a8379eb65..15bf6c013 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile 
@@ -1,17 +1,17 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for audacious
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/audacious.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Audacious media player profile
-noblacklist ~/.config/audacious
 noblacklist ~/.config/Audaciousrc
+noblacklist ~/.config/audacious
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 7c2072960..0f88886e7 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -1,11 +1,10 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for audacity
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/audacity.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Audacity profile
 noblacklist ~/.audacity-data
 include /etc/firejail/disable-common.inc
@@ -14,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 net none
 no3d
 nogroups
diff --git a/etc/aweather.profile b/etc/aweather.profile
index 9d8e336cd..9068c39c7 100644
--- a/etc/aweather.profile
+++ b/etc/aweather.profile
@@ -1,20 +1,20 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for aweather
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/aweather.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for aweather.
 noblacklist ~/.config/aweather
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Whitelist
 mkdir ~/.config/aweather
 whitelist ~/.config/aweather
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
diff --git a/etc/baobab.profile b/etc/baobab.profile
index 887e271e3..1336a220c 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -1,15 +1,15 @@
-# Persistent global definitions go here
+# Firejail profile for baobab
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/baobab.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/baobab.local
-# Firejail profile for Baobab
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-#include /etc/firejail/disable-programs.inc
+# include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
diff --git a/etc/bibletime.profile b/etc/bibletime.profile
index 2162151a1..d59c8e05c 100644
--- a/etc/bibletime.profile
+++ b/etc/bibletime.profile
@@ -1,11 +1,13 @@
-# Persistent global definitions go here
+# Firejail profile for bibletime
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bibletime.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/bibletime.local
+blacklist ~/.Xauthority
+blacklist ~/.bashrc
-# Firejail profile for BibleTime
 noblacklist ~/.bibletime
 noblacklist ~/.config/qt5ct
 noblacklist ~/.sword
@@ -15,13 +17,10 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-blacklist ~/.bashrc
-blacklist ~/.Xauthority
-
 whitelist ${HOME}/.bibletime
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.sword
-
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
@@ -35,7 +34,7 @@ seccomp
 shell none
 tracelog
-#private-bin bibletime,qt5ct
-private-etc fonts,resolv.conf,sword,sword.conf,passwd
+# private-bin bibletime,qt5ct
 private-dev
+private-etc fonts,resolv.conf,sword,sword.conf,passwd
 private-tmp
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 2ecc0c425..9c32cca44 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -1,13 +1,13 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for bitlbee
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/bitlbee.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# BitlBee instant messaging profile
 noblacklist /sbin
 noblacklist /usr/sbin
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,16 +16,16 @@ include /etc/firejail/disable-programs.inc
 netfilter
 no3d
 nonewprivs
-private
-private-dev
-protocol unix,inet,inet6
-seccomp
 nosound
 novideo
-read-write /var/lib/bitlbee
+protocol unix,inet,inet6
+seccomp
+disable-mnt
+private
+private-dev
 private-dev
 private-tmp
-disable-mnt
+read-write /var/lib/bitlbee
 noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index f2553cd9c..dab328163 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -1,18 +1,17 @@
-# Persistent global definitions go here
+# Firejail profile for bleachbit
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/bleachbit.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/bleachbit.local
-# bleachbit profile
 include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 net none
 no3d
 nogroups
@@ -26,8 +25,8 @@ shell none
 # private-bin
 # private-dev
-# private-tmp
 # private-etc
+# private-tmp
 memory-deny-write-execute
 noexec ${HOME}
diff --git a/etc/blender.profile b/etc/blender.profile
index b9757913d..f4c566c0d 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
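Review bot: The new side of this hunk ends with `private-dev` twice in a row, the added `+private-dev` immediately followed by the context `private-dev`, so the unified profile keeps the duplicate the old file already had. Since the commit is sorting each profile's directives anyway, this is the moment to drop one of them; the cpio hunk keeps a duplicated `net none` for the same reason. Firejail presumably just applies the option twice, so this is tidiness rather than a behavioural problem, but a duplicate in a "unified" profile is the kind of thing the next contributor copies.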
@@ -1,15 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for blender
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/blender.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ~/.config/blender
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
diff --git a/etc/bless.profile b/etc/bless.profile
index 25881fa3d..6c6558b1c 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -1,26 +1,18 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for bless
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/bless.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-#
-#Profile for bless
-#
-
-#No Blacklist Paths
 noblacklist ${HOME}/.config/bless
-#Blacklist Paths
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-#Options
 caps.drop all
-#ipc-namespace
 net none
 no3d
 nogroups
diff --git a/etc/brasero.profile b/etc/brasero.profile
index cafb9f39a..ee7fe8efa 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -1,20 +1,18 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for brasero
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/brasero.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# brasero profile
 noblacklist ~/.config/brasero
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 nogroups
 nonewprivs
 noroot
diff --git a/etc/caja.profile b/etc/caja.profile
index a724e76b1..adbcc09b9 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -1,24 +1,18 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for caja
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/caja.local
-
-# Caja profile for Firejail
-
-# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
-# is already a caja process running on MATE desktops firejail will have no effect.
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ~/.config/caja
-noblacklist ~/.local/share/caja-python
 noblacklist ~/.local/share/Trash
+noblacklist ~/.local/share/caja-python
 include /etc/firejail/disable-common.inc
-# caja needs to be able to start arbitrary applications so we cannot blacklist their files
-#include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+# include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -31,6 +25,11 @@ shell none
 tracelog
 # private-bin caja
-# private-tmp
 # private-dev
 # private-etc fonts
+# private-tmp
+
+# CLOBBERED COMMENTS
+# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there
+# caja needs to be able to start arbitrary applications so we cannot blacklist their files
+# is already a caja process running on MATE desktops firejail will have no effect.
diff --git a/etc/calibre.profile b/etc/calibre.profile
index b75e0c276..726a33db8 100644
--- a/etc/calibre.profile
+++ b/etc/calibre.profile
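Review bot: The `# CLOBBERED COMMENTS` block at the end of this hunk sorts the three caja comment lines alphabetically, which splits the two-line sentence about the systemd-started caja process around an unrelated line and detaches `# caja needs to be able to start arbitrary applications so we cannot blacklist their files` from the `# include /etc/firejail/disable-programs.inc` line it justifies. Whoever next tightens this profile finds nothing next to that include explaining why it is disabled, which is exactly when such a comment earns its keep. Move the justification back above the include and restore the systemd paragraph in its original order, rather than appending it as a sorted afterthought. The same treatment is needed in catfish, where the moved lines interleave with the existing `# These options work but are disabled in case` comment so neither reads as a sentence; in chromium, where the disabled option `#disable-mnt` turns into the prose line `# disable-mnt`; in clementine, where the ioprio_set reason for the custom `seccomp.drop` list is separated from it; and in cpio, cvlc and deluge.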
@@ -1,20 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for calibre
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/calibre.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-noblacklist ~/.config/calibre
 noblacklist ~/.cache/calibre
+noblacklist ~/.config/calibre
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 netfilter
 no3d
 nogroups
@@ -27,7 +26,7 @@ seccomp
 shell none
 tracelog
-#private-bin
+# private-bin
 private-dev
 private-tmp
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 0deaca1b5..9fef3dc83 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -1,15 +1,12 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for catfish
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/catfish.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for catfish
 noblacklist ~/.config/catfish
-# We can't blacklist much since catfish
-# is for finding files/content
 include /etc/firejail/disable-devel.inc
 caps.drop all
@@ -25,8 +22,12 @@ seccomp
 shell none
 tracelog
+# private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
+# private-dev
+# private-tmp
+
+# CLOBBERED COMMENTS
 # These options work but are disabled in case
+# We can't blacklist much since catfish
 # a users wants to search in these directories.
-#private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m
-#private-dev
-#private-tmp
+# is for finding files/content
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index b1acd78f2..8aa11a0e6 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -1,22 +1,20 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for cherrytree
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/cherrytree.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# cherrytree note taking application
+noblacklist ${HOME}/.config/cherrytree
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*
-noblacklist ${HOME}/.config/cherrytree
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 netfilter
 no3d
 nogroups
@@ -34,3 +32,6 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# cherrytree note taking application
diff --git a/etc/chromium-browser.profile b/etc/chromium-browser.profile
index 652976016..dcafbaaa9 100644
--- a/etc/chromium-browser.profile
+++ b/etc/chromium-browser.profile
@@ -1,9 +1,5 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for chromium
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/chromium-browser.local
-# Chromium browser profile
 include /etc/firejail/chromium.profile
diff --git a/etc/chromium.profile b/etc/chromium.profile
index 8266770d7..97149d4d4 100644
--- a/etc/chromium.profile
+++ b/etc/chromium.profile
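Review bot: Removing `include /etc/firejail/chromium-browser.local` means a customisation a user already keeps in that file is silently no longer applied after the update, and the new two-line header does not say where such customisations belong now; the cryptocat alias gets the same change. If dropping the alias-specific `.local` is intended, state it in the header, e.g. `# Persistent local customizations go in /etc/firejail/chromium.local`, so the alias documents the one hook that still works. That keeps the alias as short as the commit wants it while not leaving users to discover the change from a sandbox that behaves differently.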
@@ -1,41 +1,41 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for chromium
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/chromium.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Chromium browser profile
-noblacklist ~/.config/chromium
 noblacklist ~/.cache/chromium
-noblacklist ~/.pki
-# specific to Arch
+noblacklist ~/.config/chromium
 noblacklist ~/.config/chromium-flags.conf
+noblacklist ~/.pki
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-# chromium is distributed with a perl script on Arch
 # include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
-whitelist ${DOWNLOADS}
-mkdir ~/.config/chromium
-whitelist ~/.config/chromium
 mkdir ~/.cache/chromium
-whitelist ~/.cache/chromium
+mkdir ~/.config/chromium
 mkdir ~/.pki
-whitelist ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/chromium
+whitelist ~/.config/chromium
 whitelist ~/.config/chromium-flags.conf
-
+whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 caps.keep sys_chroot,sys_admin
-#ipc-namespace
 netfilter
 nogroups
 shell none
 private-dev
-#private-tmp - problems with multiple browser sessions
-#disable-mnt
+# private-tmp - problems with multiple browser sessions
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# chromium is distributed with a perl script on Arch
+# disable-mnt
+# specific to Arch
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index c626e7b74..730e27e33 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,25 +1,24 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for claws-mail
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/claws-mail.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# claws-mail profile
 noblacklist ~/.claws-mail
-noblacklist ~/.signature
 noblacklist ~/.gnupg
+noblacklist ~/.signature
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-nogroups
 nosound
 protocol unix,inet,inet6
 seccomp
diff --git a/etc/clementine.profile b/etc/clementine.profile
index ccacc632d..a69be26df 100644
--- a/etc/clementine.profile
+++ b/etc/clementine.profile
@@ -1,20 +1,22 @@
-# Persistent global definitions go here
+# Firejail profile for clementine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/clementine.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/clementine.local
-# Clementine media player profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nonewprivs
 noroot
 novideo
 protocol unix,inet,inet6
-# Clementine makes ioprio_set system calls, which are blacklisted by default.
 seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old
+
+# CLOBBERED COMMENTS
+# Clementine makes ioprio_set system calls, which are blacklisted by default.
diff --git a/etc/clipit.profile b/etc/clipit.profile
index b44041cbf..444943061 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -1,16 +1,17 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for clipit
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/clipit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-noblacklist ${HOME}/.local/share/clipit
 noblacklist ${HOME}/.config/clipit
+noblacklist ${HOME}/.local/share/clipit
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -24,9 +25,9 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 399e81160..fc6476267 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for cmus
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/cmus.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# cmus profile
 noblacklist ${HOME}/.config/cmus
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -19,7 +18,7 @@ nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
 private-bin cmus
 private-etc group
-shell none
diff --git a/etc/conkeror.profile b/etc/conkeror.profile
index ccff4317d..b4cd3369a 100644
--- a/etc/conkeror.profile
+++ b/etc/conkeror.profile
@@ -1,31 +1,31 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for conkeror
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/conkeror.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for Conkeror web browser profile
 noblacklist ${HOME}/.conkeror.mozdev.org
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
+whitelist ~/.conkeror.mozdev.org
+whitelist ~/.conkerorrc
+whitelist ~/.gtkrc-2.0
+whitelist ~/.lastpass
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.zotero
+whitelist ~/Downloads
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+
 caps.drop all
 netfilter
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-
-whitelist ~/.conkeror.mozdev.org
-whitelist ~/Downloads
-whitelist ~/dwhelper
-whitelist ~/.zotero
-whitelist ~/.lastpass
-whitelist ~/.gtkrc-2.0
-whitelist ~/.vimperatorrc
-whitelist ~/.vimperator
-whitelist ~/.pentadactylrc
-whitelist ~/.pentadactyl
-whitelist ~/.conkerorrc
-include /etc/firejail/whitelist-common.inc
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 9ecfb36a5..62941164f 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
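Review bot: The whitelist block this hunk moves still reads `whitelist ~/Downloads`, while the chromium, cyberfox and deluge hunks in the same commit use `whitelist ${DOWNLOADS}`; a unification commit is the natural place to align them, since the hard-coded path presumably leaves out users whose download directory is configured somewhere else. The same kind of inconsistency is the `${HOME}/.conkeror.mozdev.org` in the noblacklist line next to `~/.conkeror.mozdev.org` in the whitelist line, harmless if both expand identically but worth one spelling per profile.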
@@ -1,15 +1,15 @@
-# Persistent global definitions go here
+# Firejail profile for corebird
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/corebird.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/corebird.local
-# Firejail corebird profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
diff --git a/etc/cpio.profile b/etc/cpio.profile
index fe1dc0408..cd9b9ad7c 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -1,28 +1,31 @@
+# Firejail profile for cpio
+# This file is overwritten after every install/update
 quiet
-# Persistent global definitions go here
+# Persistent local customizations
+include /etc/firejail/cpio.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/cpio.local
+blacklist /tmp/.X11-unix
-# cpio profile
-# /sbin and /usr/sbin are visible inside the sandbox
-# /boot is not visible and /var is heavily modified
 noblacklist /sbin
 noblacklist /usr/sbin
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-private-dev
-seccomp
 caps.drop all
 net none
-shell none
-tracelog
 net none
-nosound
 no3d
+nosound
+seccomp
+shell none
+tracelog
-blacklist /tmp/.X11-unix
+private-dev
+
+# CLOBBERED COMMENTS
+# /boot is not visible and /var is heavily modified
+# /sbin and /usr/sbin are visible inside the sandbox
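Review bot: In the rewritten cpio header the context line `quiet` now sits between `# This file is overwritten after every install/update` and `# Persistent local customizations`, splitting the five-line comment block that every other profile in this commit opens with; the curl and dex2jar hunks have the same layout. Unless `quiet` has to precede the includes, moving it to the very first line, or to just after `include /etc/firejail/globals.local`, keeps the header byte-identical across profiles, which is the point of the change. The two `# /sbin and /usr/sbin …` and `# /boot …` lines would also be more useful back above `noblacklist /sbin` than in the sorted block at the end.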
diff --git a/etc/cryptocat.profile b/etc/cryptocat.profile
index 1f6366a3d..021ce32d4 100644
--- a/etc/cryptocat.profile
+++ b/etc/cryptocat.profile
@@ -1,8 +1,5 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for Cryptocat
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/cryptocat.local
 include /etc/Cryptocat.profile
diff --git a/etc/curl.profile b/etc/curl.profile
index 58b5f050a..34874d270 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -1,19 +1,20 @@
+# Firejail profile for curl
+# This file is overwritten after every install/update
 quiet
-# Persistent global definitions go here
+# Persistent local customizations
+include /etc/firejail/curl.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/curl.local
+blacklist /tmp/.X11-unix
-# curl profile
 noblacklist ~/.curlrc
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 netfilter
 no3d
 nogroups
@@ -24,8 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
-blacklist /tmp/.X11-unix
-
 # private-bin curl
 private-dev
 # private-etc resolv.conf
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index 921d505a9..0b63151a8 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
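Review bot: After this hunk the cryptocat alias consists solely of the context line `include /etc/Cryptocat.profile`, whose path lacks the `firejail/` directory every other include in this commit uses; unless the file really is installed at `/etc/Cryptocat.profile`, the alias now resolves to no profile content at all, whereas before it at least pulled in globals.local and cryptocat.local. Worth confirming that `include /etc/firejail/Cryptocat.profile` is what was meant before the alias is reduced to that single line, since a sandbox started through a dangling alias is easy to mistake for a working one.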
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
+# Firejail profile for cvlc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cvlc.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/vlc.local
-
-# Firejail profile for CVLC
 noblacklist ${HOME}/.config/vlc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -23,9 +22,11 @@ seccomp
 shell none
 tracelog
-# clvc doesn't like private-bin
-#private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 private-tmp
 memory-deny-write-execute
+
+# CLOBBERED COMMENTS
+# clvc doesn't like private-bin
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index 45fc00d6f..3c18ef002 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
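Review bot: The local-customisation include changes from `include /etc/firejail/vlc.local` to `include /etc/firejail/cvlc.local`, so a user who tuned vlc.local to cover both vlc and cvlc loses that tuning for cvlc on the next update, and neither the commit message nor the profile mentions it. If the split is intentional, a header line noting that cvlc no longer reads vlc.local would save the surprise; if sharing was the intent, keeping `include /etc/firejail/vlc.local` next to the new line preserves it. The `# clvc doesn't like private-bin` comment in the second hunk would also read better left beside the `# private-bin …` line it explains than in the sorted block at the end.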
@@ -1,75 +1,69 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for cyberfox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/cyberfox.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Cyberfox (based on Mozilla Firefox) noblacklist ~/.8pecxstudios noblacklist ~/.cache/8pecxstudios +noblacklist ~/.config/okularpartrc +noblacklist ~/.config/okularrc noblacklist ~/.config/qpdfview -noblacklist ~/.local/share/qpdfview -noblacklist ~/.kde4/share/apps/okular noblacklist ~/.kde/share/apps/okular +noblacklist ~/.kde4/share/apps/okular noblacklist ~/.local/share/okular -noblacklist ~/.config/okularpartrc -noblacklist ~/.config/okularrc +noblacklist ~/.local/share/qpdfview noblacklist ~/.pki include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -caps.drop all -# ipc-namespace crashes cyberfox on some setups -netfilter -nogroups -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -shell none -tracelog - -whitelist ${DOWNLOADS} mkdir ~/.8pecxstudios -whitelist ~/.8pecxstudios mkdir ~/.cache/8pecxstudios +mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.8pecxstudios whitelist ~/.cache/8pecxstudios -whitelist ~/dwhelper -whitelist ~/.zotero -whitelist ~/.vimperatorrc -whitelist ~/.vimperator -whitelist ~/.pentadactylrc -whitelist ~/.pentadactyl -whitelist ~/.keysnail.js -whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin -mkdir ~/.pki -whitelist ~/.pki -whitelist ~/.lastpass -whitelist ~/.config/qpdfview -whitelist ~/.local/share/qpdfview -whitelist ~/.config/okularrc +whitelist ~/.config/gnome-mplayer whitelist ~/.config/okularpartrc -whitelist 
~/.kde4/share/apps/okular +whitelist ~/.config/okularrc +whitelist ~/.config/pipelight-silverlight5.1 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/qpdfview whitelist ~/.kde/share/apps/okular +whitelist ~/.kde4/share/apps/okular +whitelist ~/.keysnail.js +whitelist ~/.lastpass whitelist ~/.local/share/okular - -# silverlight +whitelist ~/.local/share/qpdfview +whitelist ~/.pentadactyl +whitelist ~/.pentadactylrc +whitelist ~/.pki +whitelist ~/.vimperator +whitelist ~/.vimperatorrc whitelist ~/.wine-pipelight whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine -whitelist ~/.config/pipelight-silverlight5.1 - +whitelist ~/.zotero +whitelist ~/dwhelper include /etc/firejail/whitelist-common.inc -# experimental features -#private-bin cyberfox,which,sh,dbus-launch,dbus-send,env -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse -# private-dev might prevent video calls going out +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +# private-bin cyberfox,which,sh,dbus-launch,dbus-send,env private-dev +# private-dev might prevent video calls going out +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,cyberfox,mime.types,mailcap,asound.conf,pulse private-tmp noexec ${HOME} diff --git a/etc/darktable.profile b/etc/darktable.profile index eca2ae6c5..47d4710ad 100644 --- a/etc/darktable.profile +++ b/etc/darktable.profile 
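Review bot: The removed line `# ipc-namespace crashes cyberfox on some setups` is not carried over anywhere on the new side, so the one comment recording why this profile deliberately omits `ipc-namespace` is gone, and a later cleanup that adds it for consistency with other profiles could reintroduce the crash without anyone noticing the history. Keep it in the new option block on the line before `caps.drop all`, as `# ipc-namespace crashes cyberfox on some setups`. Less important but the same pattern: `# private-dev might prevent video calls going out` now follows the `private-dev` line it qualifies instead of preceding it, and the `# silverlight` heading that grouped the four pipelight whitelists is dropped, so that group is no longer recognisable once the entries are sorted.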
@@ -1,19 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for darktable
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/darktable.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ~/.cache/darktable
 noblacklist ~/.config/darktable
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 netfilter
 nogroups
 nonewprivs
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 486df1d99..905920d42 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -1,20 +1,18 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for deadbeef
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/deadbeef.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# DeaDBeeF media player profile
 noblacklist ${HOME}/.config/deadbeef
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-#ipc-namespace
 netfilter
 no3d
 nogroups
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 4e7d90e53..ed115b024 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -1,22 +1,20 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for deluge +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/deluge.local +# Persistent global definitions +include /etc/firejail/globals.local -# deluge bittorrent client profile noblacklist ${HOME}/.config/deluge include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -# deluge is using python on Debian -#include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/deluge -whitelist ${HOME}/.config/deluge whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/deluge include /etc/firejail/whitelist-common.inc caps.drop all @@ -27,8 +25,11 @@ nosound novideo protocol unix,inet,inet6 seccomp - shell none -#private-bin deluge,sh,python,uname + +# private-bin deluge,sh,python,uname private-dev private-tmp + +# CLOBBERED COMMENTS +# deluge is using python on Debian diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile index 6d3aaa224..5e971a5d4 100644 --- a/etc/dex2jar.profile +++ b/etc/dex2jar.profile @@ -1,12 +1,12 @@ +# Firejail profile for dex2jar +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/dex2jar.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/dex2jar.local -# Firejail profile for dex2jar include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc 
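Review bot: The reason `include /etc/firejail/disable-devel.inc` is commented out has been separated from the directive: it now sits at the end of the file under `# CLOBBERED COMMENTS` as `# deluge is using python on Debian`, so the next person tidying the profile has no cue that re-enabling the include will break deluge. I would keep the rationale on the line directly above the disabled include: `# deluge is using python on Debian` followed by `# include /etc/firejail/disable-devel.inc`. The same detachment (a why-comment moved into a trailing block away from the line it explains) recurs in other profiles in this commit, so it is worth fixing in whatever script produced these rewrites rather than profile by profile.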
diff --git a/etc/dia.profile b/etc/dia.profile index 71d8a249b..2072314cb 100644 --- a/etc/dia.profile +++ b/etc/dia.profile @@ -1,15 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dia +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dia.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.dia + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -23,9 +24,9 @@ protocol unix seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/digikam.profile b/etc/digikam.profile index d81d00ed3..0ff437608 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile 
@@ -1,36 +1,35 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for digikam +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/digikam.local +# Persistent global definitions +include /etc/firejail/globals.local -noblacklist ${HOME}/.kde4/share/apps/digikam -noblacklist ${HOME}/.kde/share/apps/digikam noblacklist ${HOME}/.config/digikamrc +noblacklist ${HOME}/.kde/share/apps/digikam +noblacklist ${HOME}/.kde4/share/apps/digikam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink - -# This is a seccomp whitelist profile for Debian jessie, Kubuntu 17.04. -# Uncomment seccomp.keep line and try it out. By default only the regular seccomp blacklist profile is enabled. 
-#seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group seccomp - -nogroups shell none + # private-bin program -# private-etc none # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device +# private-etc none private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# seccomp.keep 
fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group diff --git a/etc/dillo.profile b/etc/dillo.profile index e11a6f13b..4601be8dc 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile 
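Review bot: The explanation that accompanied the `seccomp.keep` whitelist was dropped outright — the removed lines said it was a whitelist tested on Debian jessie and Kubuntu 17.04, to be uncommented instead of the default seccomp blacklist — and what survives is a bare `# seccomp.keep <list>` at the bottom under `# CLOBBERED COMMENTS` with no hint of what it is for or where it came from. A syscall allow-list without provenance cannot be maintained or re-validated, so I would restore a one-line note above it such as `# seccomp.keep whitelist tested on Debian jessie and Kubuntu 17.04; uncomment to try it instead of the default seccomp blacklist`. The digikam hunk covers the whole file, so nothing elsewhere in it preserves that context.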
@@ -1,16 +1,23 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dillo +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dillo.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Dillo web browser noblacklist ~/.dillo + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.dillo +mkdir ~/.fltk +whitelist ${DOWNLOADS} +whitelist ~/.dillo +whitelist ~/.fltk +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -19,11 +26,3 @@ noroot protocol unix,inet,inet6 seccomp tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.dillo -whitelist ~/.dillo -mkdir ~/.fltk -whitelist ~/.fltk - -include /etc/firejail/whitelist-common.inc diff --git a/etc/dino.profile b/etc/dino.profile index 94563fa1d..0501cd408 100644 --- a/etc/dino.profile +++ b/etc/dino.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dino +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dino.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Dino noblacklist ${HOME}/.local/share/dino include /etc/firejail/disable-common.inc 
@@ -13,13 +12,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -whitelist ${HOME}/Downloads mkdir ${HOME}/.local/share/dino whitelist ${HOME}/.local/share/dino +whitelist ${HOME}/Downloads include /etc/firejail/whitelist-common.inc caps.drop all -#ipc-namespace netfilter no3d nogroups @@ -31,11 +29,11 @@ protocol unix,inet,inet6 seccomp shell none +disable-mnt private-bin dino -#private-etc fonts #breaks server connection private-dev +# private-etc fonts # breaks server connection private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/display.profile b/etc/display.profile index c2c46cba3..ff5d3d2b9 100644 --- a/etc/display.profile +++ b/etc/display.profile @@ -1,20 +1,20 @@ -# Persistent global definitions go here +# Firejail profile for display +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/display.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/display.local -# display (ImageMagick tool) image viewer profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -23,6 +23,6 @@ shell none x11 xorg private-bin display -private-tmp private-dev private-etc none +private-tmp diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index 81199a22d..075b7ea15 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile 
@@ -1,20 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dnscrypt-proxy +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dnscrypt-proxy.local +# Persistent global definitions +include /etc/firejail/globals.local -# security profile for dnscrypt-proxy noblacklist /sbin noblacklist /usr/sbin + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -private -private-dev -nosound no3d +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open + +private +private-dev diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 797f093a1..834805af9 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile 
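Review bot: The `seccomp.drop` context line lists `perf_event_open` twice (after `lookup_dcookie` and again at the very end), and the list as a whole looks like a verbatim copy of firejail's default seccomp blacklist of that era, so a plain `seccomp` would give the same filter while also picking up later additions to the default list. Beyond that, as far as this hunk shows, the profile has no capability bounding, no `nonewprivs`, no `netfilter` and no `protocol` line, unlike the sibling `dnsmasq.profile` rewritten in this same commit. For a resolver daemon I would expect at least `nonewprivs` and `protocol unix,inet,inet6`, plus a `caps.keep net_bind_service,setgid,setuid`-style allow-list if dnscrypt-proxy binds port 53 and drops privileges itself — to be confirmed against how the service is started.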
@@ -1,26 +1,26 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dnsmasq +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dnsmasq.local +# Persistent global definitions +include /etc/firejail/globals.local -# dnsmasq profile noblacklist /sbin noblacklist /usr/sbin + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps netfilter +no3d nonewprivs -private -private-dev nosound -no3d protocol unix,inet,inet6,netlink seccomp disable-mnt +private +private-dev diff --git a/etc/dolphin.profile b/etc/dolphin.profile index aac358d38..5760f6811 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile 
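Review bot: `caps` (context line in the middle of the hunk) only applies firejail's default capability filter, a short blacklist of dangerous capabilities, so the daemon keeps most of the capability set it was started with. dnsmasq's needs are well known, which makes this a good candidate for an allow-list such as `caps.keep net_admin,net_bind_service,net_raw,setgid,setuid` — confirm against the actual deployment (whether it drops to a dnsmasq user, whether DHCP is enabled) before narrowing. The profile also has no `noroot`, which is expected for a daemon started as root but would be clearer with a comment saying so.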
@@ -1,34 +1,33 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dolphin +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dolphin.local +# Persistent global definitions +include /etc/firejail/globals.local -# dolphin profile - -# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 - +noblacklist ${HOME}/.local/share/Trash noblacklist ~/.config/dolphinrc noblacklist ~/.local/share/dolphin -noblacklist ${HOME}/.local/share/Trash include /etc/firejail/disable-common.inc -# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files -#include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +# include /etc/firejail/disable-programs.inc caps.drop all netfilter nogroups nonewprivs noroot -shell none -seccomp protocol unix +seccomp +shell none # private-bin # private-dev -# private-tmp # private-etc +# private-tmp + +# CLOBBERED COMMENTS +# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files +# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 diff --git a/etc/dosbox.profile b/etc/dosbox.profile index ed4e5f345..ff8e26bf9 100644 --- a/etc/dosbox.profile +++ b/etc/dosbox.profile 
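Review bot: The warning that firejail does not effectively constrain dolphin (its services are started by kdeinit5) has been moved from the top of the profile to the bottom under `# CLOBBERED COMMENTS`, where a user skimming the file for what the sandbox actually guarantees will not see it. I would keep it directly under the header: `# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5`. The rationale for the disabled include belongs on the line above it as well: `# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files` followed by `# include /etc/firejail/disable-programs.inc`.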
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dosbox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dosbox.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for dosbox noblacklist ~/.dosbox include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/dragon.profile b/etc/dragon.profile index 47d2c593a..e8d82363b 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dragon +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dragon.local +# Persistent global definitions +include /etc/firejail/globals.local -# dragon player profile noblacklist ~/.config/dragonplayerrc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -19,14 +18,14 @@ nogroups nonewprivs noroot novideo -shell none -seccomp protocol unix,inet,inet6 +seccomp +shell none private-bin dragon private-dev -private-tmp # private-etc +private-tmp noexec ${HOME} noexec /tmp diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 2319b337b..564a4054d 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile 
@@ -1,27 +1,27 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for dropbox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/dropbox.local +# Persistent global definitions +include /etc/firejail/globals.local -# dropbox profile noblacklist ~/.config/autostart noblacklist ~/.dropbox-dist + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -mkdir ~/Dropbox -whitelist ~/Dropbox mkdir ~/.dropbox -whitelist ~/.dropbox mkdir ~/.dropbox-dist -whitelist ~/.dropbox-dist - +mkdir ~/Dropbox mkfile ~/.config/autostart/dropbox.desktop whitelist ~/.config/autostart/dropbox.desktop +whitelist ~/.dropbox +whitelist ~/.dropbox-dist +whitelist ~/Dropbox +include /etc/firejail/whitelist-common.inc caps.drop all netfilter diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile index ba28e3550..1e8e7bb6c 100644 --- a/etc/ebook-viewer.profile +++ b/etc/ebook-viewer.profile @@ -1,10 +1,7 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for calibre +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/ebook-viewer.local -# Firejail profile for ebook-viewer (Calibre) -include /etc/firejail/calibre.profile net none + +include /etc/firejail/calibre.profile diff --git a/etc/electron.profile b/etc/electron.profile index efaecf029..0377ac073 100644 --- a/etc/electron.profile +++ b/etc/electron.profile 
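Review bot: `mkfile ~/.config/autostart/dropbox.desktop` plus `whitelist ~/.config/autostart/dropbox.desktop` (with `noblacklist ~/.config/autostart` above) give the sandboxed client write access to an autostart entry, and whatever `Exec=` that file ends up containing is launched by the desktop session outside this sandbox at the next login. That is evidently intentional so Dropbox can register itself, but it is the one place where the confined process can arrange code to run unconfined, and it deserves a comment right above the `mkfile`, e.g. `# dropbox rewrites its own autostart entry; Exec= in it runs unsandboxed at next login`. If the installer already creates the entry, `read-only ~/.config/autostart/dropbox.desktop` would close that path while keeping the file visible — to be confirmed against how the client maintains it.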
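Review bot: `include /etc/firejail/ebook-viewer.local` was removed together with the old header, so any customizations an administrator already placed in that file silently stop applying after this update, and the new header no longer says where persistent changes go. calibre.profile presumably loads its own `calibre.local` (not visible here), but the alias needs its own hook for ebook-viewer-specific overrides; I would restore `include /etc/firejail/ebook-viewer.local` after `net none` and mention it in the header as the other profiles in this commit do.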
@@ -1,7 +1,14 @@ -# Generic Firejail profile for Electron applications. +# Firejail profile for electron +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/electron.local +# Persistent global definitions +include /etc/firejail/globals.local + + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/elinks.profile b/etc/elinks.profile index 597e43fb8..bd2c090a6 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile @@ -1,19 +1,21 @@ -# Persistent global definitions go here +# Firejail profile for elinks +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/elinks.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/elinks.local +blacklist /tmp/.X11-unix -# elinks profile noblacklist ~/.elinks include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs @@ -22,13 +24,10 @@ nosound novideo protocol unix,inet,inet6 seccomp -netfilter shell none tracelog -blacklist /tmp/.X11-unix - # private-bin elinks -private-tmp private-dev # private-etc none +private-tmp diff --git a/etc/emacs.profile b/etc/emacs.profile index 4f9d27215..db823c029 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile 
@@ -1,23 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for emacs +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/emacs.local +# Persistent global definitions +include /etc/firejail/globals.local -# emacs profile noblacklist ~/.emacs noblacklist ~/.emacs.d include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc - +include /etc/firejail/disable-programs.inc caps.drop all netfilter +nogroups nonewprivs noroot -nogroups protocol unix,inet,inet6 seccomp diff --git a/etc/empathy.profile b/etc/empathy.profile index 415f752bf..5eb8d6868 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -1,19 +1,19 @@ -# Persistent global definitions go here +# Firejail profile for empathy +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/empathy.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/empathy.local -# Empathy instant messaging profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp diff --git a/etc/enchant.profile b/etc/enchant.profile index 554ed5e28..5b0d190fa 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile 
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for enchant +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/enchant.local +# Persistent global definitions +include /etc/firejail/globals.local -# enchant profile noblacklist ~/.config/enchant include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -25,6 +24,6 @@ shell none tracelog # private-bin enchant -# private-tmp # private-dev # private-etc fonts +# private-tmp diff --git a/etc/engrampa.profile b/etc/engrampa.profile index 605643472..b6d8e501f 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile @@ -1,15 +1,15 @@ -# Persistent global definitions go here +# Firejail profile for engrampa +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/engrampa.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/engrampa.local -# engrampa profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -24,6 +24,6 @@ shell none tracelog # private-bin engrampa -# private-tmp private-dev # private-etc fonts +# private-tmp diff --git a/etc/eog.profile b/etc/eog.profile index e272a1935..452bb1a36 100644 --- a/etc/eog.profile +++ b/etc/eog.profile 
@@ -1,23 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for eog +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/eog.local +# Persistent global definitions +include /etc/firejail/globals.local -# eog (gnome image viewer) profile -noblacklist ~/.config/eog noblacklist ~/.Steam -noblacklist ~/.steam +noblacklist ~/.config/eog noblacklist ~/.local/share/Trash +noblacklist ~/.steam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace net none no3d nogroups diff --git a/etc/eom.profile b/etc/eom.profile index 28cb525c1..75a9e6764 100644 --- a/etc/eom.profile +++ b/etc/eom.profile @@ -1,20 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for eom +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/eom.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Eye of Mate (eom) -noblacklist ~/.config/mate/eom noblacklist ~/.Steam -noblacklist ~/.steam +noblacklist ~/.config/mate/eom noblacklist ~/.local/share/Trash +noblacklist ~/.steam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 90e07def9..86fddace0 100644 --- a/etc/epiphany.profile 
+++ b/etc/epiphany.profile @@ -1,26 +1,25 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for epiphany +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/epiphany.local +# Persistent global definitions +include /etc/firejail/globals.local -# Epiphany browser profile +noblacklist ${HOME}/.cache/epiphany noblacklist ${HOME}/.config/epiphany noblacklist ${HOME}/.local/share/epiphany -noblacklist ${HOME}/.cache/epiphany include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -whitelist ${DOWNLOADS} -mkdir ${HOME}/.local/share/epiphany -whitelist ${HOME}/.local/share/epiphany -mkdir ${HOME}/.config/epiphany -whitelist ${HOME}/.config/epiphany mkdir ${HOME}/.cache/epiphany +mkdir ${HOME}/.config/epiphany +mkdir ${HOME}/.local/share/epiphany +whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/epiphany +whitelist ${HOME}/.config/epiphany +whitelist ${HOME}/.local/share/epiphany include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/etr.profile b/etc/etr.profile index d7b747995..6ed9a274d 100644 --- a/etc/etr.profile +++ b/etc/etr.profile 
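Review bot: The include block (the whole file is in this hunk) has `disable-common.inc`, `disable-devel.inc` and `disable-programs.inc` but no `include /etc/firejail/disable-passwdmgr.inc`, which every neighbouring profile in this commit carries (dillo, dino, elinks, evince). The `whitelist` lines plus `whitelist-common.inc` already keep the rest of `$HOME` out of reach, so in practice this is mostly redundant — but it is the defence that remains if someone widens the whitelist from a `.local` file, and the commit's stated goal is to unify the profiles. Unless there is a known reason to leave it out, I would add `include /etc/firejail/disable-passwdmgr.inc` between the devel and programs includes.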
@@ -1,41 +1,34 @@ -# Persistent global definitions go here +# Firejail profile for etr +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/etr.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/etr.local +noblacklist ~/.etr -################################ -# Extreme Tux Racer profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.etr mkdir ~/.etr whitelist ~/.etr include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +net none +nogroups nonewprivs noroot protocol unix,netlink seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -net none -nogroups shell none -#private-bin etr -# private-etc none + +# private-bin etr private-dev +# private-etc none private-tmp -# nosound - - - +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound diff --git a/etc/evince.profile b/etc/evince.profile index 9f1ebbf76..e58cef336 100644 --- a/etc/evince.profile +++ b/etc/evince.profile 
@@ -1,20 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for evince +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/evince.local +# Persistent global definitions +include /etc/firejail/globals.local -# evince pdf reader profile noblacklist ~/.config/evince include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups @@ -30,9 +28,11 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer private-dev private-etc fonts -# evince needs access to /tmp/mozilla* to work in firefox # private-tmp memory-deny-write-execute noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# evince needs access to /tmp/mozilla* to work in firefox diff --git a/etc/evolution.profile b/etc/evolution.profile index ee8e02e8f..d41ef965a 100644 --- a/etc/evolution.profile +++ b/etc/evolution.profile 
@@ -1,29 +1,26 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for evolution +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/evolution.local +# Persistent global definitions +include /etc/firejail/globals.local -# evolution profile +noblacklist /var/mail +noblacklist /var/spool/mail +noblacklist ~/.bogofilter +noblacklist ~/.cache/evolution noblacklist ~/.config/evolution +noblacklist ~/.gnupg noblacklist ~/.local/share/evolution -noblacklist ~/.cache/evolution noblacklist ~/.pki noblacklist ~/.pki/nssdb -noblacklist ~/.gnupg -noblacklist ~/.bogofilter - -noblacklist /var/spool/mail -noblacklist /var/mail include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups diff --git a/etc/exiftool.profile b/etc/exiftool.profile index e69a6206e..3637fc989 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile 
@@ -1,36 +1,35 @@ +# Firejail profile for exiftool +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/exiftool.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/exiftool.local +blacklist /tmp/.X11-unix -# exiftool profile noblacklist /usr/bin/perl -noblacklist /usr/share/perl* noblacklist /usr/lib/perl* +noblacklist /usr/share/perl* include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none +no3d nogroups nonewprivs noroot nosound protocol unix seccomp -no3d shell none tracelog -blacklist /tmp/.X11-unix - # private-bin exiftool,perl -private-tmp private-dev private-etc none +private-tmp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 41edbb50b..663ee3bbb 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for fbreader +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/fbreader.local +# Persistent global definitions +include /etc/firejail/globals.local -# fbreader ebook reader profile noblacklist ${HOME}/.FBReader include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter 
@@ -20,8 +19,8 @@ noroot nosound protocol unix,inet,inet6 seccomp - shell none + private-bin fbreader,FBReader private-dev private-tmp diff --git a/etc/feh.profile b/etc/feh.profile index 8f40a0c3e..1e0d7acc7 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -1,15 +1,15 @@ -# Persistent global definitions go here +# Firejail profile for feh +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/feh.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/feh.local -# feh image viewer profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 15d8d36c6..173bb344f 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile @@ -1,18 +1,17 @@ -# Persistent global definitions go here +# Firejail profile for file-roller +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/file-roller.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/file-roller.local -# file-roller profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace net none no3d nogroups 
@@ -26,9 +25,9 @@ shell none tracelog # private-bin file-roller -# private-tmp private-dev # private-etc fonts +# private-tmp memory-deny-write-execute noexec ${HOME} diff --git a/etc/file.profile b/etc/file.profile index 51e35007f..6e8280c3b 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -1,15 +1,16 @@ +# Firejail profile for file +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/file.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/file.local +blacklist /tmp/.X11-unix -# file profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all hostname file @@ -17,7 +18,6 @@ net none no3d nogroups nonewprivs -#noroot nosound protocol unix seccomp @@ -25,8 +25,9 @@ shell none tracelog x11 none -blacklist /tmp/.X11-unix - -private-dev private-bin file +private-dev private-etc magic.mgc,magic,localtime + +# CLOBBERED COMMENTS +# noroot diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 3cc6fd601..c349a9e94 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile 
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for filezilla +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/filezilla.local +# Persistent global definitions +include /etc/firejail/globals.local -# FileZilla ftp profile -noblacklist ${HOME}/.filezilla noblacklist ${HOME}/.config/filezilla +noblacklist ${HOME}/.filezilla include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/firefox-esr.profile b/etc/firefox-esr.profile index 33d4a87ad..f3400b1e1 100644 --- a/etc/firefox-esr.profile +++ b/etc/firefox-esr.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here +# Firejail profile for firefox-esr +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/firefox-esr.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/firefox-esr.local -# Firejail profile for Mozilla Firefox ESR include /etc/firejail/firefox.profile diff --git a/etc/firefox.profile b/etc/firefox.profile index aff6e8334..8d48a4704 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile 
@@ -1,77 +1,73 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for firefox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/firefox.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Mozilla Firefox (Iceweasel in Debian) -noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.config/okularpartrc +noblacklist ~/.config/okularrc noblacklist ~/.config/qpdfview -noblacklist ~/.local/share/qpdfview -noblacklist ~/.kde4/share/apps/okular noblacklist ~/.kde/share/apps/okular +noblacklist ~/.kde4/share/apps/okular noblacklist ~/.local/share/okular -noblacklist ~/.config/okularpartrc -noblacklist ~/.config/okularrc +noblacklist ~/.local/share/qpdfview +noblacklist ~/.mozilla noblacklist ~/.pki include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -caps.drop all -# ipc-namespace crashes firefox on some setups -netfilter -nogroups -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -shell none -tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.mozilla -whitelist ~/.mozilla mkdir ~/.cache/mozilla/firefox +mkdir ~/.mozilla +mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.cache/mozilla/firefox -whitelist ~/dwhelper -whitelist ~/.zotero -whitelist ~/.vimperatorrc -whitelist ~/.vimperator -whitelist ~/.pentadactylrc -whitelist ~/.pentadactyl -whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer -whitelist ~/.cache/gnome-mplayer/plugin -mkdir ~/.pki -whitelist ~/.pki -whitelist ~/.lastpass -whitelist ~/.config/qpdfview -whitelist ~/.local/share/qpdfview -whitelist ~/.config/okularrc whitelist ~/.config/okularpartrc -whitelist 
~/.kde4/share/apps/okular +whitelist ~/.config/okularrc +whitelist ~/.config/pipelight-silverlight5.1 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/qpdfview whitelist ~/.kde/share/apps/okular +whitelist ~/.kde4/share/apps/okular +whitelist ~/.keysnail.js +whitelist ~/.lastpass whitelist ~/.local/share/okular - -# silverlight +whitelist ~/.local/share/qpdfview +whitelist ~/.mozilla +whitelist ~/.pentadactyl +whitelist ~/.pentadactylrc +whitelist ~/.pki +whitelist ~/.vimperator +whitelist ~/.vimperatorrc whitelist ~/.wine-pipelight whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine -whitelist ~/.config/pipelight-silverlight5.1 - +whitelist ~/.zotero +whitelist ~/dwhelper include /etc/firejail/whitelist-common.inc -# experimental features -#private-bin firefox,which,sh,dbus-launch,dbus-send,env -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse -# private-dev might prevent video calls going out +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +# private-bin firefox,which,sh,dbus-launch,dbus-send,env private-dev +# private-dev might prevent video calls going out +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse private-tmp -#disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# disable-mnt diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index b9bf493b6..b3aa80f85 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile 
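Review bot: The removed line `# ipc-namespace crashes firefox on some setups` documented why this profile deliberately omits ipc-namespace, but unlike the other dropped comments it is not carried into the `# CLOBBERED COMMENTS` block, so the next maintainer who adds ipc-namespace for hardening gets no warning. Keep it, e.g. `# ipc-namespace crashes firefox on some setups` on the line above `caps.drop all`. Also, `private-dev` now precedes its own caveat `# private-dev might prevent video calls going out`; a comment that explains a directive reads better on the line above it, as the rest of the file does.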
@@ -1,26 +1,26 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for flashpeak-slimjet +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/flashpeak-slimjet.local +# Persistent global definitions +include /etc/firejail/globals.local -# SlimJet browser profile -# This is a whitelisted profile, the internal browser sandbox -# is disabled because it requires sudo password. The command -# to run it is as follows: -# -# firejail flashpeak-slimjet --no-sandbox -# -noblacklist ~/.config/slimjet noblacklist ~/.cache/slimjet +noblacklist ~/.config/slimjet noblacklist ~/.pki + include /etc/firejail/disable-common.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc -# chromium is distributed with a perl script on Arch -# include /etc/firejail/disable-devel.inc -# +mkdir ~/.cache/slimjet +mkdir ~/.config/slimjet +mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/slimjet +whitelist ~/.config/slimjet +whitelist ~/.pki +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -29,12 +29,8 @@ noroot protocol unix,inet,inet6,netlink seccomp -whitelist ${DOWNLOADS} -mkdir ~/.config/slimjet -whitelist ~/.config/slimjet -mkdir ~/.cache/slimjet -whitelist ~/.cache/slimjet -mkdir ~/.pki -whitelist ~/.pki - -include /etc/firejail/whitelist-common.inc +# CLOBBERED COMMENTS +# firejail flashpeak-slimjet --no-sandbox +# chromium is distributed with a perl script on Arch +# is disabled because it requires sudo password. The command +# to run it is as follows: diff --git a/etc/flowblade.profile b/etc/flowblade.profile index f8d45424f..b5cc8160b 100644 --- a/etc/flowblade.profile +++ b/etc/flowblade.profile 
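Review bot: The `# CLOBBERED COMMENTS` block at the end of the hunk scrambles the original explanation: the sentence fragments are out of order and the lead-in "This is a whitelisted profile, the internal browser sandbox" is dropped, so a reader can no longer tell what `--no-sandbox` refers to or why it is required. Since this records that the browser's own sandbox is turned off and Firejail is the only remaining isolation layer, it deserves a coherent note, e.g. `# The browser's internal sandbox is disabled because it requires a sudo password; run: firejail flashpeak-slimjet --no-sandbox`. Likewise `# chromium is distributed with a perl script on Arch` explained the commented `# include /etc/firejail/disable-devel.inc` and should stay next to that line rather than in the trailer.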
@@ -1,18 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for flowblade +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/flowblade.local +# Persistent global definitions +include /etc/firejail/globals.local -# FlowBlade profile -noblacklist ${HOME}/.flowblade noblacklist ${HOME}/.config/flowblade +noblacklist ${HOME}/.flowblade include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/fontforge.profile b/etc/fontforge.profile index e8e3df62b..4b43602b8 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile @@ -1,16 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for fontforge +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/fontforge.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.FontForge include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/fossamail.profile b/etc/fossamail.profile index 43968cf7a..d49027917 100644 --- a/etc/fossamail.profile +++ b/etc/fossamail.profile 
@@ -1,22 +1,20 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for fossamail +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/fossamail.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for FossaMail - -noblacklist ~/.gnupg -mkdir ~/.gnupg -whitelist ~/.gnupg - +noblacklist ~/.cache/fossamail noblacklist ~/.fossamail -mkdir ~/.fossamail -whitelist ~/.fossamail +noblacklist ~/.gnupg -noblacklist ~/.cache/fossamail mkdir ~/.cache/fossamail +mkdir ~/.fossamail +mkdir ~/.gnupg whitelist ~/.cache/fossamail +whitelist ~/.fossamail +whitelist ~/.gnupg +include /etc/firejail/whitelist-common.inc include /etc/firejail/firefox.profile diff --git a/etc/franz.profile b/etc/franz.profile index c5e019947..486326fe0 100644 --- a/etc/franz.profile +++ b/etc/franz.profile 
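Review bot: The added `include /etc/firejail/whitelist-common.inc` is immediately followed by `include /etc/firejail/firefox.profile`, and firefox.profile already includes whitelist-common.inc (see its hunk in this commit), so the file is processed twice. Repeated whitelist directives are presumably harmless, but the extra include adds nothing and diverges from the layout the commit is unifying; drop the added line, or add a one-line comment stating why it must run before the firefox include.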
@@ -1,30 +1,28 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for franz +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/franz.local +# Persistent global definitions +include /etc/firejail/globals.local -# Franz profile -noblacklist ~/.config/Franz noblacklist ~/.cache/Franz +noblacklist ~/.config/Franz noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -whitelist ${DOWNLOADS} -mkdir ~/.config/Franz -whitelist ~/.config/Franz mkdir ~/.cache/Franz -whitelist ~/.cache/Franz +mkdir ~/.config/Franz mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/Franz +whitelist ~/.config/Franz whitelist ~/.pki - include /etc/firejail/whitelist-common.inc caps.drop all -#ipc-namespace netfilter nogroups nonewprivs @@ -32,11 +30,13 @@ noroot protocol unix,inet,inet6,netlink seccomp shell none -#tracelog +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# tracelog diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 52f8e5b3e..dc8ad3e08 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile 
@@ -1,38 +1,34 @@ -# Persistent global definitions go here +# Firejail profile for frozen-bubble +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/frozen-bubble.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/frozen-bubble.local +noblacklist ~/.frozen-bubble -################################ -# Frozen Bubble profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.frozen-bubble mkdir ~/.frozen-bubble whitelist ~/.frozen-bubble include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +net none +nogroups nonewprivs noroot protocol unix,netlink seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -net none -nogroups shell none -#private-bin frozen-bubble -# private-etc none + +# private-bin frozen-bubble private-dev +# private-etc none private-tmp -# nosound +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound diff --git a/etc/gajim.profile b/etc/gajim.profile index a3deb2c73..d8ca7424c 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile 
@@ -1,34 +1,30 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gajim +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gajim.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Gajim -noblacklist ${HOME}/.local/share/gajim -noblacklist ${HOME}/.config/gajim noblacklist ${HOME}/.cache/gajim +noblacklist ${HOME}/.config/gajim +noblacklist ${HOME}/.local/share/gajim + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/gajim -mkdir ${HOME}/.local/share/gajim mkdir ${HOME}/.config/gajim -mkdir ${HOME}/Downloads - -# Allow the local python 2.7 site packages, in case any plugins are using these mkdir ${HOME}/.local/lib/python2.7/site-packages/ -whitelist ${HOME}/.local/lib/python2.7/site-packages/ -read-only ${HOME}/.local/lib/python2.7/site-packages/ - +mkdir ${HOME}/.local/share/gajim +mkdir ${HOME}/Downloads whitelist ${HOME}/.cache/gajim -whitelist ${HOME}/.local/share/gajim whitelist ${HOME}/.config/gajim +whitelist ${HOME}/.local/lib/python2.7/site-packages/ +whitelist ${HOME}/.local/share/gajim whitelist ${HOME}/Downloads - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc +include /etc/firejail/whitelist-common.inc caps.drop all netfilter 
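Review bot: `mkdir ${HOME}/Downloads` and `whitelist ${HOME}/Downloads` hard-code the download directory, while the other whitelisted profiles in this commit (firefox, flashpeak-slimjet, franz) use `whitelist ${DOWNLOADS}`; a unification commit should bring gajim in line, e.g. `whitelist ${DOWNLOADS}` in place of the two literal-path lines. With the literal path, a user whose download directory is elsewhere presumably gets an empty `~/Downloads` created while the real folder stays invisible inside the sandbox. Note also that the `read-only ${HOME}/.local/lib/python2.7/site-packages/` line that qualifies the site-packages `mkdir`/`whitelist` pair here is moved to the second hunk, far from the lines it belongs with.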
@@ -39,8 +35,12 @@ protocol unix,inet,inet6 seccomp shell none -#private-bin python2.7 gajim -#private-etc fonts -private-dev -#private-tmp disable-mnt +# private-bin python2.7 gajim +private-dev +# private-etc fonts +# private-tmp +read-only ${HOME}/.local/lib/python2.7/site-packages/ + +# CLOBBERED COMMENTS +# Allow the local python 2.7 site packages, in case any plugins are using these diff --git a/etc/galculator.profile b/etc/galculator.profile index 897946e7a..48ecccd59 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile @@ -1,20 +1,20 @@ -# Persistent global definitions go here +# Firejail profile for galculator +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/galculator.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/firejail.local - -# Firejail profile for XYZ noblacklist ~/.config/galculator include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc mkdir ~/.config/galculator whitelist ~/.config/galculator +include /etc/firejail/whitelist-common.inc caps.drop all net none diff --git a/etc/geany.profile b/etc/geany.profile index 083e9423f..9ec334fc0 100644 --- a/etc/geany.profile +++ b/etc/geany.profile 
@@ -1,14 +1,15 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for geany +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/geany.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/geany + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/geary.profile b/etc/geary.profile index f655f0efe..5833e51cf 100644 --- a/etc/geary.profile +++ b/etc/geary.profile 
@@ -1,28 +1,29 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for geary +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/geary.local - -# Firejail profile for Gnome Geary -# Users have Geary set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.gnupg -mkdir ~/.gnupg -whitelist ~/.gnupg - noblacklist ~/.local/share/geary + +mkdir ~/.gnupg mkdir ~/.local/share/geary +whitelist ~/.config/mimeapps.list +whitelist ~/.gnupg +whitelist ~/.local/share/applications whitelist ~/.local/share/geary +include /etc/firejail/whitelist-common.inc + +ignore private-tmp -whitelist ~/.config/mimeapps.list read-only ~/.config/mimeapps.list -whitelist ~/.local/share/applications read-only ~/.local/share/applications -# allow browsers -ignore private-tmp include /etc/firejail/firefox.profile -#include /etc/firejail/chromium.profile - chromium runs as suid! + +# CLOBBERED COMMENTS +# Users have Geary set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories +# allow browsers diff --git a/etc/gedit.profile b/etc/gedit.profile index 3e78d939e..2fd7f20fe 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile 
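Review bot: The removed `#include /etc/firejail/chromium.profile - chromium runs as suid!` is the one deleted comment this hunk does not carry into `# CLOBBERED COMMENTS`, and it is the only record of why the "allow browsers" case includes firefox.profile rather than chromium.profile. Keep it on the line above `include /etc/firejail/firefox.profile`, e.g. `# include /etc/firejail/chromium.profile - chromium runs as suid!`. The trailer also detaches `# allow browsers` from the firefox include it described; a comment explaining a directive is more useful on the line above it.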
@@ -1,23 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gedit +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gedit.local - -# gedit profile - -# when gedit is started via gnome-shell, firejail is not applied because systemd will start it +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.config/gedit include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace net none no3d nogroups @@ -36,3 +31,6 @@ private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# when gedit is started via gnome-shell, firejail is not applied because systemd will start it diff --git a/etc/geeqie.profile b/etc/geeqie.profile index 194b76674..9434d49b8 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile 
@@ -1,30 +1,31 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for geeqie +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/geeqie.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Geeqie +noblacklist ~/.cache/geeqie noblacklist ~/.config/geeqie noblacklist ~/.local/share/geeqie -noblacklist ~/.cache/geeqie + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups nonewprivs noroot +nosound protocol unix seccomp -nosound +shell none +# private-bin geeqie private-dev +# private-etc X11 -#Experimental: -shell none -#private-bin geeqie -#private-etc X11 +# CLOBBERED COMMENTS +# Experimental: diff --git a/etc/ghb.profile b/etc/ghb.profile index 2068c3136..80291223c 100644 --- a/etc/ghb.profile +++ b/etc/ghb.profile @@ -1,9 +1,8 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for handbrake +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/ghb.local -# HandBrake include /etc/firejail/handbrake.profile + +# CLOBBERED COMMENTS +# HandBrake diff --git a/etc/gimp-2.8.profile b/etc/gimp-2.8.profile index ce6cee7a5..5228078d9 100644 --- a/etc/gimp-2.8.profile +++ b/etc/gimp-2.8.profile 
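Review bot: The ghb.profile alias hunk drops `include /etc/firejail/ghb.local` without a replacement, and the gimp-2.8.profile hunk in the next section does the same with `include /etc/firejail/gimp-2.8.local`; any customizations a user kept in those files silently stop being applied after the update. If the intent is that alias names share the target's `.local` file, say so in the header, e.g. `# Persistent local customizations go in handbrake.local`, or keep the original include line. This is a behavior change that is easy to miss in a commit that otherwise only reorders lines.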
@@ -1,8 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for gimp +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/gimp-2.8.local include /etc/firejail/gimp.profile diff --git a/etc/gimp.profile b/etc/gimp.profile index 0fe462912..e63d10d35 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -1,15 +1,15 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gimp +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gimp.local +# Persistent global definitions +include /etc/firejail/globals.local -# gimp noblacklist ${HOME}/.gimp* + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none @@ -21,11 +21,13 @@ protocol unix seccomp shell none -# gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory -# if you are not using external plugins, you can enable noexec statement below -# noexec ${HOME} +private-dev +private-tmp noexec /tmp -private-dev -private-tmp +# CLOBBERED COMMENTS +# gimp +# gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory +# if you are not using external plugins, you can enable noexec statement below +# noexec ${HOME} diff --git a/etc/git.profile b/etc/git.profile index 5fa3ef95e..a565f3b5a 100644 --- a/etc/git.profile +++ b/etc/git.profile 
@@ -1,35 +1,34 @@ +# Firejail profile for git +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/git.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/git.local +blacklist /tmp/.X11-unix -# git profile -noblacklist ~/.gitconfig -noblacklist ~/.ssh -noblacklist ~/.gnupg noblacklist ~/.emacs noblacklist ~/.emacs.d -noblacklist ~/.viminfo +noblacklist ~/.gitconfig +noblacklist ~/.gnupg +noblacklist ~/.ssh noblacklist ~/.vim +noblacklist ~/.viminfo include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d nogroups nonewprivs noroot nosound -no3d protocol unix,inet,inet6 seccomp shell none -blacklist /tmp/.X11-unix - private-dev diff --git a/etc/gitg.profile b/etc/gitg.profile index 427cbe92c..a66ef1f92 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile @@ -1,14 +1,13 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gitg +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gitg.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for gitg noblacklist ${HOME}/.gitconfig -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.local/share/gitg +noblacklist ${HOME}/.ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/gitter.profile b/etc/gitter.profile index d85b4f660..1864044d8 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile 
@@ -1,16 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gitter +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gitter.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Gitter noblacklist ~/.config/Gitter + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc caps.drop all netfilter diff --git a/etc/gjs.profile b/etc/gjs.profile index f1def3f16..443dccfea 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile 
@@ -1,35 +1,34 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gjs +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gjs.local +# Persistent global definitions +include /etc/firejail/globals.local -# gjs (gnome javascript bindings) profile - -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them - +noblacklist ~/.cache/libgweather +noblacklist ~/.cache/org.gnome.Books noblacklist ~/.config/libreoffice noblacklist ~/.local/share/gnome-photos -noblacklist ~/.cache/org.gnome.Books -noblacklist ~/.cache/libgweather include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp -netfilter shell none tracelog # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather -private-tmp private-dev # private-etc fonts +private-tmp + +# CLOBBERED COMMENTS +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/globaltime.profile b/etc/globaltime.profile index b9b2c008d..726619f26 100644 --- a/etc/globaltime.profile +++ b/etc/globaltime.profile 
@@ -1,15 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for globaltime +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/globaltime.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/globaltime + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -23,9 +24,9 @@ protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index 5e0dfc2a1..480c6a35f 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile 
@@ -1,42 +1,36 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for gnome-2048 +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/gnome-2048.local +# Persistent global definitions +include /etc/firejail/globals.local -# -#Profile for gnome-2048 -# - -#No Blacklist Paths noblacklist ${HOME}/.local/share/gnome-2048 -#Blacklist Paths include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -#Whitelist Paths mkdir ${HOME}/.local/share/gnome-2048 whitelist ${HOME}/.local/share/gnome-2048 include /etc/firejail/whitelist-common.inc -#Options caps.drop all netfilter no3d nonewprivs noroot -#nosound novideo protocol unix,inet,inet6 seccomp +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# nosound diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index e36294930..e934b48a5 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile 
@@ -1,19 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-books
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-books.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# gnome-books profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 noblacklist ~/.cache/org.gnome.Books
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -29,9 +26,12 @@ shell none
 tracelog
 # private-bin gjs gnome-books
-private-tmp
 private-dev
-#private-etc fonts
+# private-etc fonts
+private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 40328e5c3..2e949271b 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -1,26 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-calculator
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-calculator.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-#
-#Profile for gnome-calculator
-#
-#Blacklist Paths
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
-
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
-#Options
 caps.drop all
 netfilter
-#net none
 no3d
 nogroups
 nonewprivs
@@ -30,13 +23,16 @@ protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private
 private-bin gnome-calculator
 private-dev
-#private-etc fonts
+# private-etc fonts
 private-tmp
-disable-mnt
 memory-deny-write-execute
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# net none
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index 8c098d592..8fd6a2eca 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-chess
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-chess.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for gnome-chess
 noblacklist ~/.local/share/gnome-chess
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 no3d
@@ -25,11 +24,11 @@ seccomp
 shell none
 tracelog
+disable-mnt
 private-bin fairymax,gnome-chess,hoichess
 private-dev
 private-etc fonts,gnome-chess
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 129bd6e71..e20cbd9fe 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -1,17 +1,18 @@
-# Persistent global definitions go here
+# Firejail profile for gnome-clocks
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-clocks.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gnome-clocks.local
-# gnome-clocks profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
 no3d
 nogroups
 nonewprivs
@@ -19,15 +20,14 @@ noroot
 novideo
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 tracelog
+disable-mnt
 # private-bin gnome-clocks
-private-tmp
 private-dev
 # private-etc fonts
-disable-mnt
+private-tmp
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 9164f6360..1be74bfd3 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -1,23 +1,17 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-contacts
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-contacts.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-#
-#Profile for gnome-contacts
-#
-#Blacklist Paths
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
-
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
-#Options
 caps.drop all
 netfilter
 no3d
@@ -28,9 +22,9 @@ novideo
 protocol unix,inet,inet6
 seccomp
+disable-mnt
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 2d70bf7ef..2c77c32ae 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -1,20 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-documents
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-documents.local
-
-# gnome-documents profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ~/.config/libreoffice
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -29,8 +25,11 @@ seccomp
 shell none
 tracelog
-private-tmp
 private-dev
+private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index 605dafc62..f122f066a 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
+# Firejail profile for gnome-font-viewer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-font-viewer.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gnome-font-viewer.local
-#Blacklist Paths
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-#Options
 caps.drop all
 netfilter
 no3d
@@ -22,9 +21,9 @@ novideo
 protocol unix,inet,inet6
 seccomp
+disable-mnt
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 8c7310fa9..79ea783a6 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -1,20 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-maps
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-maps.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# gnome-maps profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 noblacklist ${HOME}/.cache/champlain
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
@@ -22,15 +21,17 @@ nosound
 novideo
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 tracelog
+disable-mnt
 # private-bin gjs gnome-maps
-private-tmp
 private-dev
 # private-etc fonts
-disable-mnt
+private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index 51b3279f3..d63cc4500 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -1,15 +1,15 @@
-# Persistent global definitions go here
+# Firejail profile for gnome-mplayer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-mplayer.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gnome-mplayer.local
-# GNOME MPlayer profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
@@ -23,6 +23,5 @@ shell none
 private-dev
 private-tmp
-
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 8b569e563..9d7b878cd 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-music
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-music.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# gnome-music profile
 noblacklist ~/.local/share/gnome-music
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -26,10 +25,9 @@ shell none
 tracelog
 # private-bin gnome-music,python3
-private-tmp
 private-dev
 # private-etc fonts
-
+private-tmp
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index ed9dc0a03..bb13672f4 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -1,20 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-photos
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-photos.local
-
-# gnome-photos profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ~/.local/share/gnome-photos
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -28,9 +24,12 @@ shell none
 tracelog
 # private-bin gjs gnome-photos
-private-tmp
 private-dev
 # private-etc fonts
+private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile
index 7c215df5d..9ef09a87b 100644
--- a/etc/gnome-twitch.profile
+++ b/etc/gnome-twitch.profile
@@ -1,11 +1,10 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-twitch
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-twitch.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for Gnome Twitch
 noblacklist ${HOME}/.cache/gnome-twitch
 noblacklist ${HOME}/.local/share/gnome-twitch
@@ -15,8 +14,8 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/gnome-twitch
-whitelist ${HOME}/.cache/gnome-twitch
 mkdir ${HOME}/.local/share/gnome-twitch
+whitelist ${HOME}/.cache/gnome-twitch
 whitelist ${HOME}/.local/share/gnome-twitch
 include /etc/firejail/whitelist-common.inc
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 815fba7ca..77538ad6e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -1,21 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gnome-weather
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gnome-weather.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# gnome-weather profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
 noblacklist ~/.cache/libgweather
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
 no3d
 nogroups
 nonewprivs
@@ -24,15 +22,17 @@ nosound
 novideo
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 tracelog
+disable-mnt
 # private-bin gjs gnome-weather
-private-tmp
 private-dev
 # private-etc fonts
-disable-mnt
+private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 129d17ae7..45715f9ce 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -1,15 +1,15 @@
-# Persistent global definitions go here
+# Firejail profile for goobox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/goobox.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/goobox.local
-# goobox profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -22,6 +22,6 @@ shell none
 tracelog
 # private-bin goobox
-# private-tmp
 # private-dev
 # private-etc fonts
+# private-tmp
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile
index 22a2e8f88..53220997a 100644
--- a/etc/google-chrome-beta.profile
+++ b/etc/google-chrome-beta.profile
@@ -1,39 +1,38 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for google-chrome-beta
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/google-chrome-beta.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Google Chrome beta browser profile
-noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.cache/google-chrome-beta
+noblacklist ~/.config/google-chrome-beta
 noblacklist ~/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
-#
+include /etc/firejail/disable-programs.inc
-whitelist ${DOWNLOADS}
-mkdir ~/.config/google-chrome-beta
-whitelist ~/.config/google-chrome-beta
 mkdir ~/.cache/google-chrome-beta
-whitelist ~/.cache/google-chrome-beta
+mkdir ~/.config/google-chrome-beta
 mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/google-chrome-beta
+whitelist ~/.config/google-chrome-beta
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 caps.keep sys_chroot,sys_admin
-#ipc-namespace
 netfilter
 nogroups
 shell none
 private-dev
-#private-tmp - problems with multiple browser sessions
-#disable-mnt
+# private-tmp - problems with multiple browser sessions
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# chromium is distributed with a perl script on Arch
+# disable-mnt
diff --git a/etc/google-chrome-stable.profile b/etc/google-chrome-stable.profile
index 776cc06e0..df4bd001f 100644
--- a/etc/google-chrome-stable.profile
+++ b/etc/google-chrome-stable.profile
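Review bot: `-#ipc-namespace` is removed from google-chrome-beta without being carried into the new footer, unlike `# disable-mnt`, so the record that ipc-namespace was tried and left off is lost; the google-chrome-unstable, google-chrome and google-play-music-desktop-player hunks drop it the same way. In the same hunk `# chromium is distributed with a perl script on Arch` was the reason `# include /etc/firejail/disable-devel.inc` is commented out, and moving it to the footer leaves the commented include unexplained, which is exactly the kind of line a later cleanup re-enables by mistake. Suggest keeping `# chromium is distributed with a perl script on Arch` directly above `# include /etc/firejail/disable-devel.inc`, and retaining `# ipc-namespace` beside `caps.keep sys_chroot,sys_admin` (or in the footer) in all four profiles.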
@@ -1,9 +1,5 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for google-chrome
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/google-chrome-stable.local
-# Google Chrome browser profile
 include /etc/firejail/google-chrome.profile
diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile
index 0675d7b49..6f4ec9101 100644
--- a/etc/google-chrome-unstable.profile
+++ b/etc/google-chrome-unstable.profile
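Review bot: Reducing google-chrome-stable.profile to `include /etc/firejail/google-chrome.profile` drops `include /etc/firejail/google-chrome-stable.local`, so an existing /etc/firejail/google-chrome-stable.local silently stops being read (only google-chrome.local is, through the aliased profile), and nothing in the new header tells an administrator where customizations now belong. The gtar and handbrake-gtk hunks convert their profiles to aliases the same way; gtar additionally loses its `quiet` line, which changes startup output unless tar.profile sets it itself. Suggest a header line in each alias naming the file that is still honoured, e.g. `# Persistent local customizations go in /etc/firejail/google-chrome.local`, and mentioning the dropped .local includes in the commit message.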
@@ -1,39 +1,38 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for google-chrome-unstable
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/google-chrome-unstable.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Google Chrome unstable browser profile
-noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.cache/google-chrome-unstable
+noblacklist ~/.config/google-chrome-unstable
 noblacklist ~/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
-#
+include /etc/firejail/disable-programs.inc
-whitelist ${DOWNLOADS}
-mkdir ~/.config/google-chrome-unstable
-whitelist ~/.config/google-chrome-unstable
 mkdir ~/.cache/google-chrome-unstable
-whitelist ~/.cache/google-chrome-unstable
+mkdir ~/.config/google-chrome-unstable
 mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/google-chrome-unstable
+whitelist ~/.config/google-chrome-unstable
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 caps.keep sys_chroot,sys_admin
-#ipc-namespace
 netfilter
 nogroups
 shell none
 private-dev
-#private-tmp - problems with multiple browser sessions
-#disable-mnt
+# private-tmp - problems with multiple browser sessions
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# chromium is distributed with a perl script on Arch
+# disable-mnt
diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile
index e6fceadec..84fdcdd21 100644
--- a/etc/google-chrome.profile
+++ b/etc/google-chrome.profile
@@ -1,39 +1,38 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for google-chrome
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/google-chrome.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Google Chrome browser profile
-noblacklist ~/.config/google-chrome
 noblacklist ~/.cache/google-chrome
+noblacklist ~/.config/google-chrome
 noblacklist ~/.pki
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-# chromium is distributed with a perl script on Arch
+include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
-#
+include /etc/firejail/disable-programs.inc
-whitelist ${DOWNLOADS}
-mkdir ~/.config/google-chrome
-whitelist ~/.config/google-chrome
 mkdir ~/.cache/google-chrome
-whitelist ~/.cache/google-chrome
+mkdir ~/.config/google-chrome
 mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/google-chrome
+whitelist ~/.config/google-chrome
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
 caps.keep sys_chroot,sys_admin
-#ipc-namespace
 netfilter
 nogroups
 shell none
 private-dev
-#private-tmp - problems with multiple browser sessions
-#disable-mnt
+# private-tmp - problems with multiple browser sessions
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# chromium is distributed with a perl script on Arch
+# disable-mnt
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index c373cc34c..e326c8083 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -1,24 +1,21 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for google-play-music-desktop-player
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/google-play-music-desktop-player.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Google Play Music desktop player profile
 noblacklist ~/.config/Google Play Music Desktop Player
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-#whitelist ~/.pulse
-#whitelist ~/.config/pulse
 whitelist ~/.config/Google Play Music Desktop Player
+include /etc/firejail/whitelist-common.inc
 caps.drop all
-#ipc-namespace
 netfilter
 no3d
 nogroups
@@ -29,9 +26,13 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
+disable-mnt
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# whitelist ~/.config/pulse
+# whitelist ~/.pulse
diff --git a/etc/gpa.profile b/etc/gpa.profile
index 9230c8b3a..9ffb3abd3 100644
--- a/etc/gpa.profile
+++ b/etc/gpa.profile
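Review bot: `+include /etc/firejail/whitelist-common.inc` is a behavioural change inside what is otherwise a header and ordering rewrite: the profile already had `whitelist ~/.config/Google Play Music Desktop Player`, so whitelist mode was active and this line now adds whatever that .inc whitelists to the visible home directory, which can either fix a broken app or widen what it can read. The gpredict hunk receives the same addition. Neither the commit title "Unify all profiles" nor a comment on the line says why, so suggest either splitting these two additions into their own commit or adding a one-line reason next to the include, e.g. `# needed for <reason>, see <issue placeholder>`.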
@@ -1,26 +1,25 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gpa
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gpa.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# gpa profile
 noblacklist ~/.gnupg
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 7c1a05c6f..0592bd113 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,31 +1,30 @@
-# Persistent global definitions go here
+# Firejail profile for gpg-agent
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gpg-agent.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gpg-agent.local
+blacklist /tmp/.X11-unix
-# gpg-agent profile
 noblacklist ~/.gnupg
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
-no3d
 shell none
 tracelog
-blacklist /tmp/.X11-unix
-
 # private-bin gpg-agent,gpg
 private-dev
diff --git a/etc/gpg.profile b/etc/gpg.profile
index 9ecc0a753..2d745b435 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -1,31 +1,30 @@
-# Persistent global definitions go here
+# Firejail profile for gpg
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gpg.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gpg.local
+blacklist /tmp/.X11-unix
-# gpg profile
 noblacklist ~/.gnupg
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-netfilter
-no3d
 shell none
 tracelog
-blacklist /tmp/.X11-unix
-
 # private-bin gpg,gpg-agent
 private-dev
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index f457f0590..f9c56b7ad 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gpicview
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gpicview.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for GPicView
 noblacklist ~/.config/gpicview
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
diff --git a/etc/gpredict.profile b/etc/gpredict.profile
index 0abf60314..475f3deef 100644
--- a/etc/gpredict.profile
+++ b/etc/gpredict.profile
@@ -1,19 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gpredict
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gpredict.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for gpredict.
 noblacklist ~/.config/Gpredict
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-# Whitelist
 whitelist ~/.config/Gpredict
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
@@ -26,10 +26,10 @@ seccomp
 shell none
 tracelog
-noexec ${HOME}
-noexec /tmp
-
 private-bin gpredict
-private-etc fonts,resolv.conf
 private-dev
+private-etc fonts,resolv.conf
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gtar.profile b/etc/gtar.profile
index 9a4325082..9d28393bf 100644
--- a/etc/gtar.profile
+++ b/etc/gtar.profile
@@ -1,10 +1,5 @@
-quiet
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for tar
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gtar.local
-# gtar profile
 include /etc/firejail/tar.profile
diff --git a/etc/gthumb.profile b/etc/gthumb.profile
index 75d341d99..2e1503970 100644
--- a/etc/gthumb.profile
+++ b/etc/gthumb.profile
@@ -1,19 +1,18 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gthumb
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gthumb.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# gthumb profile
 noblacklist ${HOME}/.config/gthumb
 noblacklist ~/.Steam
 noblacklist ~/.steam
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile
index 86f3d7838..22adb9e65 100644
--- a/etc/guayadeque.profile
+++ b/etc/guayadeque.profile
@@ -1,16 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for guayadeque
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/guayadeque.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ${HOME}/.guayadeque
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index 4d6237067..96bf783c4 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -1,9 +1,10 @@
-# Persistent global definitions go here
+# Firejail profile for gucharmap
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gucharmap.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/gucharmap.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
@@ -22,10 +23,10 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 private
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index fffc3e3e9..19d83866e 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -1,23 +1,23 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for gwenview
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/gwenview.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# KDE gwenview profile
-noblacklist ~/.kde4/share/apps/gwenview
-noblacklist ~/.kde4/share/config/gwenviewrc
-noblacklist ~/.kde/share/apps/gwenview
-noblacklist ~/.kde/share/config/gwenviewrc
 noblacklist ~/.config/gwenviewrc
 noblacklist ~/.config/org.kde.gwenviewrc
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+noblacklist ~/.kde4/share/apps/gwenview
+noblacklist ~/.kde4/share/config/gwenviewrc
 noblacklist ~/.local/share/gwenview
 noblacklist ~/.local/share/org.kde.gwenview
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
@@ -30,9 +30,10 @@ tracelog private-bin gwenview,kbuildsycoca4,gimp,gimp-2.8 private-dev - -# Experimental: -#private-etc X11 +# private-etc X11 noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# Experimental: diff --git a/etc/gzip.profile b/etc/gzip.profile index 5a2a5d26e..13960eda0 100644 --- a/etc/gzip.profile +++ b/etc/gzip.profile @@ -1,17 +1,14 @@ +# Firejail profile for gzip +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/gzip.local - -# gzip profile -ignore noroot -include /etc/firejail/default.profile +# Persistent global definitions +include /etc/firejail/globals.local blacklist /tmp/.X11-unix +ignore noroot net none no3d nosound @@ -19,3 +16,5 @@ shell none tracelog private-dev + +include /etc/firejail/default.profile diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile index a162352de..80291223c 100644 --- a/etc/handbrake-gtk.profile +++ b/etc/handbrake-gtk.profile @@ -1,9 +1,8 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for handbrake +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/handbrake-gtk.local -# HandBrake include /etc/firejail/handbrake.profile + +# CLOBBERED COMMENTS +# HandBrake diff --git a/etc/handbrake.profile b/etc/handbrake.profile index ccff63708..2b33051e2 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile 
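Review bot: The `# Experimental:` line that qualified the commented-out `# private-etc X11` is moved into the trailing `# CLOBBERED COMMENTS` block, so the directive it annotates now reads as an unqualified suggestion while its caveat sits at the end of the file. The same detachment happens in hexchat (the `private-bin` debug note) and in iridium (the Arch perl-script note that explains the commented `disable-devel.inc` include). Keeping such comments directly above the line they describe, e.g. `# Experimental:` followed by `# private-etc X11`, preserves the reasoning a maintainer needs before enabling the directive.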
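Review bot: The alias profile drops `include /etc/firejail/handbrake-gtk.local` without a replacement, so any hardening a user placed in that file silently stops being applied once the package is updated, and the new header no longer says where customizations belong. iridium-browser and keepass2 lose their `.local` include in the same way. If routing customizations through the target profile is intended, state it in the alias header, e.g. `# Persistent local customizations go in /etc/firejail/handbrake.local`; otherwise keep the include.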
@@ -1,15 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for handbrake +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/handbrake.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.config/ghb + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/hashcat.profile b/etc/hashcat.profile index 1e9540f87..662b8a06c 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile @@ -1,12 +1,11 @@ +# Firejail profile for hashcat +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/hashcat.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Hashcat noblacklist ${HOME}/.hashcat include /etc/firejail/disable-common.inc diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index a5c23d0aa..b6dc1f945 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile 
@@ -1,17 +1,20 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for hedgewars +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/hedgewars.local +# Persistent global definitions +include /etc/firejail/globals.local -# whitelist profile for Hedgewars (game) noblacklist ${HOME}/.hedgewars include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.hedgewars +whitelist ~/.hedgewars +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -21,10 +24,6 @@ noroot seccomp tracelog +disable-mnt private-dev private-tmp -disable-mnt - -mkdir ~/.hedgewars -whitelist ~/.hedgewars -include /etc/firejail/whitelist-common.inc diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 36ddb9e89..f070937ef 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile 
@@ -1,21 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for hexchat +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/hexchat.local +# Persistent global definitions +include /etc/firejail/globals.local -# HexChat instant messaging profile -# Currently in testing (may not work for all users) noblacklist ${HOME}/.config/hexchat -#noblacklist /usr/lib/python2* -#noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.config/hexchat +whitelist ~/.config/hexchat +include /etc/firejail/whitelist-common.inc caps.drop all -#ipc-namespace netfilter no3d nogroups @@ -28,15 +28,16 @@ seccomp shell none tracelog -mkdir ~/.config/hexchat -whitelist ~/.config/hexchat -include /etc/firejail/whitelist-common.inc - +disable-mnt private-bin hexchat -#debug note: private-bin requires perl, python, etc on some systems private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# Currently in testing (may not work for all users) +# debug note: private-bin requires perl, python, etc on some systems +# noblacklist /usr/lib/python2* +# noblacklist /usr/lib/python3* diff --git a/etc/highlight.profile b/etc/highlight.profile index fefbcc55d..c314d34cb 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile 
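Review bot: `#ipc-namespace` is deleted from the hexchat options block but, unlike the other commented directives in this hunk, is not carried into the `# CLOBBERED COMMENTS` section, so the record that IPC namespace isolation was considered and left off is lost. The same silent drop appears in jd-gui, keepass, keepassxc and kodi, where `#novideo`/`#nosound` are preserved but `#ipc-namespace` is not. Adding `# ipc-namespace` under the clobbered block keeps the history consistent with how the rest of the commit treats disabled options.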
@@ -1,31 +1,30 @@ -# Persistent global definitions go here +# Firejail profile for highlight +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/highlight.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/highlight.local +blacklist /tmp/.X11-unix -# highlight profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none +no3d nogroups nonewprivs noroot nosound protocol unix seccomp -no3d shell none tracelog -blacklist /tmp/.X11-unix - private-bin highlight +private-dev # private-etc none private-tmp -private-dev diff --git a/etc/hugin.profile b/etc/hugin.profile index 26e696f0d..8eb7410ff 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile @@ -1,16 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for hugin +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/hugin.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.hugin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/icecat.profile b/etc/icecat.profile index 600263a2a..b8b267dff 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile 
@@ -1,53 +1,49 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for icecat +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/icecat.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for GNU Icecat -noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.mozilla noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.mozilla -whitelist ~/.mozilla mkdir ~/.cache/mozilla/icecat +mkdir ~/.mozilla +whitelist ${DOWNLOADS} +whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.cache/mozilla/icecat -whitelist ~/dwhelper -whitelist ~/.zotero -whitelist ~/.vimperatorrc -whitelist ~/.vimperator -whitelist ~/.pentadactylrc -whitelist ~/.pentadactyl -whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer -whitelist ~/.cache/gnome-mplayer/plugin -whitelist ~/.pki +whitelist ~/.config/pipelight-silverlight5.1 +whitelist ~/.config/pipelight-widevine +whitelist ~/.keysnail.js whitelist ~/.lastpass - -# silverlight +whitelist ~/.mozilla +whitelist ~/.pentadactyl +whitelist ~/.pentadactylrc +whitelist ~/.pki +whitelist ~/.vimperator +whitelist ~/.vimperatorrc whitelist ~/.wine-pipelight whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine -whitelist ~/.config/pipelight-silverlight5.1 - +whitelist ~/.zotero +whitelist ~/dwhelper include /etc/firejail/whitelist-common.inc -# experimental features -#private-etc 
passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse noexec ${HOME} noexec /tmp diff --git a/etc/icedove.profile b/etc/icedove.profile index a3192c491..8cb4ec1ea 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -1,27 +1,27 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for icedove +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/icedove.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable) -# Users have icedove set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories - +noblacklist ~/.cache/icedove noblacklist ~/.gnupg -mkdir ~/.gnupg -whitelist ~/.gnupg - noblacklist ~/.icedove -mkdir ~/.icedove -whitelist ~/.icedove -noblacklist ~/.cache/icedove mkdir ~/.cache/icedove +mkdir ~/.gnupg +mkdir ~/.icedove whitelist ~/.cache/icedove +whitelist ~/.gnupg +whitelist ~/.icedove +include /etc/firejail/whitelist-common.inc -# allow browsers ignore private-tmp + include /etc/firejail/firefox.profile -#include /etc/firejail/chromium.profile - chromium runs as suid! + +# CLOBBERED COMMENTS +# Users have icedove set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories +# allow browsers diff --git a/etc/iceweasel.profile b/etc/iceweasel.profile index 5558e317d..62671cb67 100644 
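Review bot: The removed line `#include /etc/firejail/chromium.profile - chromium runs as suid!` was the only recorded reason for not pulling the chromium profile into icedove, and it is not carried into the `# CLOBBERED COMMENTS` block that preserves the other dropped comments. The new explicit `include /etc/firejail/whitelist-common.inc` placed ahead of `include /etc/firejail/firefox.profile` may duplicate an include already performed by firefox.profile; that file is not visible here, so confirm the double inclusion is harmless. I would restore the note under the clobbered block as `# include /etc/firejail/chromium.profile - chromium runs as suid!`.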
--- a/etc/iceweasel.profile +++ b/etc/iceweasel.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here +# Firejail profile for iceweasel +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/iceweasel.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/iceweasel.local -# Firejail profile for Mozilla Firefox (Iceweasel in Debian) include /etc/firejail/firefox.profile diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 771131262..2ca4cba69 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile @@ -1,16 +1,14 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for idea.sh +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/idea.sh.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for IntelliJ IDEA Community Edition - +noblacklist ${HOME}/.IdeaIC* noblacklist ${HOME}/.android noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.gradle -noblacklist ${HOME}/.IdeaIC* noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains noblacklist ${HOME}/.ssh @@ -25,13 +23,15 @@ netfilter nogroups nonewprivs noroot -#nosound novideo protocol unix,inet,inet6 seccomp shell none private-dev -#private-tmp +# private-tmp noexec /tmp + +# CLOBBERED COMMENTS +# nosound diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 2ea359e72..5117e887b 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile 
@@ -1,15 +1,15 @@ -# Persistent global definitions go here +# Firejail profile for img2txt +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/img2txt.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/img2txt.local -# img2txt profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none @@ -22,7 +22,7 @@ seccomp shell none tracelog -#private-bin img2txt -private-tmp +# private-bin img2txt private-dev -#private-etc none +# private-etc none +private-tmp diff --git a/etc/inkscape.profile b/etc/inkscape.profile index af1be565b..cde845907 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -1,16 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for inkscape +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/inkscape.local +# Persistent global definitions +include /etc/firejail/globals.local -# inkscape noblacklist ${HOME}/.inkscape + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -28,3 +28,6 @@ private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# inkscape diff --git a/etc/inox.profile b/etc/inox.profile index 49adf141b..98a1ea6a9 100644 --- a/etc/inox.profile +++ b/etc/inox.profile 
@@ -1,25 +1,24 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for inox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/inox.local +# Persistent global definitions +include /etc/firejail/globals.local -# Inox browser profile -noblacklist ~/.config/inox noblacklist ~/.cache/inox +noblacklist ~/.config/inox noblacklist ~/.pki + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -netfilter - -whitelist ${DOWNLOADS} -mkdir ~/.config/inox -whitelist ~/.config/inox mkdir ~/.cache/inox -whitelist ~/.cache/inox +mkdir ~/.config/inox mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/inox +whitelist ~/.config/inox whitelist ~/.pki - include /etc/firejail/whitelist-common.inc + +netfilter diff --git a/etc/iridium-browser.profile b/etc/iridium-browser.profile index 5b035dd79..9e1a4fcc2 100644 --- a/etc/iridium-browser.profile +++ b/etc/iridium-browser.profile @@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for iridium +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/iridium-browser.local include /etc/firejail/iridium.profile - diff --git a/etc/iridium.profile b/etc/iridium.profile index 0dd6695bf..03fae05dc 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile 
@@ -1,28 +1,27 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for iridium +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/iridium.local +# Persistent global definitions +include /etc/firejail/globals.local -# Iridium browser profile -noblacklist ~/.config/iridium noblacklist ~/.cache/iridium -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +noblacklist ~/.config/iridium -# chromium/iridium is distributed with a perl script on Arch +include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc -# - -netfilter +include /etc/firejail/disable-programs.inc -whitelist ${DOWNLOADS} -mkdir ~/.config/iridium -whitelist ~/.config/iridium mkdir ~/.cache/iridium -whitelist ~/.cache/iridium +mkdir ~/.config/iridium mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/iridium +whitelist ~/.config/iridium whitelist ~/.pki - include /etc/firejail/whitelist-common.inc + +netfilter + +# CLOBBERED COMMENTS +# chromium/iridium is distributed with a perl script on Arch diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 9cb845b50..96d4a57ce 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile 
@@ -1,26 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for jd-gui +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/jd-gui.local - -# -#Profile for jd-gui -# +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/jd-gui.cfg noblacklist ${HOME}/.java -#Blacklist Paths include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -#Options caps.drop all -#ipc-namespace net none no3d nogroups diff --git a/etc/jitsi.profile b/etc/jitsi.profile index 59459b5e9..72f9b5f5b 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -1,12 +1,12 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for jitsi +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/jitsi.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for jitsi noblacklist ~/.jitsi + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc @@ -21,5 +21,5 @@ seccomp shell none tracelog -private-tmp disable-mnt +private-tmp diff --git a/etc/k3b.profile b/etc/k3b.profile index 8c2d60107..c2aed68c9 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile 
@@ -1,29 +1,29 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for k3b +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/k3b.local +# Persistent global definitions +include /etc/firejail/globals.local -# k3b profile -noblacklist ~/.kde4/share/config/k3brc -noblacklist ~/.kde/share/config/k3brc noblacklist ~/.config/k3brc +noblacklist ~/.kde/share/config/k3brc +noblacklist ~/.kde4/share/config/k3brc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all no3d nonewprivs noroot nosound -shell none -seccomp protocol unix +seccomp +shell none tracelog # private-bin -# private-tmp # private-etc +# private-tmp diff --git a/etc/kate.profile b/etc/kate.profile index 97372f752..12d9127b4 100644 --- a/etc/kate.profile +++ b/etc/kate.profile 
@@ -1,22 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for kate +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/kate.local +# Persistent global definitions +include /etc/firejail/globals.local -# kate profile -noblacklist ~/.local/share/kate -noblacklist ~/.config/katerc noblacklist ~/.config/katepartrc +noblacklist ~/.config/katerc noblacklist ~/.config/kateschemarc noblacklist ~/.config/katesyntaxhighlightingrc noblacklist ~/.config/katevirc +noblacklist ~/.local/share/kate include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -30,6 +29,6 @@ shell none tracelog # private-bin kate -private-tmp private-dev # private-etc fonts +private-tmp diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 1d425cf47..ac4e11195 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile @@ -1,9 +1,10 @@ -# Persistent global definitions go here +# Firejail profile for kcalc +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/kcalc.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/kcalc.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -22,10 +23,10 @@ protocol unix seccomp shell none +disable-mnt private private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/keepass.profile b/etc/keepass.profile index 48574f3dc..543bc01eb 100644 
--- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -1,26 +1,24 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for keepass +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/keepass.local +# Persistent global definitions +include /etc/firejail/globals.local -# keepass password manager profile -noblacklist ${HOME}/.keepass -noblacklist ${HOME}/.config/keepass +noblacklist ${HOME}/*.kdb +noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.config/KeePass -noblacklist ${HOME}/.local/share/keepass +noblacklist ${HOME}/.config/keepass +noblacklist ${HOME}/.keepass noblacklist ${HOME}/.local/share/KeePass -noblacklist ${HOME}/*.kdbx -noblacklist ${HOME}/*.kdb +noblacklist ${HOME}/.local/share/keepass include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups diff --git a/etc/keepass2.profile b/etc/keepass2.profile index 6ac601fc0..7d2881099 100644 --- a/etc/keepass2.profile +++ b/etc/keepass2.profile @@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for keepass +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/keepass2.local -# keepass password manager profile include /etc/firejail/keepass.profile diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 34e260f8f..892dd7053 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile 
@@ -1,20 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for keepassx +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/keepassx.local +# Persistent global definitions +include /etc/firejail/globals.local -# keepassx password manager profile +noblacklist ${HOME}/*.kdb +noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.config/keepassx noblacklist ${HOME}/.keepassx -noblacklist ${HOME}/*.kdbx -noblacklist ${HOME}/*.kdb include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all machine-id @@ -30,8 +29,8 @@ shell none tracelog private-bin keepassx,keepassx2 -private-etc fonts,machine-id private-dev +private-etc fonts,machine-id private-tmp noexec ${HOME} diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index 0536866fb..ab56e0317 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile 
@@ -1,20 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for keepassx2 +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/keepassx2.local +# Persistent global definitions +include /etc/firejail/globals.local -# keepassx password manager profile +noblacklist ${HOME}/*.kdb +noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.config/keepassx noblacklist ${HOME}/.keepassx -noblacklist ${HOME}/*.kdbx -noblacklist ${HOME}/*.kdb include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 3ab4115e6..c8a494361 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile @@ -1,23 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for keepassxc +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/keepassxc.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for KeepassXC +noblacklist ${HOME}/*.kdb +noblacklist ${HOME}/*.kdbx noblacklist ${HOME}/.config/keepassxc noblacklist ${HOME}/.keepassxc -noblacklist ${HOME}/*.kdbx -noblacklist ${HOME}/*.kdb include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace net none no3d nogroups 
diff --git a/etc/kino.profile b/etc/kino.profile index bb37d56ab..c64f2d599 100644 --- a/etc/kino.profile +++ b/etc/kino.profile @@ -1,12 +1,12 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for kino +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/kino.local +# Persistent global definitions +include /etc/firejail/globals.local -noblacklist ~/.kinorc noblacklist ~/.kino-history +noblacklist ~/.kinorc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/kmail.profile b/etc/kmail.profile index 38fbf6bc3..876e80cbb 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for kmail +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/kmail.local +# Persistent global definitions +include /etc/firejail/globals.local -# kmail profile noblacklist ${HOME}/.gnupg include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/knotes.profile b/etc/knotes.profile index b1883112c..26b607257 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile 
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for knotes +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/knotes.local +# Persistent global definitions +include /etc/firejail/globals.local -# kate profile noblacklist ~/.config/knotesrc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -25,6 +24,6 @@ shell none tracelog # private-bin kate -private-tmp private-dev # private-etc fonts +private-tmp diff --git a/etc/kodi.profile b/etc/kodi.profile index ea4020232..f3eb6867f 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile @@ -1,25 +1,22 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for kodi +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/kodi.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for kodi noblacklist ${HOME}/.kodi include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-devel.inc caps.drop all -#ipc-namespace netfilter nogroups nonewprivs noroot -#novideo protocol unix,inet,inet6,netlink seccomp shell none @@ -30,3 +27,6 @@ private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# novideo 
diff --git a/etc/konversation.profile b/etc/konversation.profile index 51382df28..d1c78afbe 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -1,21 +1,21 @@ -# Persistent global definitions go here +# Firejail profile for konversation +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/konversation.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/konversation.local -# Firejail konversation profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter nogroups noroot -seccomp protocol unix,inet,inet6 +seccomp private-tmp diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index c19f1c5ef..8e396a464 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile 
@@ -1,38 +1,37 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for ktorrent +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/ktorrent.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.config/ktorrentrc -noblacklist ~/.local/share/ktorrent -noblacklist ~/.kde/share/config/ktorrentrc -noblacklist ~/.kde4/share/config/ktorrentrc noblacklist ~/.kde/share/apps/ktorrent +noblacklist ~/.kde/share/config/ktorrentrc noblacklist ~/.kde4/share/apps/ktorrent +noblacklist ~/.kde4/share/config/ktorrentrc +noblacklist ~/.local/share/ktorrent include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -mkfile ~/.config/ktorrentrc -whitelist ~/.config/ktorrentrc -mkdir ~/.local/share/ktorrent -whitelist ~/.local/share/ktorrent +mkdir ~/.kde/share/apps/ktorrent mkdir ~/.kde/share/config/ktorrentrc -whitelist ~/.kde/share/config/ktorrentrc +mkdir ~/.kde4/share/apps/ktorrent mkdir ~/.kde4/share/config/ktorrentrc -whitelist ~/.kde4/share/config/ktorrentrc -mkdir ~/.kde/share/apps/ktorrent +mkdir ~/.local/share/ktorrent +mkfile ~/.config/ktorrentrc +whitelist ${DOWNLOADS} +whitelist ~/.config/ktorrentrc whitelist ~/.kde/share/apps/ktorrent -mkdir ~/.kde4/share/apps/ktorrent +whitelist ~/.kde/share/config/ktorrentrc whitelist ~/.kde4/share/apps/ktorrent -whitelist ${DOWNLOADS} +whitelist ~/.kde4/share/config/ktorrentrc +whitelist ~/.local/share/ktorrent include /etc/firejail/whitelist-common.inc - caps.drop all netfilter no3d diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 7ac881f6a..3b3045e07 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile 
@@ -1,35 +1,36 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for kwrite +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/kwrite.local +# Persistent global definitions +include /etc/firejail/globals.local -# kate profile -noblacklist ~/.local/share/kwrite -noblacklist ~/.config/katerc noblacklist ~/.config/katepartrc +noblacklist ~/.config/katerc noblacklist ~/.config/kateschemarc noblacklist ~/.config/katesyntaxhighlightingrc noblacklist ~/.config/katevirc +noblacklist ~/.local/share/kwrite include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter nogroups nonewprivs noroot -#nosound - KWrite is using ALSA! protocol unix seccomp shell none tracelog # private-bin kwrite -private-tmp private-dev # private-etc fonts +private-tmp + +# CLOBBERED COMMENTS +# nosound - KWrite is using ALSA! diff --git a/etc/leafpad.profile b/etc/leafpad.profile index fc2cc7e09..de44a6771 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for leafpad +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/leafpad.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/leafpad diff --git a/etc/less.profile b/etc/less.profile index f8c26879e..fe8a8fa24 100644 --- a/etc/less.profile +++ b/etc/less.profile 
@@ -1,15 +1,14 @@ +# Firejail profile for less +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/less.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/less.local +blacklist /tmp/.X11-unix -# less profile ignore noroot -include /etc/firejail/default.profile - net none no3d nosound @@ -17,10 +16,10 @@ novideo shell none tracelog -blacklist /tmp/.X11-unix - private-dev memory-deny-write-execute noexec ${HOME} noexec /tmp + +include /etc/firejail/default.profile diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index fe5861e4a..e2c8d0878 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -1,18 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for libreoffice +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/libreoffice.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for LibreOffice -noblacklist ~/.config/libreoffice noblacklist ${HOME}/.java noblacklist /usr/local/sbin +noblacklist ~/.config/libreoffice + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -25,7 +25,9 @@ shell none tracelog private-dev -# whitelist /tmp/.X11-unix/ noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# whitelist /tmp/.X11-unix/ diff --git a/etc/liferea.profile b/etc/liferea.profile index f11137cdd..a0dd1a1ff 100644 
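Review bot: `ignore noroot` only suppresses a `noroot` that is parsed after it, and after this change that `noroot` arrives through the `include /etc/firejail/default.profile` which the second hunk moves to the very end of the file; the order is still correct, but nothing marks it as load-bearing, so a comment above the moved include such as `# must stay after 'ignore noroot' above` would stop the next reordering pass from breaking it. `quiet` is also left sitting between the two halves of the unified header (new lines 1-2 and 4-7), unlike every other profile in this commit; if it has to be the first directive, say so with `# quiet must come first`, otherwise move it below the header block. My reading of firejail's `ignore` semantics (only directives parsed afterwards are affected) is from memory and worth confirming before relying on the comment.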
--- a/etc/liferea.profile +++ b/etc/liferea.profile @@ -1,47 +1,44 @@ -# Persistent global definitions go here -include /etc/firejail/global.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for liferea +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/liferea.local +# Persistent global definitions +include /etc/firejail/globals.local -####################### -# profile for Liferea # -####################### +noblacklist ~/.cache/liferea noblacklist ~/.config/liferea -mkdir ~/.config/liferea -whitelist ~/.config/liferea - noblacklist ~/.local/share/liferea -mkdir ~/.local/share/liferea -whitelist ~/.local/share/liferea - -noblacklist ~/.cache/liferea -mkdir ~/.cache/liferea -whitelist ~/.cache/liferea include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc + +mkdir ~/.cache/liferea +mkdir ~/.config/liferea +mkdir ~/.local/share/liferea +whitelist ~/.cache/liferea +whitelist ~/.config/liferea +whitelist ~/.local/share/liferea include /etc/firejail/whitelist-common.inc caps.drop all -#ipc-namespace netfilter -#no3d nogroups nonewprivs noroot -#nosound novideo protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# no3d +# nosound diff --git a/etc/localc.profile b/etc/localc.profile index 35ff153cd..c30bb5550 100644 --- a/etc/localc.profile +++ b/etc/localc.profile 
@@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/localc.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/lodraw.profile b/etc/lodraw.profile index af8234b9b..c30bb5550 100644 --- a/etc/lodraw.profile +++ b/etc/lodraw.profile @@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/lodraw.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/loffice.profile b/etc/loffice.profile index ad6b28fb6..c30bb5550 100644 --- a/etc/loffice.profile +++ b/etc/loffice.profile @@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/loffice.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/lofromtemplate.profile b/etc/lofromtemplate.profile index 4a729bd71..c30bb5550 100644 --- a/etc/lofromtemplate.profile +++ b/etc/lofromtemplate.profile 
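Review bot: Each alias file drops its own `include /etc/firejail/<alias>.local`, so an existing `/etc/firejail/localc.local` (and the lodraw, loffice, lofromtemplate, loimpress, lomath, loweb, lowriter and mathematica equivalents in the following hunks) silently stops being applied; the only remaining customization hook is the `.local` of the target profile. That is a reasonable simplification, but it is a behaviour change for anyone who used the per-alias files, so the two-line header should say where customizations now go, e.g. `# Persistent local customizations: /etc/firejail/libreoffice.local`, and the commit message could mention the removal.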
@@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/lofromtemplate.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/loimpress.profile b/etc/loimpress.profile index f8da5da18..c30bb5550 100644 --- a/etc/loimpress.profile +++ b/etc/loimpress.profile @@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/loimpress.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/lollypop.profile b/etc/lollypop.profile index 4be7721e3..22004d95e 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile 
@@ -1,26 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for lollypop +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/lollypop.local +# Persistent global definitions +include /etc/firejail/globals.local -# -#Profile for lollypop -# - -#No Blacklist Paths noblacklist ${HOME}/.local/share/lollypop -#Blacklist Paths include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -#Options caps.drop all -#ipc-namespace netfilter no3d nogroups diff --git a/etc/lomath.profile b/etc/lomath.profile index 7ebdf9fe9..c30bb5550 100644 --- a/etc/lomath.profile +++ b/etc/lomath.profile @@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/lomath.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/loweb.profile b/etc/loweb.profile index b504d0a86..c30bb5550 100644 --- a/etc/loweb.profile +++ b/etc/loweb.profile 
@@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/loweb.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/lowriter.profile b/etc/lowriter.profile index 567cf91ec..c30bb5550 100644 --- a/etc/lowriter.profile +++ b/etc/lowriter.profile @@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/lowriter.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index f73c83cbd..961fca905 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile 
@@ -1,20 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for luminance-hdr +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/luminance-hdr.local +# Persistent global definitions +include /etc/firejail/globals.local -# luminance-hdr noblacklist ${HOME}/.config/Luminance include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter nogroups nonewprivs @@ -26,8 +24,11 @@ seccomp shell none tracelog -private-tmp private-dev +private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# luminance-hdr diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 42996af04..f0eda6fbe 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for lximage-qt +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/lximage-qt.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist .config/lximage-qt diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index eac72c6db..230ceaafb 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile 
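Review bot: The `# CLOBBERED COMMENTS` block added at the end of luminance-hdr.profile preserves `# luminance-hdr`, which was the old title line rather than a disabled directive, so the block records nothing actionable and reads as though a `luminance-hdr` option had been commented out. Elsewhere in this commit such title lines are simply dropped (`# kmail profile`, `# mpv media player profile`), so the three trailing added lines here should go the same way. The block is only worth keeping where it holds a real disabled directive, as in kodi (`# novideo`) and kwrite (`# nosound - KWrite is using ALSA!`).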
@@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for lxmusic +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/lxmusic.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.cache/xmms2 noblacklist ~/.config/xmms2 diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 08293647e..22ecbaa6f 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -1,17 +1,19 @@ -# Persistent global definitions go here +# Firejail profile for lxterminal +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/lxterminal.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/lxterminal.local -# lxterminal (LXDE) profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter protocol unix,inet,inet6 seccomp -#noroot - somehow this breaks on Debian Jessie! + +# CLOBBERED COMMENTS +# noroot - somehow this breaks on Debian Jessie! diff --git a/etc/lynx.profile b/etc/lynx.profile index f7e83649a..8ff1f88b3 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile 
@@ -1,31 +1,30 @@ -# Persistent global definitions go here +# Firejail profile for lynx +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/lynx.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/lynx.local +blacklist /tmp/.X11-unix -# lynx profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter +no3d nogroups nonewprivs noroot nosound -no3d protocol unix,inet,inet6 seccomp -netfilter shell none tracelog -blacklist /tmp/.X11-unix - # private-bin lynx -private-tmp private-dev # private-etc none +private-tmp diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index e083e8b88..220807447 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mate-calc +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mate-calc.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/mate-calc @@ -24,9 +24,9 @@ protocol unix seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/mate-calculator.profile b/etc/mate-calculator.profile index acc687b81..155ccfe7e 100644 --- a/etc/mate-calculator.profile +++ b/etc/mate-calculator.profile 
@@ -1,8 +1,7 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mate-calculator +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mate-calculator.local +# Persistent global definitions +include /etc/firejail/globals.local -#include /etc/firejail/mate-calc.profile diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 74fe4bd69..42456d1f6 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile @@ -1,9 +1,10 @@ -# Persistent global definitions go here +# Firejail profile for mate-color-select +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/mate-color-select.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/mate-color-select.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -22,10 +23,10 @@ protocol unix seccomp shell none +disable-mnt private private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 4fe0795d2..bc148fba3 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile 
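Review bot: After this hunk, which covers the whole of mate-calculator.profile, the file holds only the header and the two `.local` includes: no include of a real profile and no sandboxing directive, so a sandbox started with it gets nothing beyond whatever the `.local` files add. The old file was already empty in that sense, but the commit also deletes the commented-out `#include /etc/firejail/mate-calc.profile` hint and gives the file the same "Firejail profile for" header as a fully specified profile, which hides the gap. If the intent is an alias it should follow the localc pattern, `# Firejail profile alias for mate-calc` plus `include /etc/firejail/mate-calc.profile`; if leaving it empty is deliberate, a one-line comment saying why belongs in the header. I cannot tell from the diff which was intended.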
@@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mate-dictionary +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mate-dictionary.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/mate/mate-dictionary @@ -24,9 +24,9 @@ protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/mathematica.profile b/etc/mathematica.profile index b44d0407d..64cae12dd 100644 --- a/etc/mathematica.profile +++ b/etc/mathematica.profile @@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for Mathematica +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/mathematica.local -# Mathematica profile include /etc/firejail/Mathematica.profile diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 603b5f5a0..8563201ac 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile 
@@ -1,28 +1,27 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mcabber +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mcabber.local +# Persistent global definitions +include /etc/firejail/globals.local -# mcabber profile noblacklist ${HOME}/.mcabber noblacklist ${HOME}/.mcabberrc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter nonewprivs noroot +nosound protocol inet,inet6 seccomp +shell none private-bin mcabber -private-etc null private-dev -shell none -nosound +private-etc null diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 8758d66b9..4a2e9246e 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile @@ -1,31 +1,30 @@ -# Persistent global definitions go here +# Firejail profile for mediainfo +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/mediainfo.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/mediainfo.local +blacklist /tmp/.X11-unix -# mediainfo profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none -nonewprivs +no3d nogroups +nonewprivs noroot nosound -no3d protocol unix seccomp shell none tracelog -blacklist /tmp/.X11-unix - private-bin mediainfo -private-tmp private-dev private-etc none +private-tmp 
diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 8bf4eda13..5e980909b 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile @@ -1,17 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mediathekview +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mediathekview.local +# Persistent global definitions +include /etc/firejail/globals.local -# MediathekView profile -noblacklist ~/.mediathek3 noblacklist ~/.config/vlc +noblacklist ~/.mediathek3 + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -21,8 +21,8 @@ protocol unix,inet,inet6 seccomp tracelog -noexec ${HOME} -noexec /tmp - private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/meld.profile b/etc/meld.profile index 503f6d07c..4aeca3771 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for meld +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/meld.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for meld noblacklist ${HOME}/.local/share/meld include /etc/firejail/disable-common.inc @@ -14,7 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace net none no3d nogroups 
diff --git a/etc/midori.profile b/etc/midori.profile index 8a02fb738..f3a219f52 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -1,49 +1,44 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for midori +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/midori.local +# Persistent global definitions +include /etc/firejail/globals.local -# Midori profile noblacklist ~/.config/midori noblacklist ~/.local/share/midori noblacklist ~/.local/share/webkit noblacklist ~/.local/share/webkitgtk noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc - -mkdir ~/.config/midori -whitelist ~/.config/midori +include /etc/firejail/disable-programs.inc mkdir ~/.cache/midori -whitelist ~/.cache/midori - +mkdir ~/.config/midori mkdir ~/.local/share/midori -whitelist ~/.local/share/midori - mkdir ~/.local/share/webkit -whitelist ~/.local/share/webkit - mkdir ~/.local/share/webkitgtk -whitelist ~/.local/share/webkitgtk - +mkdir ~/.pki whitelist ${DOWNLOADS} -whitelist ~/.config/gnome-mplayer whitelist ~/.cache/gnome-mplayer/plugin -mkdir ~/.pki -whitelist ~/.pki +whitelist ~/.cache/midori +whitelist ~/.config/gnome-mplayer +whitelist ~/.config/midori whitelist ~/.lastpass - +whitelist ~/.local/share/midori +whitelist ~/.local/share/webkit +whitelist ~/.local/share/webkitgtk +whitelist ~/.pki +include /etc/firejail/whitelist-common.inc caps.drop all netfilter nonewprivs -# noroot - porblems on Ubuntu 14.04 protocol unix,inet,inet6,netlink seccomp tracelog - +# CLOBBERED COMMENTS +# noroot - porblems on Ubuntu 14.04 diff --git a/etc/mousepad.profile b/etc/mousepad.profile index c3e85d55f..5a54afb5b 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile 
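Review bot: `include /etc/firejail/whitelist-common.inc` is a genuinely new line in midori.profile (the old side has `whitelist` entries but no such include), so this hunk changes the set of paths visible inside the sandbox rather than only reordering, unlike the rest of the commit; it is probably the right fix for a whitelist-based profile, but it deserves its own mention in the commit message or a separate commit so the behaviour change is reviewable on its own. While the trailing comment is being rewritten into the `# CLOBBERED COMMENTS` block, `porblems` could become `problems`, and the blank line that used to separate the whitelist block from `caps.drop all` has been dropped here although the other profiles in this commit keep it.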
@@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mousepad +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mousepad.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for mousepad noblacklist ~/.config/Mousepad include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/mplayer.profile b/etc/mplayer.profile index 879223e1a..25bcef47a 100644 --- a/etc/mplayer.profile +++ b/etc/mplayer.profile @@ -1,31 +1,31 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mplayer +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mplayer.local +# Persistent global definitions +include /etc/firejail/globals.local -# mplayer profile noblacklist ${HOME}/.mplayer include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter -# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp shell none +private-bin mplayer private-dev private-tmp -private-bin mplayer noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# nogroups diff --git a/etc/mpv.profile b/etc/mpv.profile index 0cda3e4e1..7c1e5ea27 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile 
@@ -1,18 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mpv +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mpv.local +# Persistent global definitions +include /etc/firejail/globals.local -# mpv media player profile noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.netrc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -21,10 +20,11 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none tracelog -# to test -# ipc-namespace -shell none private-bin mpv,youtube-dl,python,python2.7,python3.6,env private-dev + +# CLOBBERED COMMENTS +# to test diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 6b0696064..882f17485 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile 
@@ -1,47 +1,40 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for multimc5 +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/multimc5.local +# Persistent global definitions +include /etc/firejail/globals.local -# -#Profile for multimc5 -# - -#No Blacklist Paths noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/multimc5 noblacklist ${HOME}/.multimc5 -#Blacklist Paths include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -#Whitelist Paths mkdir ${HOME}/.local/share/multimc5 -whitelist ${HOME}/.local/share/multimc5 mkdir ${HOME}/.multimc5 +whitelist ${HOME}/.local/share/multimc5 whitelist ${HOME}/.multimc5 include /etc/firejail/whitelist-common.inc -#Options caps.drop all -#ipc-namespace netfilter nogroups nonewprivs noroot novideo protocol unix,inet,inet6 -#seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# seccomp diff --git a/etc/mumble.profile b/etc/mumble.profile index a2104957d..048b31b81 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile 
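Review bot: multimc5 still runs without a seccomp filter — `#seccomp` only becomes `# seccomp` under `# CLOBBERED COMMENTS` — and the new placement removes any hint of why it is disabled, which is exactly the kind of weakened option a profile should justify inline so the gap stays visible. A one-line reason next to the remaining options, e.g. `# seccomp - disabled: TODO <reason, confirm>` placed after `protocol unix,inet,inet6`, would do. If nobody remembers the reason, that is worth recording too, since the presence of `shell none` and `private-dev` suggests the rest of the profile was hardened deliberately.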
@@ -1,17 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mumble +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mumble.local +# Persistent global definitions +include /etc/firejail/globals.local -# mumble profile noblacklist ${HOME}/.config/Mumble noblacklist ${HOME}/.local/share/data/Mumble + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/Mumble mkdir ${HOME}/.local/share/data/Mumble @@ -20,20 +20,19 @@ whitelist ${HOME}/.local/share/data/Mumble include /etc/firejail/whitelist-common.inc caps.drop all -#ipc-namespace netfilter no3d -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6 seccomp shell none tracelog +disable-mnt private-bin mumble private-tmp -disable-mnt memory-deny-write-execute noexec ${HOME} diff --git a/etc/mupdf.profile b/etc/mupdf.profile index ca61edfdd..a55a01206 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -1,15 +1,15 @@ -# Persistent global definitions go here +# Firejail profile for mupdf +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/mupdf.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/mupdf.local -# mupdf reader profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none 
@@ -22,15 +22,13 @@ seccomp shell none tracelog -private-tmp +# private-bin mupdf,sh,tempfile,rm private-dev private-etc fonts - -# mupdf will never write anything +private-tmp read-only ${HOME} -# +# CLOBBERED COMMENTS # Experimental: -# -#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev -# private-bin mupdf,sh,tempfile,rm +# mupdf will never write anything +# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 5705eb645..9c3bfe658 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile 
@@ -1,27 +1,29 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for mupen64plus +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/mupen64plus.local +# Persistent global definitions +include /etc/firejail/globals.local -# mupen64plus profile -# manually whitelist ROM files noblacklist ${HOME}/.config/mupen64plus noblacklist ${HOME}/.local/share/mupen64plus include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -mkdir ${HOME}/.local/share/mupen64plus -whitelist ${HOME}/.local/share/mupen64plus/ mkdir ${HOME}/.config/mupen64plus +mkdir ${HOME}/.local/share/mupen64plus whitelist ${HOME}/.config/mupen64plus/ +whitelist ${HOME}/.local/share/mupen64plus/ +include /etc/firejail/whitelist-common.inc caps.drop all net none nonewprivs noroot seccomp + +# CLOBBERED COMMENTS +# manually whitelist ROM files diff --git a/etc/mutt.profile b/etc/mutt.profile index bf8323070..e2b9b38ec 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile 
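Review bot: `+include /etc/firejail/whitelist-common.inc` is a functional addition in a commit presented as a layout unification: it pulls the shared whitelist entries into the sandbox, and with the profile otherwise whitelisting only its own config and data directories, the hint `# manually whitelist ROM files` is the only thing telling a user why ROMs outside those paths are invisible — yet that hint now sits at the bottom under `# CLOBBERED COMMENTS`. The midori hunk adds the same include. Keep the guidance with the whitelist lines, e.g. `# ROM files must be whitelisted manually (e.g. in mupen64plus.local)` directly above `mkdir ${HOME}/.config/mupen64plus`, and mention the added include in the commit message so it is not mistaken for a reorder.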
@@ -1,50 +1,49 @@ -# Persistent global definitions go here +# Firejail profile for mutt +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/mutt.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/mutt.local +blacklist /tmp/.X11-unix -# mutt email client profile -noblacklist ~/.muttrc -noblacklist ~/.mutt -noblacklist ~/.mutt/muttrc -noblacklist ~/.mailcap -noblacklist ~/.gnupg -noblacklist ~/.mail noblacklist ~/.Mail -noblacklist ~/mail -noblacklist ~/Mail -noblacklist ~/sent -noblacklist ~/postponed +noblacklist ~/.bogofilter noblacklist ~/.cache/mutt -noblacklist ~/.w3m noblacklist ~/.elinks -noblacklist ~/.vim -noblacklist ~/.vimrc -noblacklist ~/.viminfo noblacklist ~/.emacs noblacklist ~/.emacs.d -noblacklist ~/.signature -noblacklist ~/.bogofilter +noblacklist ~/.gnupg +noblacklist ~/.mail +noblacklist ~/.mailcap noblacklist ~/.msmtprc +noblacklist ~/.mutt +noblacklist ~/.mutt/muttrc +noblacklist ~/.muttrc +noblacklist ~/.signature +noblacklist ~/.vim +noblacklist ~/.viminfo +noblacklist ~/.vimrc +noblacklist ~/.w3m +noblacklist ~/Mail +noblacklist ~/mail +noblacklist ~/postponed +noblacklist ~/sent include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d nogroups nonewprivs noroot nosound -no3d protocol unix,inet,inet6 seccomp shell none -blacklist /tmp/.X11-unix - private-dev diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 4f2f50d9f..350e7f9b6 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile 
@@ -1,25 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for nautilus +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/nautilus.local - -# nautilus profile - -# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there -# is already a nautilus process running on gnome desktops firejail will have no effect. +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.config/nautilus +noblacklist ~/.local/share/Trash noblacklist ~/.local/share/nautilus noblacklist ~/.local/share/nautilus-python -noblacklist ~/.local/share/Trash include /etc/firejail/disable-common.inc -# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files -#include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +# include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -32,6 +26,11 @@ shell none tracelog # private-bin nautilus -# private-tmp # private-dev # private-etc fonts +# private-tmp + +# CLOBBERED COMMENTS +# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there +# is already a nautilus process running on gnome desktops firejail will have no effect. +# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files diff --git a/etc/nemo.profile b/etc/nemo.profile index 5e6f4936f..e2219825a 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile 
@@ -1,18 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for nemo +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/nemo.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/nemo +noblacklist ${HOME}/.local/share/Trash noblacklist ${HOME}/.local/share/nemo noblacklist ${HOME}/.local/share/nemo-python -noblacklist ${HOME}/.local/share/Trash include /etc/firejail/disable-common.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 82cd4d59b..68df57539 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -1,16 +1,23 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for netsurf +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/netsurf.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Mozilla Firefox (Iceweasel in Debian) -noblacklist ~/.config/netsurf noblacklist ~/.cache/netsurf +noblacklist ~/.config/netsurf + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.cache/netsurf +mkdir ~/.config/netsurf +whitelist ${DOWNLOADS} +whitelist ~/.cache/netsurf +whitelist ~/.config/netsurf +include /etc/firejail/whitelist-common.inc caps.drop all netfilter 
@@ -19,11 +26,3 @@ noroot protocol unix,inet,inet6,netlink seccomp tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.config/netsurf -whitelist ~/.config/netsurf -mkdir ~/.cache/netsurf -whitelist ~/.cache/netsurf - -include /etc/firejail/whitelist-common.inc diff --git a/etc/nylas.profile b/etc/nylas.profile index ac2f1120a..6b6697522 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile @@ -1,22 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for nylas +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/nylas.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Nylas Mail noblacklist ~/.config/Nylas Mail noblacklist ~/.nylas-mail include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +whitelist ${DOWNLOADS} whitelist ~/.config/Nylas Mail whitelist ~/.nylas-mail -whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/obs.profile b/etc/obs.profile index 8316551f9..3dbacbf57 100644 --- a/etc/obs.profile +++ b/etc/obs.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for obs +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/obs.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for OBS Studio noblacklist ${HOME}/.config/obs-studio include /etc/firejail/disable-common.inc 
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 8cfadd9ac..06b4c16e0 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile @@ -1,33 +1,31 @@ -# Persistent global definitions go here +# Firejail profile for odt2txt +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/odt2txt.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/odt2txt.local +blacklist /tmp/.X11-unix -# odt2txt profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none +no3d nogroups nonewprivs noroot nosound protocol unix seccomp -no3d shell none tracelog -blacklist /tmp/.X11-unix - private-bin odt2txt -private-tmp private-dev private-etc none - +private-tmp read-only ${HOME} diff --git a/etc/okular.profile b/etc/okular.profile index 578f01915..331b625b8 100644 --- a/etc/okular.profile +++ b/etc/okular.profile 
@@ -1,29 +1,29 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for okular +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/okular.local +# Persistent global definitions +include /etc/firejail/globals.local -# KDE okular profile -noblacklist ~/.kde4/share/apps/okular -noblacklist ~/.kde4/share/config/okularrc -noblacklist ~/.kde4/share/config/okularpartrc +noblacklist ~/.config/okularpartrc +noblacklist ~/.config/okularrc noblacklist ~/.kde/share/apps/okular -noblacklist ~/.kde/share/config/okularrc noblacklist ~/.kde/share/config/okularpartrc +noblacklist ~/.kde/share/config/okularrc +noblacklist ~/.kde4/share/apps/okular +noblacklist ~/.kde4/share/config/okularpartrc +noblacklist ~/.kde4/share/config/okularrc noblacklist ~/.local/share/okular -noblacklist ~/.config/okularrc -noblacklist ~/.config/okularpartrc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot nosound protocol unix @@ -32,8 +32,8 @@ shell none tracelog # private-bin okular,kbuildsycoca4,lpr -# private-etc fonts,X11 private-dev +# private-etc fonts,X11 private-tmp noexec ${HOME} diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index f95b0f5a2..e4c87e5b9 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile 
@@ -1,41 +1,34 @@ -# Persistent global definitions go here +# Firejail profile for open-invaders +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/open-invaders.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/open-invaders.local +noblacklist ~/.openinvaders -################################ -# open-invaders profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.openinvaders mkdir ~/.openinvaders whitelist ~/.openinvaders include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +net none +nogroups nonewprivs noroot protocol unix,netlink seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -net none -nogroups shell none -#private-bin open-invaders -# private-etc none + +# private-bin open-invaders private-dev +# private-etc none private-tmp -# nosound - - - +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound diff --git a/etc/openshot.profile b/etc/openshot.profile index 25c803512..b5ace455e 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile 
@@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for openshot +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/openshot.local +# Persistent global definitions +include /etc/firejail/globals.local -# OpenShot profile noblacklist ${HOME}/.openshot noblacklist ${HOME}/.openshot_qt diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 4fc2235c1..078f5a0dd 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile @@ -1,24 +1,24 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for opera-beta +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/opera-beta.local +# Persistent global definitions +include /etc/firejail/globals.local -# Opera-beta browser profile noblacklist ~/.config/opera-beta noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -netfilter - -whitelist ${DOWNLOADS} -mkdir ~/.config/opera-beta -whitelist ~/.config/opera-beta mkdir ~/.cache/opera -whitelist ~/.cache/opera +mkdir ~/.config/opera-beta mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/opera +whitelist ~/.config/opera-beta whitelist ~/.pki include /etc/firejail/whitelist-common.inc + +netfilter diff --git a/etc/opera.profile b/etc/opera.profile index b6c4ab7bd..7802a124a 100644 --- a/etc/opera.profile +++ b/etc/opera.profile 
@@ -1,28 +1,28 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for opera +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/opera.local +# Persistent global definitions +include /etc/firejail/globals.local -# Opera browser profile +noblacklist ~/.cache/opera noblacklist ~/.config/opera noblacklist ~/.opera -noblacklist ~/.cache/opera noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -netfilter - -whitelist ${DOWNLOADS} +mkdir ~/.cache/opera mkdir ~/.config/opera -whitelist ~/.config/opera mkdir ~/.opera -mkdir ~/.cache/opera +mkdir ~/.pki +whitelist ${DOWNLOADS} whitelist ~/.cache/opera +whitelist ~/.config/opera whitelist ~/.opera -mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc + +netfilter diff --git a/etc/orage.profile b/etc/orage.profile index c9977d002..132b526b4 100644 --- a/etc/orage.profile +++ b/etc/orage.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for orage +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/orage.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/orage noblacklist ${HOME}/.local/share/orage @@ -25,9 +25,9 @@ protocol unix seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/palemoon.profile b/etc/palemoon.profile index b3b57f931..ab72497c0 100644 --- a/etc/palemoon.profile 
+++ b/etc/palemoon.profile @@ -1,23 +1,23 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for palemoon +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/palemoon.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Pale Moon -noblacklist ~/.moonchild productions/pale moon noblacklist ~/.cache/moonchild productions/pale moon +noblacklist ~/.moonchild productions/pale moon + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-programs.inc -whitelist ${DOWNLOADS} -mkdir ~/.moonchild productions -whitelist ~/.moonchild productions mkdir ~/.cache/moonchild productions/pale moon +mkdir ~/.moonchild productions +whitelist ${DOWNLOADS} whitelist ~/.cache/moonchild productions/pale moon +whitelist ~/.moonchild productions +include /etc/firejail/whitelist-common.inc caps.drop all netfilter 
@@ -29,30 +29,27 @@ seccomp shell none tracelog -#private-bin palemoon -#private-opt palemoon +# private-bin palemoon +# private-dev (disabled for now as it will interfere with webcam use in palemoon) +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +# private-opt palemoon private-tmp -# These are uncommented in the Firefox profile. If you run into trouble you may -# want to uncomment (some of) them. -#whitelist ~/dwhelper -#whitelist ~/.zotero -#whitelist ~/.vimperatorrc -#whitelist ~/.vimperator -#whitelist ~/.pentadactylrc -#whitelist ~/.pentadactyl -#whitelist ~/.keysnail.js -#whitelist ~/.config/gnome-mplayer -#whitelist ~/.cache/gnome-mplayer/plugin -#whitelist ~/.pki -#whitelist ~/.lastpass - +# CLOBBERED COMMENTS # For silverlight -#whitelist ~/.wine-pipelight -#whitelist ~/.wine-pipelight64 -#whitelist ~/.config/pipelight-widevine -#whitelist ~/.config/pipelight-silverlight5.1 - -# experimental features -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse -#private-dev (disabled for now as it will interfere with webcam use in palemoon) +# want to uncomment (some of) them. +# whitelist ~/.cache/gnome-mplayer/plugin +# whitelist ~/.config/gnome-mplayer +# whitelist ~/.config/pipelight-silverlight5.1 +# whitelist ~/.config/pipelight-widevine +# whitelist ~/.keysnail.js +# whitelist ~/.lastpass +# whitelist ~/.pentadactyl +# whitelist ~/.pentadactylrc +# whitelist ~/.pki +# whitelist ~/.vimperator +# whitelist ~/.vimperatorrc +# whitelist ~/.wine-pipelight +# whitelist ~/.wine-pipelight64 +# whitelist ~/.zotero +# whitelist ~/dwhelper diff --git a/etc/parole.profile b/etc/parole.profile index e6a9d4ef5..00a12afd9 100644 --- a/etc/parole.profile +++ b/etc/parole.profile 
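Review bot: The relocated comment block is now a sentence fragment: `# want to uncomment (some of) them.` survives, but its first half (`These are uncommented in the Firefox profile. If you run into trouble you may`) was dropped, and `# For silverlight` now heads an alphabetically sorted list in which the four pipelight entries are interleaved with unrelated ones, so the heading labels nothing. Restore the complete sentence as `# These are uncommented in the Firefox profile. If you run into trouble you may` followed by `# want to uncomment (some of) them.`, and either drop `# For silverlight` or keep the pipelight lines grouped beneath it. The enclosing file continues above this hunk.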
@@ -1,18 +1,15 @@ -# Persistent global definitions go here +# Firejail profile for parole +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/parole.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/parole.local -# Profile for Parole, the default XFCE4 media player include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc - -private-etc passwd,group,fonts -private-bin parole,dbus-launch +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -21,3 +18,6 @@ noroot protocol unix,inet,inet6 seccomp shell none + +private-bin parole,dbus-launch +private-etc passwd,group,fonts diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 654904f17..f2bc908df 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile @@ -1,18 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for pcmanfm +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/pcmanfm.local +# Persistent global definitions +include /etc/firejail/globals.local -noblacklist ~/.config/pcmanfm -noblacklist ~/.config/libfm noblacklist ${HOME}/.local/share/Trash +noblacklist ~/.config/libfm +noblacklist ~/.config/pcmanfm include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +# include /etc/firejail/disable-programs.inc caps.drop all net none diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 2465be252..0f25f1fa5 100644 
--- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -1,24 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for pdfsam +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/pdfsam.local +# Persistent global definitions +include /etc/firejail/globals.local -# -#Profile for pdfsam -# noblacklist ${HOME}/.java -#Blacklist Paths include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -#Options caps.drop all -#ipc-namespace net none no3d nogroups diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index e5dab840f..89fb295dd 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -1,31 +1,30 @@ -# Persistent global definitions go here +# Firejail profile for pdftotext +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/pdftotext.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/pdftotext.local +blacklist /tmp/.X11-unix -# pdftotext profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none +no3d nogroups nonewprivs noroot nosound protocol unix seccomp -no3d shell none tracelog -blacklist /tmp/.X11-unix - private-bin pdftotext -private-tmp private-dev private-etc none +private-tmp 
diff --git a/etc/peek.profile b/etc/peek.profile index 811eb701b..2860d3663 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for peek +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/peek.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Peek noblacklist ${HOME}/.cache/peek include /etc/firejail/disable-common.inc @@ -25,7 +24,7 @@ protocol unix seccomp shell none -#private-bin peek,convert,ffmpeg +# private-bin peek,convert,ffmpeg private-dev private-tmp diff --git a/etc/picard.profile b/etc/picard.profile index 0c99e6b3e..ccdbc5116 100644 --- a/etc/picard.profile +++ b/etc/picard.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for picard +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/picard.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for MusicBrainz Picard noblacklist ${HOME}/.cache/MusicBrainz noblacklist ${HOME}/.config/MusicBrainz diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 5c0b5de04..7bc88a814 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile 
@@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for pidgin +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/pidgin.local +# Persistent global definitions +include /etc/firejail/globals.local -# Pidgin profile noblacklist ${HOME}/.purple include /etc/firejail/disable-common.inc diff --git a/etc/pingus.profile b/etc/pingus.profile index b3b479046..6699b7944 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile @@ -1,41 +1,34 @@ -# Persistent global definitions go here +# Firejail profile for pingus +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/pingus.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/pingus.local +noblacklist ~/.pingus -################################ -# Pinugs profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.pingus mkdir ~/.pingus whitelist ~/.pingus include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +net none +nogroups nonewprivs noroot protocol unix,netlink seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -net none -nogroups shell none -#private-bin pingus -# private-etc none + +# private-bin pingus private-dev +# private-etc none private-tmp -# nosound - - - +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound 
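Review bot: The trailing `# CLOBBERED COMMENTS` block in pingus keeps the sentence `# depending on your usage, you can enable some of the commands below:`, but it now sits above a single `# nosound` line while the options it originally introduced (`net none`, `nogroups`, `shell none`) have become unconditional directives further up. The note no longer describes anything, and a reader may take it to mean the hardening above is optional. Either drop the sentence or make the one remaining candidate self-describing, e.g. `# nosound - enable if the game's audio is not needed`.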
diff --git a/etc/pithos.profile b/etc/pithos.profile index c08f27f17..7eea5d8c2 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile @@ -1,25 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for pithos +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/pithos.local +# Persistent global definitions +include /etc/firejail/globals.local -# -#Profile for pithos -# -#Blacklist Paths include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc - +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-common.inc -#Options caps.drop all -#ipc-namespace netfilter no3d nogroups @@ -30,9 +23,9 @@ protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/pix.profile b/etc/pix.profile index f6e3d4ae3..0d1d46fd6 100644 --- a/etc/pix.profile +++ b/etc/pix.profile 
@@ -1,20 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for pix +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/pix.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for pix noblacklist ${HOME}/.config/pix noblacklist ${HOME}/.local/share/pix noblacklist ~/.Steam noblacklist ~/.steam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups diff --git a/etc/pluma.profile b/etc/pluma.profile index c2a30b2c3..75bdeadc4 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for pluma +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/pluma.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Xed noblacklist ${HOME}/.config/pluma include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none diff --git a/etc/polari.profile b/etc/polari.profile index 657139b6b..e2788b7d0 100644 --- a/etc/polari.profile +++ b/etc/polari.profile 
@@ -1,26 +1,26 @@ -# Persistent global definitions go here +# Firejail profile for polari +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/polari.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/polari.local -# Polari IRC profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc +mkdir ${HOME}/.cache/telepathy +mkdir ${HOME}/.config/telepathy-account-widgets mkdir ${HOME}/.local/share/Empathy -whitelist ${HOME}/.local/share/Empathy -mkdir ${HOME}/.local/share/telepathy -whitelist ${HOME}/.local/share/telepathy mkdir ${HOME}/.local/share/TpLogger -whitelist ${HOME}/.local/share/TpLogger -mkdir ${HOME}/.config/telepathy-account-widgets -whitelist ${HOME}/.config/telepathy-account-widgets -mkdir ${HOME}/.cache/telepathy -whitelist ${HOME}/.cache/telepathy +mkdir ${HOME}/.local/share/telepathy mkdir ${HOME}/.purple +whitelist ${HOME}/.cache/telepathy +whitelist ${HOME}/.config/telepathy-account-widgets +whitelist ${HOME}/.local/share/Empathy +whitelist ${HOME}/.local/share/TpLogger +whitelist ${HOME}/.local/share/telepathy whitelist ${HOME}/.purple include /etc/firejail/whitelist-common.inc @@ -36,9 +36,9 @@ seccomp shell none tracelog +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 9500731fe..27ee2500c 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile 
@@ -1,27 +1,25 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for psi-plus +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/psi-plus.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Psi+ noblacklist ${HOME}/.config/psi+ noblacklist ${HOME}/.local/share/psi+ include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -whitelist ${DOWNLOADS} +mkdir ~/.cache/psi+ mkdir ~/.config/psi+ -whitelist ~/.config/psi+ mkdir ~/.local/share/psi+ -whitelist ~/.local/share/psi+ -mkdir ~/.cache/psi+ +whitelist ${DOWNLOADS} whitelist ~/.cache/psi+ - +whitelist ~/.config/psi+ +whitelist ~/.local/share/psi+ include /etc/firejail/whitelist-common.inc caps.drop all @@ -35,9 +33,9 @@ protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 7ae8a22d4..5dcba0825 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile 
@@ -1,30 +1,29 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qbittorrent +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qbittorrent.local +# Persistent global definitions +include /etc/firejail/globals.local -# qbittorrent bittorrent profile -noblacklist ~/.config/qt5ct +noblacklist ~/.cache/qBittorrent noblacklist ~/.config/qBittorrent noblacklist ~/.config/qBittorrentrc -noblacklist ~/.cache/qBittorrent +noblacklist ~/.config/qt5ct include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -mkdir ~/.local/share/data/qBittorrent -whitelist ~/.local/share/data/qBittorrent -whitelist ~/.config/qt5ct +mkdir ~/.cache/qBittorrent mkdir ~/.config/qBittorrent +mkdir ~/.local/share/data/qBittorrent +whitelist ${DOWNLOADS} +whitelist ~/.cache/qBittorrent whitelist ~/.config/qBittorrent whitelist ~/.config/qBittorrentrc -mkdir ~/.cache/qBittorrent -whitelist ~/.cache/qBittorrent -whitelist ${DOWNLOADS} +whitelist ~/.config/qt5ct +whitelist ~/.local/share/data/qBittorrent include /etc/firejail/whitelist-common.inc caps.drop all @@ -37,9 +36,11 @@ nosound protocol unix,inet,inet6,netlink seccomp -# there are some problems with "Open destination folder", see bug #536 -#shell none -#private-bin qbittorrent +# private-bin qbittorrent private-dev # private-etc X11,fonts,xdg,resolv.conf private-tmp + +# CLOBBERED COMMENTS +# shell none +# there are some problems with "Open destination folder", see bug # 536 diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index f6458de86..0f3235266 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile 
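Review bot: The reason `shell none` and `private-bin qbittorrent` are disabled has been detached from them: the explanation now lives in a `# CLOBBERED COMMENTS` tail, and its issue reference was mangled from `bug #536` to `bug # 536`, so the pointer to the upstream ticket is lost. The next person tightening this profile will re-enable both and reintroduce the "Open destination folder" breakage. Keep the rationale next to the directives, e.g. `# shell none and private-bin are disabled: they break "Open destination folder", see bug #536` directly above `# private-bin qbittorrent`, and restore the `#536` spelling.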
@@ -1,16 +1,15 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qemu-launcher +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qemu-launcher.local +# Persistent global definitions +include /etc/firejail/globals.local -# qemu-launcher profile noblacklist ~/.qemu-launcher include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index fdfd7ab72..b1b8e9319 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -1,14 +1,14 @@ -# Persistent global definitions go here +# Firejail profile for qemu-system-x86_64 +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/qemu-system-x86_64.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/qemu-system-x86_64.local -# qemu profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/qlipper.profile b/etc/qlipper.profile index d57856c1a..98c794624 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile 
@@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qlipper +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qlipper.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.config/Qlipper @@ -24,9 +24,9 @@ protocol unix seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 97bd2b0b1..596171420 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -1,19 +1,18 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qpdfview +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qpdfview.local +# Persistent global definitions +include /etc/firejail/globals.local -# qpdfview profile -noblacklist ${HOME}/.config/qt5ct noblacklist ${HOME}/.config/qpdfview +noblacklist ${HOME}/.config/qt5ct noblacklist ${HOME}/.local/share/qpdfview include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups diff --git a/etc/qtox.profile b/etc/qtox.profile index cc2a45bb2..08cbcd332 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile 
@@ -1,23 +1,24 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qtox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qtox.local +# Persistent global definitions +include /etc/firejail/globals.local -# qTox instant messaging profile -noblacklist ~/.config/tox noblacklist ~/.config/qt5ct +noblacklist ~/.config/tox + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -mkdir ${HOME}/.config/tox -whitelist ${HOME}/.config/tox mkdir ${HOME}/.config/qt5ct -whitelist ${HOME}/.config/qt5ct +mkdir ${HOME}/.config/tox whitelist ${DOWNLOADS} +whitelist ${HOME}/.config/qt5ct +whitelist ${HOME}/.config/tox +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -29,9 +30,9 @@ seccomp shell none tracelog -noexec ${HOME} -noexec /tmp - +disable-mnt private-bin qtox private-tmp -disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/quassel.profile b/etc/quassel.profile index 6a8988941..9e9ecfce9 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile 
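Review bot: The added `include /etc/firejail/whitelist-common.inc` in qtox is a behavioural change hiding in what is otherwise a reorder-only commit: the old profile issued `whitelist` directives without ever pulling in whitelist-common.inc, and the new one widens the home whitelist to whatever that include lists. It is very likely the right fix (whitelist mode without it typically leaves an X client without its usual dotfiles), but it deserves a sentence in the commit message and a quick launch of qtox to confirm nothing else moved. The option list in the second hunk continues outside the hunk, so this note covers only the visible lines.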
@@ -1,18 +1,18 @@ -# Persistent global definitions go here +# Firejail profile for quassel +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/quassel.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/quassel.local -# Quassel IRC profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter nonewprivs noroot -netfilter protocol unix,inet,inet6 seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index aa17693cd..934763a25 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for quiterss +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/quiterss.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.cache/QuiteRss noblacklist ${HOME}/.config/QuiteRss 
@@ -11,19 +11,20 @@ noblacklist ${HOME}/.config/QuiteRssrc noblacklist ${HOME}/.local/share/QuiteRss include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -whitelist ${HOME}/quiterssfeeds.opml +mkdir ~/.cache/QuiteRss mkdir ~/.config/QuiteRss -whitelist ${HOME}/.config/QuiteRss/ -whitelist ${HOME}/.config/QuiteRssrc mkdir ~/.local/share/data mkdir ~/.local/share/data/QuiteRss -whitelist ${HOME}/.local/share/data/QuiteRss -mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss +whitelist ${HOME}/.config/QuiteRss/ +whitelist ${HOME}/.config/QuiteRssrc +whitelist ${HOME}/.local/share/data/QuiteRss +whitelist ${HOME}/quiterssfeeds.opml +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -36,12 +37,10 @@ seccomp shell none tracelog +disable-mnt private-bin quiterss private-dev -#private-etc X11,ssl -disable-mnt - -include /etc/firejail/whitelist-common.inc +# private-etc X11,ssl noexec ${HOME} noexec /tmp diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 5dfeeb281..6d0c16785 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile 
@@ -1,27 +1,28 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qupzilla +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qupzilla.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Qupzilla web browser -noblacklist ${HOME}/.config/qupzilla noblacklist ${HOME}/.cache/qupzilla +noblacklist ${HOME}/.config/qupzilla + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -caps.drop all -seccomp -protocol unix,inet,inet6,netlink -netfilter -tracelog -noroot + whitelist ${DOWNLOADS} -whitelist ~/.config/qupzilla whitelist ~/.cache/qupzilla +whitelist ~/.config/qupzilla include /etc/firejail/whitelist-common.inc -# experimental features -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index aec5e4ad4..9eb0c9075 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile 
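Review bot: qupzilla's reordered option block (`caps.drop all`, `netfilter`, `noroot`, `protocol`, `seccomp`, `tracelog`) still lacks `nonewprivs` and `nogroups`, which quassel sets unconditionally in this same commit — a unification pass is the natural place to close that gap for a browser profile. Without `nonewprivs`, a setuid helper reachable from inside the sandbox can still regain privileges across exec; firejail's seccomp path may set the bit implicitly on some versions, but the profile should not depend on that. Adding `nogroups` and `nonewprivs` between `netfilter` and `noroot` also keeps the alphabetical layout this commit introduces.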
@@ -1,16 +1,25 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for qutebrowser +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/qutebrowser.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser -noblacklist ~/.config/qutebrowser noblacklist ~/.cache/qutebrowser +noblacklist ~/.config/qutebrowser + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.cache/qutebrowser +mkdir ~/.config/qutebrowser +mkdir ~/.local/share/qutebrowser +whitelist ${DOWNLOADS} +whitelist ~/.cache/qutebrowser +whitelist ~/.config/qutebrowser +whitelist ~/.local/share/qutebrowser +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -19,12 +28,3 @@ noroot protocol unix,inet,inet6,netlink seccomp tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.config/qutebrowser -whitelist ~/.config/qutebrowser -mkdir ~/.cache/qutebrowser -whitelist ~/.cache/qutebrowser -mkdir ~/.local/share/qutebrowser -whitelist ~/.local/share/qutebrowser -include /etc/firejail/whitelist-common.inc diff --git a/etc/rambox.profile b/etc/rambox.profile index 2c70fbd13..ea88b472c 100644 --- a/etc/rambox.profile +++ b/etc/rambox.profile 
@@ -1,16 +1,23 @@ -#Persistent global definitions go here -include /etc/firejail/globals.local - -#This file is overwritten during software install. -#Persistent customizations should go in a .local file. +# Firejail profile for rambox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/rambox.local +# Persistent global definitions +include /etc/firejail/globals.local -# Rambox profile for firejail noblacklist ~/.config/Rambox noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.config/Rambox +mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.config/Rambox +whitelist ~/.pki +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -19,13 +26,6 @@ nonewprivs noroot protocol unix,inet,inet6,netlink seccomp -#tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.config/Rambox -whitelist ~/.config/Rambox -mkdir ~/.pki -whitelist ~/.pki - -include /etc/firejail/whitelist-common.inc +# CLOBBERED COMMENTS +# tracelog diff --git a/etc/ranger.profile b/etc/ranger.profile index ab0545aaf..3915cffb6 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile 
@@ -1,29 +1,30 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for ranger +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/ranger.local +# Persistent global definitions +include /etc/firejail/globals.local -# ranger file manager profile noblacklist /usr/bin/perl -#noblacklist /usr/bin/cpan* -noblacklist /usr/share/perl* noblacklist /usr/lib/perl* +noblacklist /usr/share/perl* noblacklist ~/.config/ranger include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none nogroups nonewprivs noroot +nosound protocol unix seccomp -nosound private-dev + +# CLOBBERED COMMENTS +# noblacklist /usr/bin/cpan* diff --git a/etc/remmina.profile b/etc/remmina.profile index 5aff10fe3..39b5b2acd 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile @@ -1,14 +1,13 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for remmina +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/remmina.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Remmina -noblacklist ${HOME}/.ssh noblacklist ${HOME}/.config/remmina noblacklist ${HOME}/.local/share/remmina +noblacklist ${HOME}/.ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 930a8fed5..9f8e8fb1a 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile 
@@ -1,19 +1,18 @@
-# Persistent global definitions go here
+# Firejail profile for rhythmbox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rhythmbox.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/rhythmbox.local
-# Rhythmbox media player profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
-#no3d
 nogroups
 nonewprivs
 noroot
@@ -29,3 +28,6 @@ private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# no3d
diff --git a/etc/riot-web.profile b/etc/riot-web.profile
index 4814dadf7..93f389bbc 100644
--- a/etc/riot-web.profile
+++ b/etc/riot-web.profile
@@ -1,5 +1,13 @@
-# Firejail profile for Riot.
+# Firejail profile for riot-web
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/riot-web.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
 noblacklist ~/.config/Riot
+
 whitelist ~/.config/Riot
+include /etc/firejail/whitelist-common.inc
 include /etc/firejail/electron.profile
diff --git a/etc/ristretto.profile b/etc/ristretto.profile
index 3d3491658..8070254ac 100644
--- a/etc/ristretto.profile
+++ b/etc/ristretto.profile
@@ -1,10 +1,10 @@
-# Persistent global definitions go here
+# Firejail profile for ristretto
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ristretto.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/risretto.local
-
 noblacklist ${HOME}/.config/ristretto
 noblacklist ~/.Steam
 noblacklist ~/.steam
diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile
index 93416c248..b9f9960f4 100644
--- a/etc/rtorrent.profile
+++ b/etc/rtorrent.profile
@@ -1,15 +1,15 @@
-# Persistent global definitions go here
+# Firejail profile for rtorrent
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/rtorrent.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/rtorrent.local
-# rtorrent bittorrent profile
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -18,8 +18,8 @@ noroot
 nosound
 protocol unix,inet,inet6
 seccomp
-
 shell none
+
 private-bin rtorrent
 private-dev
 private-tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 5cd1768a0..73343f5da 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
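Review bot: The ristretto hunk silently fixes a real bug — the old file included `/etc/firejail/risretto.local`, so a user's `ristretto.local` customizations were never read — and a commit titled "Unify all profiles" gives no hint of it. This is worth a line in the commit message, because anyone who worked around the typo by creating a `risretto.local` file will now find that file ignored and their settings gone.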
@@ -1,32 +1,29 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for scribus +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/scribus.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Scribus -noblacklist ~/.scribus +noblacklist ~/.config/okularpartrc +noblacklist ~/.config/okularrc noblacklist ~/.config/scribus noblacklist ~/.config/scribusrc -noblacklist ~/.local/share/scribus noblacklist ~/.gimp* - -# Support for PDF readers (Scribus 1.5 and higher) -noblacklist ~/.kde4/share/apps/okular -noblacklist ~/.kde4/share/config/okularrc -noblacklist ~/.kde4/share/config/okularpartrc noblacklist ~/.kde/share/apps/okular -noblacklist ~/.kde/share/config/okularrc noblacklist ~/.kde/share/config/okularpartrc +noblacklist ~/.kde/share/config/okularrc +noblacklist ~/.kde4/share/apps/okular +noblacklist ~/.kde4/share/config/okularpartrc +noblacklist ~/.kde4/share/config/okularrc noblacklist ~/.local/share/okular -noblacklist ~/.config/okularrc -noblacklist ~/.config/okularpartrc +noblacklist ~/.local/share/scribus +noblacklist ~/.scribus include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nonewprivs @@ -37,4 +34,7 @@ seccomp tracelog private-dev -#private-tmp +# private-tmp + +# CLOBBERED COMMENTS +# Support for PDF readers (Scribus 1.5 and higher) diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 855eae5b1..7311594c0 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile 
@@ -1,20 +1,20 @@
+# Firejail profile for sdat2img
+# This file is overwritten after every install/update
 quiet
-# Persistent global definitions go here
+# Persistent local customizations
+include /etc/firejail/sdat2img.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/sdat2img.local
-# Firejail profile for sdat2img
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-no3d
 net none
+no3d
 nogroups
 nonewprivs
 noroot
diff --git a/etc/seamonkey-bin.profile b/etc/seamonkey-bin.profile
index f01810671..25e882b32 100644
--- a/etc/seamonkey-bin.profile
+++ b/etc/seamonkey-bin.profile
@@ -1,9 +1,5 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for seamonkey
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/seamonkey-bin.local
-# Firejail profile for Seamonkey based off Mozilla Firefox
 include /etc/firejail/seamonkey.profile
diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile
index b674897a8..072a9fef5 100644
--- a/etc/seamonkey.profile
+++ b/etc/seamonkey.profile
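Review bot: Removing `include /etc/firejail/seamonkey-bin.local` from the seamonkey-bin alias silently drops any customizations administrators have placed in that file; seamonkey.profile only pulls in seamonkey.local, so those settings stop applying with no warning at sandbox start. Either keep `include /etc/firejail/seamonkey-bin.local` above `include /etc/firejail/seamonkey.profile`, or state in the commit message that per-alias .local files are no longer honoured and must be merged into seamonkey.local.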
@@ -1,17 +1,39 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for seamonkey +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/seamonkey.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Seamoneky based off Mozilla Firefox -noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.mozilla noblacklist ~/.pki + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.cache/mozilla +mkdir ~/.mozilla +whitelist ${DOWNLOADS} +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.cache/mozilla +whitelist ~/.config/gnome-mplayer +whitelist ~/.config/pipelight-silverlight5.1 +whitelist ~/.config/pipelight-widevine +whitelist ~/.keysnail.js +whitelist ~/.lastpass +whitelist ~/.mozilla +whitelist ~/.pentadactyl +whitelist ~/.pentadactylrc +whitelist ~/.pki +whitelist ~/.vimperator +whitelist ~/.vimperatorrc +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.zotero +whitelist ~/dwhelper +include /etc/firejail/whitelist-common.inc caps.drop all netfilter 
@@ -21,29 +43,4 @@ protocol unix,inet,inet6,netlink seccomp tracelog -whitelist ${DOWNLOADS} -mkdir ~/.mozilla -whitelist ~/.mozilla -mkdir ~/.cache/mozilla -whitelist ~/.cache/mozilla -whitelist ~/dwhelper -whitelist ~/.zotero -whitelist ~/.vimperatorrc -whitelist ~/.vimperator -whitelist ~/.pentadactylrc -whitelist ~/.pentadactyl -whitelist ~/.keysnail.js -whitelist ~/.config/gnome-mplayer -whitelist ~/.cache/gnome-mplayer/plugin -whitelist ~/.pki -whitelist ~/.lastpass -include /etc/firejail/whitelist-common.inc - -# silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine -whitelist ~/.config/pipelight-silverlight5.1 - -# experimental features -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile index bcad82b5d..d5d92670b 100644 --- a/etc/silentarmy.profile +++ b/etc/silentarmy.profile @@ -1,14 +1,13 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for silentarmy +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/silentarmy.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for SILENTARMY include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
@@ -25,7 +24,7 @@ shell none disable-mnt private -#private-bin silentarmy,sa-solver,python3 +# private-bin silentarmy,sa-solver,python3 private-dev private-tmp diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 19e400d4f..d6c6886c7 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile @@ -1,30 +1,31 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for simple-scan +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/simple-scan.local +# Persistent global definitions +include /etc/firejail/globals.local -# simple-scan profile noblacklist ~/.cache/simple-scan include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter nogroups nonewprivs noroot nosound protocol unix,inet,inet6 -#seccomp -netfilter shell none tracelog # private-bin simple-scan -# private-tmp # private-dev # private-etc fonts +# private-tmp + +# CLOBBERED COMMENTS +# seccomp diff --git a/etc/simutrans.profile b/etc/simutrans.profile index b1df0ba28..32c0436f8 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile 
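Review bot: The trailing `# CLOBBERED COMMENTS` block in simple-scan drops the context that made `# seccomp` meaningful: on the old side it sat in the option list as the disabled `#seccomp`, on the new side it reads as a stray remark, and the profile still runs without a seccomp filter. Keep the disabled option where it was, with the reason it is off, e.g. `# seccomp - disabled, <reason not recorded in this hunk>`. The same detachment affects every other profile in this commit that ends with a `# CLOBBERED COMMENTS` block (simutrans, skanlite, smplayer, ssh-agent, ssh, steam, supertux2, synfigstudio, tar, thunderbird, tracker); steam is the clearest case, where `# tracelog disabled as it breaks integrated browser` and `# with >=llvm-4 mesa drivers need llvm stuff` are sorted away from the `# tracelog` and `noblacklist /usr/lib/llvm*` lines they explain.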
@@ -1,41 +1,34 @@ -# Persistent global definitions go here +# Firejail profile for simutrans +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/simutrans.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/simutrans.local +noblacklist ~/.simutrans -################################ -# simutrans profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.simutrans mkdir ~/.simutrans whitelist ~/.simutrans include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +net none +nogroups nonewprivs noroot protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -net none -nogroups shell none -#private-bin simutrans -# private-etc none + +# private-bin simutrans private-dev +# private-etc none private-tmp -# nosound - - - +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound diff --git a/etc/skanlite.profile b/etc/skanlite.profile index 87698f575..f6e27a474 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile 
@@ -1,15 +1,15 @@ -# Persistent global definitions go here +# Firejail profile for skanlite +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/skanlite.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/skanlite.local -# skanlite profile include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -17,11 +17,13 @@ nogroups nonewprivs noroot nosound -shell none seccomp -# protocol unix,inet,inet6 +shell none # private-bin skanlite # private-dev -# private-tmp # private-etc +# private-tmp + +# CLOBBERED COMMENTS +# protocol unix,inet,inet6 diff --git a/etc/skype.profile b/etc/skype.profile index 7c7a4eb17..396563f0c 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for skype +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/skype.local +# Persistent global definitions +include /etc/firejail/globals.local -# Skype profile noblacklist ${HOME}/.Skype include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -22,9 +21,9 @@ protocol unix,inet,inet6 seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp 
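Review bot: On the new side of the skype hunk `include /etc/firejail/disable-devel.inc` is listed twice (both are context lines, on either side of the removed `disable-programs.inc`), so the alphabetical reordering kept a pre-existing duplicate; drop the second one. As far as the hunk shows the duplicate is harmless at runtime, but a unifying pass is exactly where it should have been caught. The other reorderings in this file (`disable-mnt` moved ahead of `private-dev` in the second hunk) do not change behaviour.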
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index a2f693945..7037961f8 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile @@ -1,17 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for skypeforlinux +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/skypeforlinux.local +# Persistent global definitions +include /etc/firejail/globals.local -# skypeforlinux profile noblacklist ${HOME}/.config/skypeforlinux include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -22,9 +21,9 @@ protocol unix,inet,inet6,netlink seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/slack.profile b/etc/slack.profile index a68717ea3..d2fb74af8 100644 --- a/etc/slack.profile +++ b/etc/slack.profile 
@@ -1,20 +1,25 @@ -# Persistent global definitions go here +# Firejail profile for slack +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/slack.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/slack.local +blacklist /var -# Firejail profile for Slack noblacklist ${HOME}/.config/Slack noblacklist ${HOME}/Downloads include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -blacklist /var +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ${HOME}/Downloads +include /etc/firejail/whitelist-common.inc caps.drop all name slack @@ -26,14 +31,8 @@ protocol unix,inet,inet6,netlink seccomp shell none +disable-mnt private-bin slack private-dev private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime private-tmp -disable-mnt - -mkdir ${HOME}/.config -mkdir ${HOME}/.config/Slack -whitelist ${HOME}/.config/Slack -whitelist ${HOME}/Downloads -include /etc/firejail/whitelist-common.inc diff --git a/etc/smplayer.profile b/etc/smplayer.profile index 6a5c115b7..d3ff02ddf 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile 
@@ -1,32 +1,32 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for smplayer +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/smplayer.local +# Persistent global definitions +include /etc/firejail/globals.local -# smplayer profile noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.mplayer include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter -# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp shell none +private-bin smplayer,mplayer private-dev private-tmp -private-bin smplayer,mplayer noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# nogroups diff --git a/etc/soffice.profile b/etc/soffice.profile index 9fca8e4c9..c30bb5550 100644 --- a/etc/soffice.profile +++ b/etc/soffice.profile @@ -1,11 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for libreoffice +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/soffice.local -################################ -# LibreOffice profile -################################ include /etc/firejail/libreoffice.profile diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile index 642612a52..12ae63cf9 100644 --- a/etc/soundconverter.profile +++ b/etc/soundconverter.profile 
@@ -1,11 +1,11 @@ -# Persistent global definitions go here +# Firejail profile for soundconverter +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/soundconverter.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/soundconverter.local -# Firejail profile for Sound Converter include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/spotify.profile b/etc/spotify.profile index 07103b112..64805153c 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -1,26 +1,35 @@ -# Persistent global definitions go here +# Firejail profile for spotify +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/spotify.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/spotify.local +blacklist ${HOME}/.bashrc +blacklist /boot +blacklist /lost+found +blacklist /opt +blacklist /root +blacklist /sbin +blacklist /srv +blacklist /sys -# Spotify media player profile -noblacklist ${HOME}/.config/spotify noblacklist ${HOME}/.cache/spotify +noblacklist ${HOME}/.config/spotify noblacklist ${HOME}/.local/share/spotify + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -# Whitelist the folders needed by Spotify +mkdir ${HOME}/.cache/spotify mkdir ${HOME}/.config/spotify -whitelist ${HOME}/.config/spotify mkdir ${HOME}/.local/share/spotify -whitelist ${HOME}/.local/share/spotify -mkdir ${HOME}/.cache/spotify whitelist ${HOME}/.cache/spotify +whitelist ${HOME}/.config/spotify +whitelist ${HOME}/.local/share/spotify +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -31,20 +40,11 @@ protocol unix,inet,inet6,netlink seccomp shell none -noexec ${HOME} -noexec /tmp - +disable-mnt private-bin spotify,bash,sh,dash -private-etc fonts,machine-id,pulse,resolv.conf private-dev +private-etc fonts,machine-id,pulse,resolv.conf private-tmp -disable-mnt -blacklist ${HOME}/.bashrc -blacklist /boot -blacklist /lost+found -blacklist /opt -blacklist /root -blacklist /sbin -blacklist /srv -blacklist /sys +noexec ${HOME} +noexec /tmp diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index a08064d8c..ac7daa873 100644 --- a/etc/sqlitebrowser.profile 
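Review bot: `include /etc/firejail/whitelist-common.inc` is new on the spotify side — the old profile whitelisted only the three spotify directories — so a behaviour change is hidden inside what is otherwise a reformatting commit: everything that include makes visible is now exposed in the sandbox. Either call it out in the commit message or split it into its own commit; the same include is added to stellarium later in this commit. The relocated `blacklist` lines now precede the `noblacklist` lines, which is fine here because the paths do not overlap, but as I read firejail's parser the two are applied in file order, so this ordering would matter if they ever did.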
+++ b/etc/sqlitebrowser.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for sqlitebrowser +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/sqlitebrowser.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for SQLiteBrowser noblacklist ${HOME}/.config/sqlitebrowser include /etc/firejail/disable-common.inc diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index ab47067f1..520524192 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -1,26 +1,28 @@ +# Firejail profile for ssh-agent +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/ssh-agent.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/ssh-agent.local +blacklist /tmp/.X11-unix -# ssh-agent -noblacklist ~/.ssh -noblacklist /tmp/ssh-* noblacklist /etc/ssh +noblacklist /tmp/ssh-* +noblacklist ~/.ssh include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d nonewprivs noroot -no3d protocol unix,inet,inet6 seccomp -blacklist /tmp/.X11-unix +# CLOBBERED COMMENTS +# ssh-agent diff --git a/etc/ssh.profile b/etc/ssh.profile index 466abdc88..0f9950a81 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile 
@@ -1,19 +1,18 @@ +# Firejail profile for ssh +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/ssh.local +# Persistent global definitions +include /etc/firejail/globals.local -# ssh client -noblacklist ~/.ssh -noblacklist /tmp/ssh-* noblacklist /etc/ssh +noblacklist /tmp/ssh-* +noblacklist ~/.ssh include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,8 +28,11 @@ shell none tracelog private-dev -#private-tmp #Breaks when exiting +# private-tmp # Breaks when exiting memory-deny-write-execute noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# ssh client diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile index f15e5d8ac..26154508a 100644 --- a/etc/start-tor-browser.profile +++ b/etc/start-tor-browser.profile @@ -1,11 +1,11 @@ -# Persistent global definitions go here +# Firejail profile for start-tor-browser +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/start-tor-browser.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/start-tor-browser.local -# Firejail profile for the Tor Brower Bundle include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc @@ -22,6 +22,6 @@ shell none tracelog private-bin bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf -private-etc fonts private-dev +private-etc fonts private-tmp 
diff --git a/etc/steam.profile b/etc/steam.profile index 856824b5d..b3b62471d 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -1,41 +1,40 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for steam +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/steam.local +# Persistent global definitions +include /etc/firejail/globals.local -# with >=llvm-4 mesa drivers need llvm stuff -noblacklist /usr/lib/llvm* - -# Steam profile (applies to games/apps launched from Steam as well) -noblacklist ${HOME}/.java noblacklist ${HOME}/.Steam -noblacklist ${HOME}/.steam noblacklist ${HOME}/.Steampath -noblacklist ${HOME}/.steampath noblacklist ${HOME}/.Steampid -noblacklist ${HOME}/.steampid +noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/Steam noblacklist ${HOME}/.local/share/steam +noblacklist ${HOME}/.steam +noblacklist ${HOME}/.steampath +noblacklist ${HOME}/.steampid +noblacklist /usr/lib/llvm* + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter nogroups nonewprivs noroot -#novideo protocol unix,inet,inet6,netlink seccomp shell none -# tracelog disabled as it breaks integrated browser -#tracelog - private-dev private-tmp + +# CLOBBERED COMMENTS +# novideo +# tracelog +# tracelog disabled as it breaks integrated browser +# with >=llvm-4 mesa drivers need llvm stuff diff --git a/etc/stellarium.profile b/etc/stellarium.profile index 00579f8fd..768fbd082 100644 --- a/etc/stellarium.profile +++ b/etc/stellarium.profile 
@@ -1,23 +1,23 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for stellarium +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/stellarium.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Stellarium. -noblacklist ~/.stellarium noblacklist ~/.config/stellarium +noblacklist ~/.stellarium + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Whitelist -mkdir ~/.stellarium -whitelist ~/.stellarium mkdir ~/.config/stellarium +mkdir ~/.stellarium whitelist ~/.config/stellarium +whitelist ~/.stellarium +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -30,7 +30,7 @@ seccomp shell none tracelog +disable-mnt private-bin stellarium private-dev private-tmp -disable-mnt diff --git a/etc/strings.profile b/etc/strings.profile index a83e3a801..09957ae09 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,22 +1,23 @@ +# Firejail profile for strings +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/strings.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/strings.local +blacklist /tmp/.X11-unix -# strings profile ignore noroot -include /etc/firejail/default.profile - net none no3d nosound novideo shell none tracelog + private-dev -blacklist /tmp/.X11-unix memory-deny-write-execute + +include /etc/firejail/default.profile 
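Review bot: Moving `include /etc/firejail/default.profile` from the top of strings.profile to the bottom keeps the old behaviour only because `ignore noroot` still precedes it; as I read firejail's profile parser, `ignore` applies to directives read after it, so a later sort that puts the `include` above the `ignore` would silently re-enable noroot. A one-line comment pins the dependency: `# keep after "ignore noroot": ignore only affects lines read after it`. The same move is made in tar.profile later in this commit and deserves the same comment.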
diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 276e91b05..87ad8da7f 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile @@ -1,41 +1,34 @@ -# Persistent global definitions go here +# Firejail profile for supertux2 +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/supertux2.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/supertux2.local +noblacklist ~/.local/share/supertux2 -################################ -# SuperTux profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.local/share/supertux2 mkdir ~/.local/share/supertux2 whitelist ~/.local/share/supertux2 include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +net none +nogroups nonewprivs noroot protocol unix,netlink seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -net none -nogroups shell none -#private-bin supertux2 -# private-etc none + +# private-bin supertux2 private-dev +# private-etc none private-tmp -# nosound - - - +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index bcb42f624..02db74df3 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile 
@@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for synfigstudio +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/synfigstudio.local +# Persistent global definitions +include /etc/firejail/globals.local -# synfigstudio noblacklist ${HOME}/.config/synfig noblacklist ${HOME}/.synfig @@ -30,3 +29,6 @@ private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# synfigstudio diff --git a/etc/tar.profile b/etc/tar.profile index c2d089e71..c3b5aa0e6 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -1,25 +1,26 @@ +# Firejail profile for tar +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/tar.local - -# tar profile -ignore noroot -include /etc/firejail/default.profile +# Persistent global definitions +include /etc/firejail/globals.local blacklist /tmp/.X11-unix hostname tar +ignore noroot net none no3d nosound shell none tracelog -# support compressed archives private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev private-etc passwd,group,localtime + +include /etc/firejail/default.profile + +# CLOBBERED COMMENTS +# support compressed archives diff --git a/etc/telegram-desktop.profile b/etc/telegram-desktop.profile index db5c2bdbb..844595b3f 100644 --- a/etc/telegram-desktop.profile +++ b/etc/telegram-desktop.profile 
@@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for telegram +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/telegram-desktop.local -# Telegram profile include /etc/firejail/telegram.profile diff --git a/etc/telegram.profile b/etc/telegram.profile index db00e8082..e40233c35 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -1,15 +1,15 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for telegram +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/telegram.local +# Persistent global definitions +include /etc/firejail/globals.local -# Telegram profile noblacklist ${HOME}/.TelegramDesktop + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -18,8 +18,8 @@ noroot protocol unix,inet,inet6 seccomp -private-tmp disable-mnt +private-tmp noexec ${HOME} noexec /tmp diff --git a/etc/thunar.profile b/etc/thunar.profile index d8389ebc8..044f22d29 100644 --- a/etc/thunar.profile +++ b/etc/thunar.profile @@ -1,8 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for Thunar +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/thunar.local include /etc/firejail/Thunar.profile diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index c693a53b3..c80f76aa8 100644 --- a/etc/thunderbird.profile 
+++ b/etc/thunderbird.profile @@ -1,36 +1,35 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for thunderbird +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/thunderbird.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Mozilla Thunderbird -# Users have thunderbird set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories - +noblacklist ~/.cache/thunderbird noblacklist ~/.gnupg -mkdir ~/.gnupg -whitelist ~/.gnupg - +noblacklist ~/.icedove noblacklist ~/.thunderbird -mkdir ~/.thunderbird -whitelist ~/.thunderbird -noblacklist ~/.icedove +mkdir ~/.cache/thunderbird +mkdir ~/.gnupg mkdir ~/.icedove +mkdir ~/.thunderbird +whitelist ~/.cache/thunderbird +whitelist ~/.config/mimeapps.list +whitelist ~/.gnupg whitelist ~/.icedove +whitelist ~/.local/share/applications +whitelist ~/.thunderbird +include /etc/firejail/whitelist-common.inc -noblacklist ~/.cache/thunderbird -mkdir ~/.cache/thunderbird -whitelist ~/.cache/thunderbird +ignore private-tmp -whitelist ~/.config/mimeapps.list read-only ~/.config/mimeapps.list -whitelist ~/.local/share/applications read-only ~/.local/share/applications -# allow browsers -ignore private-tmp include /etc/firejail/firefox.profile -#include /etc/firejail/chromium.profile - chromium runs as suid! + +# CLOBBERED COMMENTS +# Users have thunderbird set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories +# allow browsers diff --git a/etc/totem.profile b/etc/totem.profile index 7ae082760..a364e4c02 100644 --- a/etc/totem.profile +++ b/etc/totem.profile 
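Review bot: The removed line `#include /etc/firejail/chromium.profile - chromium runs as suid!` was the only record of why chromium.profile is deliberately not pulled in here, and unlike the other orphaned comments it is not carried into the `# CLOBBERED COMMENTS` block; keep it next to `include /etc/firejail/firefox.profile`, e.g. `# chromium.profile is not included: chromium runs as suid`. Secondary: `include /etc/firejail/whitelist-common.inc` now sits above `include /etc/firejail/firefox.profile`, which presumably includes it as well; a double include should be harmless but is worth confirming rather than assuming.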
@@ -1,21 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for totem
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/totem.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
-# Totem media player profile
 noblacklist ~/.config/totem
 noblacklist ~/.local/share/totem
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
-#ipc-namespace
 netfilter
 nogroups
 nonewprivs
@@ -26,7 +24,7 @@ shell none
 
 private-bin totem
 private-dev
-#private-etc fonts
+# private-etc fonts
 private-tmp
 
 noexec ${HOME}
diff --git a/etc/tracker.profile b/etc/tracker.profile
index b87bebf43..98040133c 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -1,34 +1,33 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for tracker
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/tracker.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
-# tracker profile
-
-# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+blacklist /tmp/.X11-unix
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
-no3d
 protocol unix
 seccomp
 shell none
 tracelog
 
-blacklist /tmp/.X11-unix
-
 # private-bin tracker
-# private-tmp
 # private-dev
 # private-etc fonts
+# private-tmp
+
+# CLOBBERED COMMENTS
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 5b7e6e7c8..e8fdd81d7 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -1,18 +1,17 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for transmission-cli
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/transmission-cli.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
-# transmission-cli bittorrent profile
-noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
@@ -24,9 +23,9 @@ seccomp
 shell none
 tracelog
 
-#private-bin transmission-cli
-private-tmp
+# private-bin transmission-cli
 private-dev
 private-etc none
+private-tmp
 
 memory-deny-write-execute
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 7f85aa69c..b3cf5213a 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -1,24 +1,23 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for transmission-gtk
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/transmission-gtk.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
-# transmission-gtk bittorrent profile
-noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-mkdir ~/.config/transmission
-whitelist ~/.config/transmission
 mkdir ~/.cache/transmission
-whitelist ~/.cache/transmission
+mkdir ~/.config/transmission
 whitelist ${DOWNLOADS}
+whitelist ~/.cache/transmission
+whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 70a5af575..433fb716e 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -1,24 +1,23 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for transmission-qt
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/transmission-qt.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 
-# transmission-qt bittorrent profile
-noblacklist ${HOME}/.config/transmission
 noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
 
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 
-mkdir ~/.config/transmission
-whitelist ~/.config/transmission
 mkdir ~/.cache/transmission
-whitelist ~/.cache/transmission
+mkdir ~/.config/transmission
 whitelist ${DOWNLOADS}
+whitelist ~/.cache/transmission
+whitelist ~/.config/transmission
 include /etc/firejail/whitelist-common.inc
 
 caps.drop all
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 743f9ff4f..e87ab51df 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -1,18 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for transmission-show +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/transmission-show.local +# Persistent global definitions +include /etc/firejail/globals.local -# transmission-show profile -noblacklist ${HOME}/.config/transmission noblacklist ${HOME}/.cache/transmission +noblacklist ${HOME}/.config/transmission include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none @@ -25,6 +24,6 @@ shell none tracelog # private-bin -private-tmp private-dev private-etc none +private-tmp diff --git a/etc/truecraft.profile b/etc/truecraft.profile index 20435c30f..850845c95 100644 --- a/etc/truecraft.profile +++ b/etc/truecraft.profile @@ -1,11 +1,10 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for truecraft +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/truecraft.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for TrueCraft noblacklist ${HOME}/.config/mono noblacklist ${HOME}/.config/truecraft @@ -15,8 +14,8 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/mono -whitelist ${HOME}/.config/mono mkdir ${HOME}/.config/truecraft +whitelist ${HOME}/.config/mono whitelist ${HOME}/.config/truecraft include /etc/firejail/whitelist-common.inc 
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 5b65b8c41..775ac8a96 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -1,16 +1,20 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for uget-gtk +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/uget-gtk.local +# Persistent global definitions +include /etc/firejail/globals.local -# uGet profile noblacklist ${HOME}/.config/uGet include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.config/uGet +whitelist ${DOWNLOADS} +whitelist ~/.config/uGet +include /etc/firejail/whitelist-common.inc caps.drop all netfilter @@ -24,8 +28,3 @@ shell none private-bin uget-gtk private-dev private-tmp - -whitelist ${DOWNLOADS} -mkdir ~/.config/uGet -whitelist ~/.config/uGet -include /etc/firejail/whitelist-common.inc diff --git a/etc/unbound.profile b/etc/unbound.profile index 7431ee27a..091d59c1a 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile 
@@ -1,20 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for unbound +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/unbound.local +# Persistent global definitions +include /etc/firejail/globals.local -# security profile for unbound (https://unbound.net) noblacklist /sbin noblacklist /usr/sbin + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -private -private-dev -nosound no3d +nosound seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open + +private +private-dev diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index c4e535070..fc24fc04d 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile 
@@ -1,40 +1,33 @@ -# Persistent global definitions go here +# Firejail profile for unknown-horizons +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/unknown-horizons.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/unknown-horizons.local +noblacklist ~/.unknown-horizons -################################ -# Extreme Tux Racer profile -################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc -noblacklist ~/.unknown-horizons mkdir ~/.unknown-horizons whitelist ~/.unknown-horizons include /etc/firejail/whitelist-common.inc -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc - caps.drop all +nogroups nonewprivs noroot protocol unix,netlink,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -#private-bin unknown-horizons -# private-etc none + +# private-bin unknown-horizons private-dev +# private-etc none private-tmp -# nosound - - - +# CLOBBERED COMMENTS +# depending on your usage, you can enable some of the commands below: +# nosound diff --git a/etc/unrar.profile b/etc/unrar.profile index 62d6665ec..8d8fda952 100644 --- a/etc/unrar.profile +++ b/etc/unrar.profile 
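Review bot: The trailing `# CLOBBERED COMMENTS` heading added to unknown-horizons reads as leftover output of the reformatting script rather than profile documentation, and it detaches comments from the directives they explained: `# depending on your usage, you can enable some of the commands below:` now sits at the end of the file with only `# nosound` below it, while the `# private-bin` and `# private-etc` lines it refers to are above it. The same heading appears in the virtualbox, vivaldi, vlc, warzone2100, weechat, wire and wireshark hunks; in wire it is placed over a still-valid usage note about `/opt/Wire/wire`, and in vlc it separates `# memory-deny-write-execute - breaks playing videos` from the option block it qualifies. I would either move each comment back next to its directive or replace the heading with something like `# Options left disabled (see notes below):` so the section reads as intentional.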
@@ -1,18 +1,15 @@ +# Firejail profile for unrar +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/unrar.local - -# unrar profile -ignore noroot -include /etc/firejail/default.profile +# Persistent global definitions +include /etc/firejail/globals.local blacklist /tmp/.X11-unix hostname unrar +ignore noroot net none no3d nosound @@ -23,3 +20,5 @@ private-bin unrar private-dev private-etc passwd,group,localtime private-tmp + +include /etc/firejail/default.profile diff --git a/etc/unzip.profile b/etc/unzip.profile index 130e57ae9..6556b4f56 100644 --- a/etc/unzip.profile +++ b/etc/unzip.profile @@ -1,17 +1,15 @@ +# Firejail profile for unzip +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/unzip.local +# Persistent global definitions +include /etc/firejail/globals.local -# unzip profile -ignore noroot -include /etc/firejail/default.profile blacklist /tmp/.X11-unix hostname unzip +ignore noroot net none no3d nosound @@ -21,3 +19,5 @@ tracelog private-bin unzip private-dev private-etc passwd,group,localtime + +include /etc/firejail/default.profile diff --git a/etc/uudeview.profile b/etc/uudeview.profile index 46f28179b..22457bf2c 100644 --- a/etc/uudeview.profile +++ b/etc/uudeview.profile 
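Review bot: Moving `include /etc/firejail/default.profile` to the bottom of unrar (and likewise unzip and uudeview in the following hunks) makes the profile depend on `ignore noroot` staying above that include, since to my understanding `ignore` only suppresses directives parsed after it; nothing in the file records that constraint. A short comment above the moved include, `# must stay below 'ignore noroot'`, would stop a later alphabetical sort from reintroducing noroot. It is also worth confirming that the profile's own `private-etc passwd,group,localtime` is not overridden by anything default.profile now pulls in after it.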
@@ -1,17 +1,14 @@ +# Firejail profile for uudeview +# This file is overwritten after every install/update quiet -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Persistent local customizations include /etc/firejail/uudeview.local - -# uudeview profile -ignore noroot -include /etc/firejail/default.profile +# Persistent global definitions +include /etc/firejail/globals.local hostname uudeview +ignore noroot net none nosound shell none @@ -20,3 +17,5 @@ tracelog private-bin uudeview private-dev private-etc ld.so.preload + +include /etc/firejail/default.profile diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile index 4ab4ce0f4..caae3659e 100644 --- a/etc/uzbl-browser.profile +++ b/etc/uzbl-browser.profile @@ -1,17 +1,27 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/uzbl-browser.local - # Firejail profile for uzbl-browser +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/uzbl-browser.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ~/.config/uzbl noblacklist ~/.gnupg + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.config/uzbl +mkdir ~/.gnupg +mkdir ~/.local/share/uzbl +mkdir ~/.password-store +whitelist ${DOWNLOADS} +whitelist ~/.config/uzbl +whitelist ~/.gnupg +whitelist ~/.local/share/uzbl +whitelist ~/.password-store +include /etc/firejail/whitelist-common.inc caps.drop all netfilter 
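Review bot: The reordered whitelist block in uzbl-browser now grants the browser sandbox `~/.gnupg` and `~/.password-store` with no indication of why; these entries existed before in a separate group, and sorting them alphabetically among the cache/config paths hides that they expose signing keys and a password store to a process rendering untrusted web content. A comment on those two lines naming the uzbl feature that needs them (presumably a password-manager helper script — confirm) would let the next reader judge whether the exposure is still wanted. The removal of the old block is in the next hunk.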
@@ -20,17 +30,3 @@ noroot protocol unix,inet,inet6 seccomp tracelog - -mkdir ~/.config/uzbl -whitelist ~/.config/uzbl -mkdir ~/.local/share/uzbl -whitelist ~/.local/share/uzbl - -whitelist ${DOWNLOADS} - -mkdir ~/.gnupg -whitelist ~/.gnupg -mkdir ~/.password-store -whitelist ~/.password-store - -include /etc/firejail/whitelist-common.inc diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 20f738d42..9235d149c 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile @@ -1,22 +1,21 @@ -# Persistent global definitions go here +# Firejail profile for viewnior +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/viewnior.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/viewnior.local +blacklist ~/.Xauthority +blacklist ~/.bashrc -# Firejail profile for viewnior -noblacklist ~/.config/viewnior noblacklist ~/.Steam +noblacklist ~/.config/viewnior noblacklist ~/.steam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc - -blacklist ~/.bashrc -blacklist ~/.Xauthority +include /etc/firejail/disable-programs.inc caps.drop all net none diff --git a/etc/viking.profile b/etc/viking.profile index e34bdc3f7..aa26388f8 100644 --- a/etc/viking.profile +++ b/etc/viking.profile 
@@ -1,22 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/viking.local - # Firejail profile for viking +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/viking.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ${HOME}/.viking noblacklist ${HOME}/.viking-maps include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc -include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups diff --git a/etc/vim.profile b/etc/vim.profile index abe86e375..815676da8 100644 --- a/etc/vim.profile +++ b/etc/vim.profile @@ -1,18 +1,17 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for vim +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/vim.local +# Persistent global definitions +include /etc/firejail/globals.local -# vim profile noblacklist ~/.vim -noblacklist ~/.vimrc noblacklist ~/.viminfo +noblacklist ~/.vimrc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index 374c73da2..ca7987932 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile 
@@ -1,27 +1,28 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for virtualbox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/virtualbox.local +# Persistent global definitions +include /etc/firejail/globals.local -# virtualbox profile noblacklist ${HOME}/.VirtualBox -noblacklist ${HOME}/VirtualBox VMs noblacklist ${HOME}/.config/VirtualBox - -mkdir ~/VirtualBox VMs -whitelist ~/VirtualBox VMs -mkdir ~/.config/VirtualBox -whitelist ~/.config/VirtualBox - -# noblacklist /usr/bin/virtualbox +noblacklist ${HOME}/VirtualBox VMs noblacklist /usr/lib/virtualbox noblacklist /usr/lib64/virtualbox + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ~/.config/VirtualBox +mkdir ~/VirtualBox VMs +whitelist ~/.config/VirtualBox +whitelist ~/VirtualBox VMs include /etc/firejail/whitelist-common.inc caps.drop all netfilter + +# CLOBBERED COMMENTS +# noblacklist /usr/bin/virtualbox diff --git a/etc/vivaldi-beta.profile b/etc/vivaldi-beta.profile index f2c2f4cc0..4fa8a877c 100644 --- a/etc/vivaldi-beta.profile +++ b/etc/vivaldi-beta.profile @@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for vivaldi +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/vivaldi-beta.local -# Vivaldi Beta browser profile include /etc/firejail/vivaldi.profile diff --git a/etc/vivaldi-stable.profile b/etc/vivaldi-stable.profile index 9b2ccd4f3..4fa8a877c 100644 --- a/etc/vivaldi-stable.profile +++ b/etc/vivaldi-stable.profile 
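Review bot: vivaldi-beta.profile no longer reads `/etc/firejail/vivaldi-beta.local`; after this change only vivaldi.local (via the included vivaldi.profile) is consulted, so any customizations a user placed in vivaldi-beta.local are silently dropped. The same happens in the vivaldi-stable, weechat-curses, wireshark-gtk and wireshark-qt alias hunks. If the alias-specific .local files are meant to go away, the commit message should say so; otherwise keep `include /etc/firejail/vivaldi-beta.local` (and its counterparts) in the alias profiles.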
@@ -1,8 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for vivaldi +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/vivaldi.local include /etc/firejail/vivaldi.profile diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index fab620499..1b63f1573 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -1,36 +1,34 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for vivaldi +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/vivaldi.local +# Persistent global definitions +include /etc/firejail/globals.local -# Vivaldi browser profile noblacklist ~/.cache/vivaldi - -# Vivaldi browser profile noblacklist ~/.config/vivaldi + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc - -whitelist ${DOWNLOADS} -mkdir ~/.config/vivaldi -whitelist ~/.config/vivaldi mkdir ~/.cache/vivaldi +mkdir ~/.config/vivaldi +whitelist ${DOWNLOADS} whitelist ~/.cache/vivaldi +whitelist ~/.config/vivaldi include /etc/firejail/whitelist-common.inc caps.keep sys_chroot,sys_admin -#ipc-namespace netfilter nogroups shell none private-dev -#private-tmp - problems with multiple browser sessions -#disable-mnt +# private-tmp - problems with multiple browser sessions noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# disable-mnt diff --git a/etc/vlc.profile b/etc/vlc.profile index 6ae8b0d15..c95f6f048 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile 
@@ -1,22 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for vlc +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/vlc.local +# Persistent global definitions +include /etc/firejail/globals.local -# VLC media player profile noblacklist ${HOME}/.config/vlc include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter -# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink @@ -27,6 +24,9 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev private-tmp -# memory-deny-write-execute - breaks playing videos noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# memory-deny-write-execute - breaks playing videos +# nogroups diff --git a/etc/vym.profile b/etc/vym.profile index d3058fa64..f769dda16 100644 --- a/etc/vym.profile +++ b/etc/vym.profile @@ -1,9 +1,9 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for vym +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/vym.local +# Persistent global definitions +include /etc/firejail/globals.local noblacklist ./.config/InSilmaril @@ -24,9 +24,9 @@ protocol unix seccomp shell none +disable-mnt private-dev private-tmp -disable-mnt noexec ${HOME} noexec /tmp diff --git a/etc/w3m.profile b/etc/w3m.profile index 6f7957992..fc5ee2bad 100644 --- a/etc/w3m.profile +++ b/etc/w3m.profile 
@@ -1,33 +1,32 @@ -# Persistent global definitions go here +# Firejail profile for w3m +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/w3m.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/w3m.local +blacklist /tmp/.X11-unix -# w3m profile noblacklist ~/.w3m include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all +netfilter +no3d nogroups nonewprivs noroot nosound -no3d protocol unix,inet,inet6 seccomp -netfilter shell none tracelog -blacklist /tmp/.X11-unix - # private-bin w3m -private-tmp private-dev private-etc none +private-tmp diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 767824d8d..157fe3e81 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -1,24 +1,21 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for warzone2100 +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/warzone2100.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for warzone2100 noblacklist ~/.warzone2100-3.* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -# Whitelist -#mkdir ~/.warzone2100-3.1 whitelist ~/.warzone2100-3.1 -#mkdir ~/.warzone2100-3.2 whitelist ~/.warzone2100-3.2 +include /etc/firejail/whitelist-common.inc -# Call these options caps.drop all netfilter nogroups 
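Review bot: The warzone2100 hunk adds `include /etc/firejail/whitelist-common.inc`, which the old profile did not have; that changes the sandbox's filesystem view in a commit presented as reordering, and the description does not mention it. If it fixes a missing include (a whitelist-only profile without it is unusual), a line in the commit message would help; if the unifying script added it, it should be double-checked against the other whitelist profiles. The hunk ends at `nogroups`; the rest of the file is in the next hunk.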
@@ -29,7 +26,12 @@ seccomp shell none tracelog +disable-mnt private-bin warzone2100 private-dev private-tmp -disable-mnt + +# CLOBBERED COMMENTS +# Call these options +# mkdir ~/.warzone2100-3.1 +# mkdir ~/.warzone2100-3.2 diff --git a/etc/waterfox.profile b/etc/waterfox.profile index ff2ede8f9..893d45719 100644 --- a/etc/waterfox.profile +++ b/etc/waterfox.profile 
@@ -1,75 +1,69 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for waterfox +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/waterfox.local +# Persistent global definitions +include /etc/firejail/globals.local -# Firejail profile for Waterfox (based on Mozilla Firefox) -noblacklist ~/.mozilla noblacklist ~/.cache/mozilla +noblacklist ~/.config/okularpartrc +noblacklist ~/.config/okularrc noblacklist ~/.config/qpdfview -noblacklist ~/.local/share/qpdfview -noblacklist ~/.kde4/share/apps/okular noblacklist ~/.kde/share/apps/okular +noblacklist ~/.kde4/share/apps/okular noblacklist ~/.local/share/okular -noblacklist ~/.config/okularpartrc -noblacklist ~/.config/okularrc +noblacklist ~/.local/share/qpdfview +noblacklist ~/.mozilla noblacklist ~/.pki include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc -caps.drop all -# ipc-namespace crashes waterfox on some setups -netfilter -nogroups -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -shell none -tracelog - -whitelist ${DOWNLOADS} -mkdir ~/.mozilla -whitelist ~/.mozilla mkdir ~/.cache/mozilla/firefox +mkdir ~/.mozilla +mkdir ~/.pki +whitelist ${DOWNLOADS} +whitelist ~/.cache/gnome-mplayer/plugin whitelist ~/.cache/mozilla/firefox -whitelist ~/dwhelper -whitelist ~/.zotero -whitelist ~/.vimperatorrc -whitelist ~/.vimperator -whitelist ~/.pentadactylrc -whitelist ~/.pentadactyl -whitelist ~/.keysnail.js whitelist ~/.config/gnome-mplayer -whitelist ~/.cache/gnome-mplayer/plugin -mkdir ~/.pki -whitelist ~/.pki -whitelist ~/.lastpass -whitelist ~/.config/qpdfview -whitelist ~/.local/share/qpdfview -whitelist ~/.config/okularrc whitelist ~/.config/okularpartrc -whitelist 
~/.kde4/share/apps/okular +whitelist ~/.config/okularrc +whitelist ~/.config/pipelight-silverlight5.1 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/qpdfview whitelist ~/.kde/share/apps/okular +whitelist ~/.kde4/share/apps/okular +whitelist ~/.keysnail.js +whitelist ~/.lastpass whitelist ~/.local/share/okular - -# silverlight +whitelist ~/.local/share/qpdfview +whitelist ~/.mozilla +whitelist ~/.pentadactyl +whitelist ~/.pentadactylrc +whitelist ~/.pki +whitelist ~/.vimperator +whitelist ~/.vimperatorrc whitelist ~/.wine-pipelight whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine -whitelist ~/.config/pipelight-silverlight5.1 - +whitelist ~/.zotero +whitelist ~/dwhelper include /etc/firejail/whitelist-common.inc -# experimental features -#private-bin waterfox,which,sh,dbus-launch,dbus-send,env -#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse -# private-dev might prevent video calls going out +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +# private-bin waterfox,which,sh,dbus-launch,dbus-send,env private-dev +# private-dev might prevent video calls going out +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,waterfox,mime.types,mailcap,asound.conf,pulse private-tmp noexec ${HOME} diff --git a/etc/weechat-curses.profile b/etc/weechat-curses.profile index 32038f99f..2d3f6c963 100644 --- a/etc/weechat-curses.profile +++ b/etc/weechat-curses.profile 
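Review bot: In the reordered waterfox tail, `# private-dev might prevent video calls going out` now follows the `private-dev` directive and sits directly above `# private-etc ...`, so it reads as a caveat on private-etc rather than on private-dev; put it back on the line above `private-dev`. The reorder also drops `# ipc-namespace crashes waterfox on some setups`, the only record of why ipc-namespace is not enabled here, while other profiles in this commit keep their disabled-option notes; I would restore it as a comment near `netfilter`. This hunk begins on the previous physical line.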
@@ -1,9 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for weechat +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/weechat-curses.local -# Weechat IRC profile (Debian) include /etc/firejail/weechat.profile diff --git a/etc/weechat.profile b/etc/weechat.profile index 452823681..75a4dc4a7 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile @@ -1,12 +1,12 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for weechat +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/weechat.local +# Persistent global definitions +include /etc/firejail/globals.local -# Weechat IRC profile noblacklist ${HOME}/.weechat + include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc @@ -17,6 +17,7 @@ noroot protocol unix,inet,inet6 seccomp -# no private-bin support for various reasons: +# CLOBBERED COMMENTS # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins +# no private-bin support for various reasons: diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index a13f80bb6..9798e0ace 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile 
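Review bot: Sorting the weechat comment block under `# CLOBBERED COMMENTS` scrambles the sentence: `# no private-bin support for various reasons:` was the lead-in to `# Plugins loaded: alias, aspell, ...`, and it now comes after the list it introduces. Restore the original order, `# no private-bin support for various reasons:` first and the two plugin lines after it, and the heading becomes unnecessary.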
@@ -1,19 +1,26 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for wesnoth +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/wesnoth.local +# Persistent global definitions +include /etc/firejail/globals.local -# Whitelist-based profile for "Battle for Wesnoth" (game). -noblacklist ${HOME}/.config/wesnoth noblacklist ${HOME}/.cache/wesnoth +noblacklist ${HOME}/.config/wesnoth noblacklist ${HOME}/.local/share/wesnoth include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ${HOME}/.cache/wesnoth +mkdir ${HOME}/.config/wesnoth +mkdir ${HOME}/.local/share/wesnoth +whitelist ${HOME}/.cache/wesnoth +whitelist ${HOME}/.config/wesnoth +whitelist ${HOME}/.local/share/wesnoth +include /etc/firejail/whitelist-common.inc caps.drop all nonewprivs @@ -23,11 +30,3 @@ seccomp private-dev private-tmp - -mkdir ${HOME}/.local/share/wesnoth -mkdir ${HOME}/.config/wesnoth -mkdir ${HOME}/.cache/wesnoth -whitelist ${HOME}/.local/share/wesnoth -whitelist ${HOME}/.config/wesnoth -whitelist ${HOME}/.cache/wesnoth -include /etc/firejail/whitelist-common.inc diff --git a/etc/wget.profile b/etc/wget.profile index 1b09eac26..7ab24aa8f 100644 --- a/etc/wget.profile +++ b/etc/wget.profile 
@@ -1,19 +1,20 @@ +# Firejail profile for wget +# This file is overwritten after every install/update quiet -# Persistent global definitions go here +# Persistent local customizations +include /etc/firejail/wget.local +# Persistent global definitions include /etc/firejail/globals.local -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/wget.local +blacklist /tmp/.X11-unix -# wget profile noblacklist ~/.wgetrc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -#ipc-namespace netfilter no3d nogroups @@ -25,8 +26,6 @@ protocol unix,inet,inet6 seccomp shell none -blacklist /tmp/.X11-unix - # private-bin wget private-dev # private-etc resolv.conf diff --git a/etc/wine.profile b/etc/wine.profile index 5ee8bae38..00eea2b7c 100644 --- a/etc/wine.profile +++ b/etc/wine.profile @@ -1,20 +1,19 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for wine +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/wine.local +# Persistent global definitions +include /etc/firejail/globals.local -# wine profile noblacklist ${HOME}/.Steam -noblacklist ${HOME}/.steam noblacklist ${HOME}/.local/share/Steam noblacklist ${HOME}/.local/share/steam +noblacklist ${HOME}/.steam noblacklist ${HOME}/.wine include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter diff --git a/etc/wire.profile b/etc/wire.profile index 71147ebc1..f20dfe8e2 100644 --- a/etc/wire.profile +++ b/etc/wire.profile 
@@ -1,31 +1,31 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for wire +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/wire.local +# Persistent global definitions +include /etc/firejail/globals.local -# wire messenger profile noblacklist ~/.config/Wire noblacklist ~/.config/wire include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter -nonewprivs nogroups +nonewprivs noroot protocol unix,inet,inet6,netlink seccomp shell none -private-tmp -private-dev disable-mnt +private-dev +private-tmp +# CLOBBERED COMMENTS # Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. # To use wire with firejail run "firejail /opt/Wire/wire" diff --git a/etc/wireshark-gtk.profile b/etc/wireshark-gtk.profile index 5cc2ae2a1..35a76a978 100644 --- a/etc/wireshark-gtk.profile +++ b/etc/wireshark-gtk.profile @@ -1,8 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for wireshark +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/wireshark-gtk.local include /etc/firejail/wireshark.profile diff --git a/etc/wireshark-qt.profile b/etc/wireshark-qt.profile index f6f26a6b3..35a76a978 100644 --- a/etc/wireshark-qt.profile +++ b/etc/wireshark-qt.profile 
@@ -1,8 +1,5 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local +# Firejail profile alias for wireshark +# This file is overwritten after every install/update -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. -include /etc/firejail/wireshark-qt.local include /etc/firejail/wireshark.profile diff --git a/etc/wireshark.profile b/etc/wireshark.profile index d5f3b8c4b..0c4bc8029 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile 
@@ -1,39 +1,35 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for wireshark
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/wireshark.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for
 noblacklist ${HOME}/.config/wireshark
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-#
-# The profile allows users to run wireshark as root
-#
-#caps.drop all
-#noroot
-#protocol unix,inet,inet6,netlink
-
-#ipc-namespace
 netfilter
 no3d
 # nogroups - breaks unprivileged wireshark usage
 # nonewprivs - breaks unprivileged wireshark usage
 nosound
 # seccomp - breaks unprivileged wireshark usage
 shell none
 tracelog
-#private-bin wireshark
-# private-etc fonts,group,hosts,machine-id,passwd
+# private-bin wireshark
 private-dev
+# private-etc fonts,group,hosts,machine-id,passwd
 private-tmp
 noexec ${HOME}
 noexec /tmp
+
+# CLOBBERED COMMENTS
+# caps.drop all
+# nogroups - breaks unprivileged wireshark usage
+# nonewprivs - breaks unprivileged wireshark usage
+# noroot
+# protocol unix,inet,inet6,netlink
+# seccomp - breaks unprivileged wireshark usage
diff --git a/etc/xchat.profile b/etc/xchat.profile
index efed5c995..795e7ecd6 100644
--- a/etc/xchat.profile
+++ b/etc/xchat.profile
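Review bot: The rationale comment `# The profile allows users to run wireshark as root` is removed, while the hardening it explained (caps.drop all, noroot, protocol, seccomp) is re-added only as commented-out lines under the generic heading `# CLOBBERED COMMENTS`; the next maintainer now sees a profile that runs wireshark without capability dropping, noroot or seccomp and no longer sees why. The `# nogroups - breaks unprivileged wireshark usage`, `# nonewprivs ...` and `# seccomp ...` comments also appear twice after this hunk, once in place and once in the clobbered block. I would keep the explanation in front of the disabled options, e.g. `# caps.drop all, noroot, protocol and seccomp are left disabled so wireshark can be run as root`, and drop the duplicated lines.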
@@ -1,16 +1,15 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xchat
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xchat.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# XChat IRC profile
 noblacklist ${HOME}/.config/xchat
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nonewprivs
diff --git a/etc/xed.profile b/etc/xed.profile
index 1b5fdd57a..17d0ad9d9 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xed
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xed.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for Xed
 noblacklist ${HOME}/.config/xed
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index 7bfeba2b1..dbacf6462 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -1,17 +1,16 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xfburn
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xfburn.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# xfburn profile
 noblacklist ~/.config/xfburn
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
@@ -25,6 +24,6 @@ shell none
 tracelog
 # private-bin xfburn
-# private-tmp
 # private-dev
 # private-etc fonts
+# private-tmp
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index 08ae17a55..26f65ee1c 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -1,9 +1,9 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xfce4-dict
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xfce4-dict.local
+# Persistent global definitions
+include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/xfce4-dict
@@ -24,9 +24,9 @@ protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index e3215d6ea..6f026c2e7 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -1,12 +1,12 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xfce4-notes
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xfce4-notes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc
+noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc
 noblacklist ${HOME}/.local/share/notes
 include /etc/firejail/disable-common.inc
@@ -26,9 +26,9 @@ protocol unix
 seccomp
 shell none
+disable-mnt
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index f3171cd8d..eb894d8b5 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -1,11 +1,13 @@
-# Persistent global definitions go here
+# Firejail profile for xiphos
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/xiphos.local
+# Persistent global definitions
 include /etc/firejail/globals.local
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/xiphos.local
+blacklist ~/.Xauthority
+blacklist ~/.bashrc
-# Firejail profile for xiphos
 noblacklist ~/.sword
 noblacklist ~/.xiphos
@@ -14,8 +16,9 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-blacklist ~/.bashrc
-blacklist ~/.Xauthority
+whitelist ${HOME}/.sword
+whitelist ${HOME}/.xiphos
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
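Review bot: `include /etc/firejail/whitelist-common.inc` is new in xiphos.profile (the old file only carried the two whitelist lines), so this hunk changes what the sandbox sees of the home directory rather than just reordering directives; zoom.profile gains the same new include. Since the commit title only promises unification, the intent should be stated in the commit message. The `blacklist ~/.Xauthority` line now sits above the whitelist block; if whitelist-common.inc whitelists that same path, the effective result depends on how firejail resolves a blacklist followed by a whitelist of one entry, which is worth confirming, and if the blacklist is meant to win a note such as `# keep ~/.Xauthority blacklisted even though whitelist-common.inc is included` would record that.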
@@ -29,9 +32,6 @@ shell none
 tracelog
 private-bin xiphos
-private-etc fonts,resolv.conf,sword
 private-dev
+private-etc fonts,resolv.conf,sword
 private-tmp
-
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.xiphos
diff --git a/etc/xmms.profile b/etc/xmms.profile
index 5b99924bc..d2cf00a36 100644
--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -1,26 +1,25 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xmms
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xmms.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for XMMS
 noblacklist ${HOME}/.xmms
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
+no3d
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
 shell none
-no3d
 private-bin xmms
 private-dev
diff --git a/etc/xonotic-glx.profile b/etc/xonotic-glx.profile
index f5f802158..8be8b2d7b 100644
--- a/etc/xonotic-glx.profile
+++ b/etc/xonotic-glx.profile
@@ -1,12 +1,5 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/xonotic-glx.local
-
-#
-#Profile for xonotic:xonotic-glx
-#
 include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic-sdl.profile b/etc/xonotic-sdl.profile
index 85c48151b..8be8b2d7b 100644
--- a/etc/xonotic-sdl.profile
+++ b/etc/xonotic-sdl.profile
@@ -1,12 +1,5 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/xonotic-sdl.local
-
-#
-#Profile for xonotic:xonotic-sdl
-#
 include /etc/firejail/xonotic.profile
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 957636124..95a2a2dbd 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -1,31 +1,22 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xonotic
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xonotic.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-#
-#Profile for xonotic
-#
-
-#No Blacklist Paths
 noblacklist ${HOME}/.xonotic
-#Blacklist Paths
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
-#Whitelist Paths
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
 include /etc/firejail/whitelist-common.inc
-#Options
 caps.drop all
-#ipc-namespace
 netfilter
 nogroups
 nonewprivs
@@ -35,10 +26,10 @@ protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin xonotic-sdl,xonotic-glx,blind-id
 private-dev
 private-tmp
-disable-mnt
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index ce8cd2459..be69ebe1a 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
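Review bot: `#ipc-namespace` is deleted outright in xonotic.profile, whereas the same kind of commented-out option is preserved in wireshark.profile under `# CLOBBERED COMMENTS` and left in place in xfburn.profile, so the series treats disabled options three different ways. Pick one treatment: if the hint is meant to survive, keep `#ipc-namespace` next to `netfilter`; if it is meant to go, say so in the commit message so the drop is not read as an accident.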
@@ -1,13 +1,10 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xpdf
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xpdf.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-################################
-# xpdf application profile
-################################
 noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 0b6acf9d2..afa3deac6 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -1,18 +1,17 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xplayer
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xplayer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Xplayer profile
 noblacklist ~/.config/xplayer
 noblacklist ~/.local/share/xplayer
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 netfilter
diff --git a/etc/xreader.profile b/etc/xreader.profile
index ec7488ed8..2abe569c5 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -1,19 +1,18 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xreader
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xreader.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Xreader profile
+noblacklist ~/.cache/xreader
 noblacklist ~/.config/xreader
 noblacklist ~/.local/share
-noblacklist ~/.cache/xreader
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 906bcb814..7c9886b29 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,20 +1,19 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for xviewer
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/xviewer.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# xviewer profile
-noblacklist ~/.config/xviewer
 noblacklist ~/.Steam
-noblacklist ~/.steam
+noblacklist ~/.config/xviewer
 noblacklist ~/.local/share/Trash
+noblacklist ~/.steam
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 nogroups
@@ -26,8 +25,8 @@ seccomp
 shell none
 tracelog
-private-dev
 private-bin xviewer
+private-dev
 private-tmp
 noexec ${HOME}
diff --git a/etc/xz.profile b/etc/xz.profile
index a3c1ab3ca..b552f59c0 100644
--- a/etc/xz.profile
+++ b/etc/xz.profile
@@ -1,10 +1,5 @@
-quiet
-# Persistent global definitions go here
-include /etc/firejail/globals.local
+# Firejail profile alias for cpio
+# This file is overwritten after every install/update
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
-include /etc/firejail/xz.local
-# xz profile
 include /etc/firejail/cpio.profile
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 2a84bf0ee..0d5b8dda6 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -1,17 +1,14 @@
+# Firejail profile for xzdec
+# This file is overwritten after every install/update
 quiet
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Persistent local customizations
 include /etc/firejail/xzdec.local
-
-# xzdec profile
-ignore noroot
-include /etc/firejail/default.profile
+# Persistent global definitions
+include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
+ignore noroot
 net none
 no3d
 nosound
@@ -19,3 +16,5 @@ shell none
 tracelog
 private-dev
+
+include /etc/firejail/default.profile
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index a58617ddf..fea7284c8 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
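Review bot: Moving `include /etc/firejail/default.profile` from the top of xzdec.profile to the very end changes when the default profile's directives are read relative to the profile's own lines and to xzdec.local, which the commit title does not announce; it also leaves `ignore noroot` sitting among the network and device directives, where its connection to the include it suppresses is no longer obvious. I would annotate both ends: `# ignore must precede the include whose directive it suppresses` above `ignore noroot`, and `# default.profile is included last on purpose` above the include, assuming firejail applies ignore only to lines read after it (worth confirming). In the xz.profile alias in the same hunk set, `quiet` is dropped together with the old header; if cpio.profile does not carry `quiet` itself, xz becomes noisier than before.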
@@ -1,18 +1,17 @@
+# Firejail profile for youtube-dl
+# This file is overwritten after every install/update
 quiet
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Persistent local customizations
 include /etc/firejail/youtube-dl.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for youtube-dl
 noblacklist ${HOME}/.netrc
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 502e066c8..0552f85a9 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -1,17 +1,17 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for zathura
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/zathura.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# zathura document viewer profile
 noblacklist ~/.config/zathura
 noblacklist ~/.local/share/zathura
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
@@ -19,14 +19,13 @@ nogroups
 nonewprivs
 noroot
 nosound
-shell none
-seccomp
 protocol unix
+seccomp
+shell none
 private-bin zathura
 private-dev
 private-etc fonts
 private-tmp
-
 read-only ~/
 read-write ~/.local/share/zathura/
diff --git a/etc/zoom.profile b/etc/zoom.profile
index bf71aa5ce..4ef756d9f 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -1,23 +1,20 @@
-# Persistent global definitions go here
-include /etc/firejail/globals.local
-
-# This file is overwritten during software install.
-# Persistent customizations should go in a .local file.
+# Firejail profile for zoom
+# This file is overwritten after every install/update
+# Persistent local customizations
 include /etc/firejail/zoom.local
+# Persistent global definitions
+include /etc/firejail/globals.local
-# Firejail profile for zoom.us
 noblacklist ~/.config/zoomus.conf
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-
-
-# Whitelists
+include /etc/firejail/disable-programs.inc
 mkdir ~/.zoom
-whitelist ~/.zoom
 whitelist ~/.cache/zoom
+whitelist ~/.zoom
+include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
-- cgit v1.2.3-54-g00ecf