From bc257b6a4cdd0d335d744a0e70d06cef0c81ea26 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 24 Apr 2017 20:39:23 -0400 Subject: added akregator, kcalc and ktorrent profiles --- README.md | 2 +- etc/akregator.profile | 30 ++++ etc/disable-programs.inc | 4 + etc/kcalc.profile | 29 ++++ etc/ktorrent.profile | 30 ++++ platform/debian/conffiles | 3 + src/firecfg/firecfg.config | 356 +++++++++++++++++++++------------------------ 7 files changed, 264 insertions(+), 190 deletions(-) create mode 100644 etc/akregator.profile create mode 100644 etc/kcalc.profile create mode 100644 etc/ktorrent.profile diff --git a/README.md b/README.md index 5a0be0a7b..06f7c1c6f 100644 --- a/README.md +++ b/README.md @@ -196,4 +196,4 @@ simple-scan, skanlite, ssh-agent, tracker, transmission-cli, transmission-show, xed, pluma, Cryptocat, Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5, PDFSam, Pithos, Xonotic, wireshark, keepassx2, QupZilla, FossaMail, Uzbl browser, xmms, iridium browser, Kino, Thunar, Geeqie, Engrampa, Scribus, mousepad, gpicview, keepassxc, cvlc, MediathekView, baloo_file, -Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino +Nylas, dino, BibleTime, viewnior, Kodi, viking, youtube-dl, meld, Arduino, akregator, kcalc, ktorrent diff --git a/etc/akregator.profile b/etc/akregator.profile new file mode 100644 index 000000000..c99153450 --- /dev/null +++ b/etc/akregator.profile 
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/akregator.local
+
+################################
+# Generic GUI application profile
+################################
+noblacklist ${HOME}/.config/akregatorrc
+noblacklist ${HOME}/.local/share/akregator
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 32adac298..fbe614b0d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -21,6 +21,7 @@ blacklist ${HOME}/.bcast5
 blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.config/akregatorrc
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Brackets
@@ -179,6 +180,7 @@ blacklist ${HOME}/.kde4/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde4/share/config/konquerorrc
 blacklist ${HOME}/.kde4/share/config/okularpartrc
 blacklist ${HOME}/.kde4/share/config/okularrc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
 blacklist ${HOME}/.kde/share/apps/gwenview
 blacklist ${HOME}/.kde/share/apps/kcookiejar
 blacklist ${HOME}/.kde/share/apps/khtml
@@ -196,6 +198,7 @@ blacklist ${HOME}/.kde/share/config/konqsidebartngrc
 blacklist ${HOME}/.kde/share/config/konquerorrc
 blacklist ${HOME}/.kde/share/config/okularpartrc
 blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/ktorrentrc
 blacklist ${HOME}/.killingfloor
 blacklist ${HOME}/.kino-history
 blacklist ${HOME}/.kinorc
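Review bot: Every optional hardening directive at the end of akregator.profile (`nogroups`, `shell none`, `private-dev`, `private-tmp`) is left commented out, so a feed reader that fetches and renders remote content runs with only the baseline `caps.drop all`, `nonewprivs`, `noroot` and `seccomp` restrictions plus the included blacklists. ktorrent.profile in this same commit enables `nogroups`, `shell none` and `private-dev`; unless akregator is known to break with them, I would enable the same three here. The two `noblacklist` lines cover only `${HOME}/.config/akregatorrc` and `${HOME}/.local/share/akregator`; whether older builds keep their data under `.kde` or `.kde4` is not visible from this hunk and should be checked. Minor: the trailing comment should read `# depending on your usage, you can enable some of the commands below:`.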
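Review bot: The new ktorrent entries blacklist only the `ktorrentrc` file under `.kde/share/config` and `.kde4/share/config`, while the akregator entries (the `@@ -21,6 +21,7 @@` hunk and the later `@@ -207,6 +210,7 @@` hunk) cover only the `.config` and `.local/share` locations, so each application is protected for one directory layout only. If either program is installed in a build that uses the other layout, or keeps per-user state outside the listed paths, those files stay readable from every other sandbox that includes this file; the real locations are not visible in this diff and should be confirmed on an installed system. As a style point, `ktorrentrc` is appended after `okularrc` in both KDE hunks, although the neighbouring entries are sorted and it belongs between `konquerorrc` and `okularpartrc`.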
@@ -207,6 +210,7 @@ blacklist ${HOME}/.local/.share/maps-places.json
 blacklist ${HOME}/.local/lib/python2.7/site-packages
 blacklist ${HOME}/.local/share/0ad
 blacklist ${HOME}/.local/share/3909/PapersPlease
+blacklist ${HOME}/.local/share/akregator
 blacklist ${HOME}/.local/share/Empathy
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/QuiteRss
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
new file mode 100644
index 000000000..88f84fdf6
--- /dev/null
+++ b/etc/kcalc.profile
@@ -0,0 +1,29 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/kcalc.local
+
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+private
+nogroups
+shell none
+# private-bin program
+# private-etc none
+private-dev
+private-tmp
+
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
new file mode 100644
index 000000000..f1a5d995d
--- /dev/null
+++ b/etc/ktorrent.profile
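Review bot: kcalc.profile keeps `netfilter` and `protocol unix,inet,inet6` from the generic template, so a calculator that is otherwise locked down with `private`, `private-dev` and `private-tmp` can still open IPv4 and IPv6 sockets. Unless kcalc has a network feature that is not apparent from this diff, replace those two lines with `net none` and `protocol unix`, and check that the desktop session bus still works afterwards. The comment `# depending on you usage, you can enable some of the commands below:` is also stale in this file, since most of the commands under it are already enabled; reword it or drop it.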
@@ -0,0 +1,30 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/ktorrent.local
+
+################################
+# Generic GUI application profile
+################################
+blacklist ${HOME}/.kde/share/config/ktorrentrc
+blacklist ${HOME}/.kde4/share/config/ktorrentrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+#
+# depending on you usage, you can enable some of the commands below:
+#
+nogroups
+shell none
+# private-bin program
+# private-etc none
+private-dev
+# private-tmp
+
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index 011f52657..4169184df 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -268,3 +268,6 @@
 /etc/firejail/engrampa.profile
 /etc/firejail/scribus.profile
 /etc/firejail/mediathekview.profile
+/etc/firejail/akregator.profile
+/etc/firejail/kcalc.profile
+/etc/firejail/ktorrent.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 21c9ceec1..2569c36ef 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
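Review bot: The two `blacklist` lines at the top of ktorrent.profile deny ktorrent access to its own configuration file, where akregator.profile in this commit uses `noblacklist` for the equivalent entries; the same two paths are also blacklisted by the `disable-programs.inc` that is included right after. They should read `noblacklist ${HOME}/.kde/share/config/ktorrentrc` and `noblacklist ${HOME}/.kde4/share/config/ktorrentrc`. Separately, a BitTorrent client parses data from untrusted peers, yet `private-tmp` stays commented out and nothing restricts the home directory beyond the included blacklists; a comment stating which download directory the profile is meant to allow would make a later `whitelist` tightening easier to review.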
@@ -1,245 +1,223 @@ # /usr/lib/firejail/firecfg.config - firecfg utility configuration file -# This is the list of programs handled by firecfg utility +# This is the list of programs in alfabetical order handled by firecfg utility # - -# astronomy -gpredict -stellarium - -# bittorrent/ftp -deluge -dropbox -filezilla -qbittorrent -rtorrent -transmission-gtk -transmission-qt -transmission-cli -transmission-show -uget-gtk -youtube-dl - -# browsers/email -abrowser -brave -chromium -chromium-browser -claws-mail -conkeror -cyberfox -firefox -firefox-esr -flashpeak-slimjet -epiphany -dillo -google-chrome -google-chrome-beta -google-chrome-stable -google-chrome-unstable -iceweasel -icecat -icedove -inox -iridium -iridium-browser -kmail -midori -mutt -netsurf -nylas -opera-beta -opera -palemoon -qutebrowser -start-tor-browser -seamonkey -seamonkey-bin -thunderbird -vivaldi -vivaldi-beta -vivaldi-stable -evolution -elinks -lynx -w3m - -# chat/messaging -bitlbee -corebird -# Cryptocat is added but commented since isn't installed to a */bin... keep an eye on this -dino -empathy -gajim -gitter -hexchat -jitsi -konversation -mumble -pidgin -polari -psi-plus -qtox -quassel -skype -skypeforlinux -slack -telegram -weechat -weechat-curses -wire -xchat - -# dns -dnscrypt-proxy -dnsmasq -unbound - -# emulators/compatibility layers -mupen64plus -wine -dosbox -virtualbox -qemu-launcher -#qemu-system-x86_64 - -# games 0ad -gnome-2048 -gnome-chess -hedgewars -multimc5 -steam -wesnot -warzone2100 -xonotic-glx -xonotic-sdl - -# Media +abrowser +akregator amarok +arduino +ark +atom +atom-beta +atool +atril audacious audacity +aweather +baloo_file +bibletime +bitlbee bleachbit +bless brasero +brave +cherrytree +chromium +chromium-browser +claws-mail clementine cmus +conkeror +corebird +# Cryptocat is added but commented since isn't installed to a */bin... 
keep an eye on this cvlc +cyberfox deadbeef +deluge +dillo +dino display +dnscrypt-proxy +dnsmasq dolphin +dosbox dragon +dropbox +elinks +empathy +eog +eom +epiphany +evince +evolution exiftool +fbreader feh +file-roller +filezilla +firefox +firefox-esr +flashpeak-slimjet +flowblade +gajim +gedit geeqie +gimp +gitter gjs +gnome-2048 gnome-books +gnome-calculator +gnome-chess gnome-clocks -gnome-photos gnome-documents gnome-maps gnome-mplayer gnome-music +gnome-photos +gnome-weather goobox +google-chrome +google-chrome-beta +google-chrome-stable +google-chrome-unstable google-play-music-desktop-player gpicview -img2txt -k3b -kodi -lollypop -mediainfo -mediathekview -mpv -nautilus -parole -pithos -rhythmbox -simple-scan -skanlite -spotify -totem -viewnior -vlc -xfburn -xmms -xplayer -xviewer -eom - -# news readers -quiterss - -# office -atril -cherrytree -evince -fbreader -gedit -gimp +gpredict gthumb gwenview +hedgewars +hexchat highlight +icecat +icedove +iceweasel +img2txt inkscape +inox +iridium +iridium-browser +jd-gui +jitsi +k3b kate +kcalc +keepass +keepass2 +keepassx +keepassx2 +keepassxc +kmail +kodi +konversation +ktorrent libreoffice localc lodraw loffice lofromtemplate loimpress +lollypop lomath loweb lowriter luminance-hdr -mupdf -pdfsam -qpdfview -scribus -soffice -synfigstudio -Mathematica +lynx mathematica +Mathematica +mediainfo +mediathekview +meld +midori +mousepad +mpv +multimc5 +mumble +mupdf +mupen64plus +mutt +nautilus +netsurf +nylas odt2txt okular +openshot +opera +opera-beta +palemoon +parole +pdfsam pdftotext +pidgin +pithos pix -xpdf -xreader -zathura -openshot -flowblade -eog - -# other -arduino -atom -atom-beta -baloo_file -bless -bibletime -gnome-calculator -jd-gui -keepass -keepass2 -keepassx -keepassx2 -keepassxc -meld -mousepad pluma +polari +psi-plus +qbittorrent +qemu-launcher +#qemu-system-x86_64 +qpdfview +qtox +quassel +quiterss +qutebrowser ranger +rhythmbox +rtorrent +scribus +seamonkey +seamonkey-bin +simple-scan +skanlite 
+skype +skypeforlinux +slack +soffice +spectacle +spotify ssh -Thunar +start-tor-browser +steam +stellarium +synfigstudio +telegram thunar +Thunar +thunderbird +totem tracker +transmission-cli +transmission-gtk +transmission-qt +transmission-show +uget-gtk +unbound +viewnior viking +virtualbox +vivaldi +vivaldi-beta +vivaldi-stable +vlc +w3m +warzone2100 +weechat +weechat-curses +wesnot +wine +wire wireshark -xiphos +xchat xed - -# weather/climate -aweather -gnome-weather - -# compressing tools -ark -atool -file-roller +xfburn +xiphos +xmms +xonotic-glx +xonotic-sdl +xpdf +xplayer +xreader +xviewer +youtube-dl +zathura -- cgit v1.2.3-54-g00ecf
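Review bot: `spectacle` is new in this list, but unlike akregator, kcalc and ktorrent the commit adds no spectacle.profile and no conffiles entry for it; if no profile exists elsewhere in the tree (not visible here), firecfg would wrap it in a sandbox that presumably falls back to the default profile. The entry `wesnot` is carried over unchanged and looks like a misspelling of the `wesnoth` binary, in which case that game is never picked up by firecfg. With the category headers gone, the `# Cryptocat is added but commented ...` comment now sits between `corebird` and `cvlc` with no commented-out entry to refer to, and the header comment should read `alphabetical` rather than `alfabetical`.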