From 0dba38435ef92ccc01cc9ff23b69df55489ec983 Mon Sep 17 00:00:00 2001 
From: Tad
Date: Wed, 5 Jul 2017 09:40:54 -0400
Subject: Harden profiles
- Added 'disable-devel.conf' to many profiles
- Added 'disable-mnt' to many profiles
- Added 'noexec' to many profiles
- Removed 'netfilter' and 'net none' from profiles with 'protocol unix'
- Cleaned up profiles using defaults
---
 etc/0ad.profile | 3 +++
 etc/2048-qt.profile | 25 ++++++++++----------
 etc/Thunar.profile | 12 ++--------
 etc/Xephyr.profile | 1 -
 etc/Xvfb.profile | 1 -
 etc/akregator.profile | 26 +++++++++++----------
 etc/ark.profile | 1 -
 etc/atool.profile | 2 --
 etc/audacity.profile | 2 --
 etc/bitlbee.profile | 10 ++++++++
 etc/bleachbit.profile | 2 --
 etc/blender.profile | 18 ++++++--------
 etc/bless.profile | 2 --
 etc/brasero.profile | 1 -
 etc/caja.profile | 1 -
 etc/catfish.profile | 1 -
 etc/cherrytree.profile | 12 +++++++++-
 etc/clipit.profile | 24 +++++++++----------
 etc/darktable.profile | 19 ++++++++-------
 etc/dia.profile | 19 ++++++++-------
 etc/display.profile | 2 --
 etc/dolphin.profile | 1 -
 etc/dropbox.profile | 25 ++++++++++++++------
 etc/enchant.profile | 1 -
 etc/engrampa.profile | 1 -
 etc/eog.profile | 2 --
 etc/evince.profile | 2 --
 etc/exiftool.profile | 2 --
 etc/feh.profile | 2 --
 etc/file-roller.profile | 2 --
 etc/file.profile | 2 --
 etc/flowblade.profile | 10 ++++++++
 etc/fontforge.profile | 19 ++++++++-------
 etc/franz.profile | 26 ++++++++++++++-------
 etc/galculator.profile | 1 -
 etc/geany.profile | 12 ++++------
 etc/gedit.profile | 2 --
 etc/gimp.profile | 2 --
 etc/globaltime.profile | 19 ++++++++-------
 etc/gnome-books.profile | 1 -
 etc/gnome-calculator.profile | 1 +
 etc/gnome-documents.profile | 1 -
 etc/gnome-music.profile | 1 -
 etc/gnome-photos.profile | 1 -
 etc/goobox.profile | 1 -
 etc/google-play-music-desktop-player.profile | 20 ++++++++++++----
 etc/gpicview.profile | 1 -
 etc/gucharmap.profile | 33 +++++++++++++-------------
 etc/handbrake.profile | 19 +++++++--------
 etc/highlight.profile | 2 --
 etc/hugin.profile | 20 ++++++++--------
 etc/img2txt.profile | 2 --
 etc/inkscape.profile | 10 ++++----
 etc/jd-gui.profile | 2 --
 etc/kate.profile | 1 -
 etc/kcalc.profile | 25 ++++++++++----------
 etc/keepassx.profile | 1 -
 etc/keepassx2.profile | 1 -
 etc/keepassxc.profile | 2 --
 etc/kino.profile | 27 ++++++++++-----------
 etc/knotes.profile | 1 -
 etc/ktorrent.profile | 22 ++++++++--------
 etc/kwrite.profile | 1 -
 etc/leafpad.profile | 26 ++++++++++-----------
 etc/liferea.profile | 20 +++++++++++++++-
 etc/luminance-hdr.profile | 10 ++++----
 etc/lximage-qt.profile | 27 ++++++++++-----------
 etc/lxmusic.profile | 26 ++++++++++-----------
 etc/mate-calc.profile | 28 +++++++++++-----------
 etc/mate-color-select.profile | 35 ++++++++++++++--------------
 etc/mate-dictionary.profile | 25 +++++++++++--------
 etc/mediainfo.profile | 4 +---
 etc/meld.profile | 2 --
 etc/mousepad.profile | 1 -
 etc/mupdf.profile | 2 --
 etc/nautilus.profile | 2 --
 etc/nemo.profile | 16 +++++-------
 etc/odt2txt.profile | 2 --
 etc/okular.profile | 1 -
 etc/openshot.profile | 12 +++++++++-
 etc/orage.profile | 24 ++++++++++---------
 etc/pcmanfm.profile | 13 ++--------
 etc/pdfsam.profile | 2 --
 etc/pdftotext.profile | 2 --
 etc/peek.profile | 1 -
 etc/psi-plus.profile | 16 ++++++++++++-
 etc/qemu-launcher.profile | 2 ++
 etc/qemu-system-x86_64.profile | 2 ++
 etc/qlipper.profile | 28 +++++++++++-----------
 etc/ranger.profile | 4 ----
 etc/ristretto.profile | 23 +++++++++--------
 etc/skype.profile | 5 ++++
 etc/skypeforlinux.profile | 8 ++++++-
 etc/synfigstudio.profile | 15 ++++++++----
 etc/tracker.profile | 1 -
 etc/transmission-show.profile | 2 --
 etc/viewnior.profile | 1 -
 etc/vym.profile | 23 +++++++++--------
 etc/xfburn.profile | 1 -
 etc/xfce4-dict.profile | 21 ++++++++++-------
 etc/xfce4-notes.profile | 25 +++++++++++--------
 etc/xonotic.profile | 1 +
 etc/xpdf.profile | 14 ++++++++---
 etc/xpra.profile | 1 -
 etc/zathura.profile | 2 --
 105 files changed, 519 insertions(+), 468 deletions(-)
diff --git a/etc/0ad.profile b/etc/0ad.profile
index a564d0a09..9f33af806 100644
--- a/etc/0ad.profile
+++ b/etc/0ad.profile
@@ -38,3 +38,6 @@ tracelog
 private-dev
 private-tmp
 disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile
index 0dc54e675..c53cfef9d 100644
--- a/etc/2048-qt.profile
+++ b/etc/2048-qt.profile
@@ -7,24 +7,25 @@ include /etc/firejail/2048-qt.local
 noblacklist ~/.config/xiaoyong
 noblacklist ~/.config/2048-qt
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+#ipc-namespace
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/Thunar.profile b/etc/Thunar.profile
index ed8a37add..e62ce4e2d 100644
--- a/etc/Thunar.profile
+++ b/etc/Thunar.profile
@@ -16,20 +16,12 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
-nogroups
+no3d
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
 shell none
 tracelog
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
diff --git a/etc/Xephyr.profile b/etc/Xephyr.profile
index 4b14b8ad2..22c0202ee 100644
--- a/etc/Xephyr.profile
+++ b/etc/Xephyr.profile
@@ -21,7 +21,6 @@ private
 caps.drop all
 # Xephyr needs to be allowed access to the abstract Unix socket namespace.
-#net none
 nogroups
 nonewprivs
 # In noroot mode, Xephyr cannot create a socket in the real /tmp/.X11-unix.
diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile
index 46f06871c..8eba82db1 100644
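Review bot: `nosound` is dropped from 2048-qt.profile without a replacement: the trailing `-nosound` in this hunk is removed and the new block only adds `novideo`, `private-dev`, `private-tmp` and `disable-mnt`. Every other profile in this commit that removes a trailing `nosound` re-adds it next to `novideo` (clipit, darktable, gucharmap, handbrake, hugin, leafpad, lximage-qt), so this looks like an oversight rather than a decision. If the game does not need audio, restore `nosound` after `noroot`; if it does, a one-line comment saying so would keep the profile consistent with the rest of the series. Separately, the commit message says 'disable-devel.conf' while every hunk includes `/etc/firejail/disable-devel.inc`; the message should name the file that is actually included.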
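Review bot: `nogroups` is removed from Thunar.profile (the `-nogroups` line right after `-netfilter`) although the commit message only announces `netfilter`/`net none` removals, and most other profiles in this commit are gaining `nogroups`. Dropping it lets the sandboxed file manager keep its supplementary groups, which widens what it can reach on group-owned paths, so the removal deserves a reason. If Thunar genuinely needs the groups, record it inline, e.g. `# nogroups omitted: <reason>`; otherwise keep `nogroups` alongside the new `no3d`.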
--- a/etc/Xvfb.profile
+++ b/etc/Xvfb.profile
@@ -22,7 +22,6 @@ private
 caps.drop all
 # Xvfb needs to be allowed access to the abstract Unix socket namespace.
-#net none
 nogroups
 nonewprivs
 # In noroot mode, Xvfb cannot create a socket in the real /tmp/.X11-unix.
diff --git a/etc/akregator.profile b/etc/akregator.profile
index 10279890e..ed79f0e94 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -5,28 +5,30 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/akregator.local
-################################
-# Generic GUI application profile
-################################
 noblacklist ${HOME}/.config/akregatorrc
 noblacklist ${HOME}/.local/share/akregator
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+#ipc-namespace
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+#nosound
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+private-dev
+private-tmp
+disable-mnt
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
-# shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ark.profile b/etc/ark.profile
index 007748ed1..7aaa0bc5a 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
 nogroups
 nonewprivs
 noroot
diff --git a/etc/atool.profile b/etc/atool.profile
index a66b4b1c5..b21c5855f 100644
--- a/etc/atool.profile
+++ b/etc/atool.profile
@@ -19,8 +19,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 5b38d84e8..8cea3b18d 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
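Review bot: Removing `net none` from atool.profile (the `-net none` line next to `-netfilter`) reduces isolation rather than deleting a redundant line, because `protocol unix` and `net none` do different jobs: `protocol` is a seccomp filter on the address-family argument of socket(), whereas `net none` puts the sandbox in its own unconnected network namespace, which also gives it a separate abstract Unix socket namespace (the comment retained in the Xephyr and Xvfb hunks refers to exactly that). With only `protocol unix` the process still shares the host's interfaces and abstract sockets, so the two directives together were strictly stronger than either alone. The same removal appears in audacity, bleachbit, bless, brasero, catfish, display, eog, exiftool, feh, file-roller, file, galculator, gedit, gimp, gpicview, highlight, img2txt, jd-gui, keepassx, keepassx2 and keepassxc. I would keep `net none` wherever the program never needs the network and drop only `netfilter`, which as far as I know only takes effect once a network namespace with an interface exists.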
@@ -15,8 +15,6 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 #ipc-namespace
-net none
-netfilter
 no3d
 nogroups
 nonewprivs
diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile
index 055be09a1..2ecc0c425 100644
--- a/etc/bitlbee.profile
+++ b/etc/bitlbee.profile
@@ -9,13 +9,23 @@ include /etc/firejail/bitlbee.local
 noblacklist /sbin
 noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 netfilter
+no3d
 nonewprivs
 private
 private-dev
 protocol unix,inet,inet6
 seccomp
 nosound
+novideo
 read-write /var/lib/bitlbee
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec /tmp
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index 345dd119a..9d8ec1733 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
-net none
-netfilter
 no3d
 nogroups
 nonewprivs
diff --git a/etc/blender.profile b/etc/blender.profile
index 6ee874ad0..b9757913d 100644
--- a/etc/blender.profile
+++ b/etc/blender.profile
@@ -7,25 +7,21 @@ include /etc/firejail/blender.local
 noblacklist ~/.config/blender
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-# blender uses the sound system
-# nosound
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/bless.profile b/etc/bless.profile
index c9ccfc02e..41712850e 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
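Review bot: bitlbee.profile ends up with `private-dev` twice: the existing ` private-dev` context line after ` private` is kept and the new block adds `+private-dev` again. The repeat is presumably harmless at runtime, but it hides which line is the intended one; drop the added copy, or move the original into the new block so the profile has one. This profile also gets only `noexec /tmp` and no `noexec ${HOME}`, unlike most profiles in the series; if that is because `private` already replaces the home directory, a comment such as `# noexec ${HOME} omitted: private home` would keep the next hardening pass from second-guessing it. Note that bitlbee has no `caps.drop all` in either the context or the added lines of this hunk; if it is absent from the rest of the file, it is the one hardening directive the other profiles all carry.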
@@ -21,8 +21,6 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 #ipc-namespace
-net none
-netfilter
 no3d
 nogroups
 nonewprivs
diff --git a/etc/brasero.profile b/etc/brasero.profile
index d013e0b8e..1d6856b73 100644
--- a/etc/brasero.profile
+++ b/etc/brasero.profile
@@ -15,7 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
-net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/caja.profile b/etc/caja.profile
index 3a098379b..e6f38dfa9 100644
--- a/etc/caja.profile
+++ b/etc/caja.profile
@@ -26,7 +26,6 @@ nonewprivs
 noroot
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 0deaca1b5..5612d4486 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -13,7 +13,6 @@ noblacklist ~/.config/catfish
 include /etc/firejail/disable-devel.inc
 caps.drop all
-net none
 no3d
 nogroups
 nonewprivs
diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile
index 0ac71ca3c..b1acd78f2 100644
--- a/etc/cherrytree.profile
+++ b/etc/cherrytree.profile
@@ -9,18 +9,28 @@ include /etc/firejail/cherrytree.local
 noblacklist /usr/bin/python2*
 noblacklist /usr/lib/python3*
 noblacklist ${HOME}/.config/cherrytree
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+#ipc-namespace
 netfilter
+no3d
 nogroups
 nonewprivs
 noroot
 nosound
 novideo
-seccomp
 protocol unix,inet,inet6,netlink
+seccomp
+shell none
 tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/clipit.profile b/etc/clipit.profile
index b671b253b..7b1c584ac 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -8,26 +8,24 @@ include /etc/firejail/clipit.local
 noblacklist ${HOME}/.local/share/clipit
 noblacklist ${HOME}/.config/clipit
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 novideo
-protocol unix,inet,inet6
+protocol unix
 seccomp
+shell none
+private-dev
+private-tmp
+disable-mnt
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
-shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/darktable.profile b/etc/darktable.profile
index 29630a746..eca2ae6c5 100644
--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -8,23 +8,24 @@ include /etc/firejail/darktable.local
 noblacklist ~/.cache/darktable
 noblacklist ~/.config/darktable
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
+#ipc-namespace
 netfilter
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
+
+private-dev
 private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dia.profile b/etc/dia.profile
index 4e009afd7..67cd2ca63 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -7,23 +7,24 @@ include /etc/firejail/dia.local
 noblacklist ~/.dia
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
 novideo
-protocol unix,inet,inet6
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/display.profile b/etc/display.profile
index 7cde8bd54..c9744b001 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -14,8 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 seccomp
 protocol unix
-netfilter
-net none
 nonewprivs
 noroot
 nogroups
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index 0085fb004..5ba8dd497 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -22,7 +22,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
 nogroups
 nonewprivs
 noroot
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index f1d7fad82..2319b337b 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -9,16 +9,10 @@ include /etc/firejail/dropbox.local
 noblacklist ~/.config/autostart
 noblacklist ~/.dropbox-dist
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
-caps
-nonewprivs
-noroot
-novideo
-protocol unix,inet,inet6
-seccomp
-
 mkdir ~/Dropbox
 whitelist ~/Dropbox
 mkdir ~/.dropbox
@@ -28,3 +22,20 @@ whitelist ~/.dropbox-dist
 mkfile ~/.config/autostart/dropbox.desktop
 whitelist ~/.config/autostart/dropbox.desktop
+
+caps.drop all
+netfilter
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec /tmp
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 9e2dee045..97fb82da3 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -20,7 +20,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index 081a5f6b0..a786a702c 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -19,7 +19,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/eog.profile b/etc/eog.profile
index 3abaaacef..7c21b241e 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -18,8 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
-net none
-netfilter
 no3d
 nogroups
 nonewprivs
diff --git a/etc/evince.profile b/etc/evince.profile
index 6719244da..2173c7422 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -15,8 +15,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
-netfilter
-#net none - creates some problems on some distributions
 no3d
 nogroups
 nonewprivs
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index aba484718..9b0759dfe 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -23,8 +23,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog
diff --git a/etc/feh.profile b/etc/feh.profile
index f71999155..e41a4ad94 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -12,8 +12,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
-net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 72d00b4ce..920a60159 100644
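Review bot: The new block appended to dropbox.profile adds `noexec /tmp` but not `noexec ${HOME}`, unlike most profiles in this commit, and gives no reason; the `whitelist ~/.dropbox-dist` line in the previous hunk suggests the client executes code from under the home directory, which would explain the omission, but that is an inference. Record it inline so a later pass does not add the directive back and break the client, e.g. `# no noexec ${HOME}: dropbox runs its own binaries from ~/.dropbox-dist` (confirm the reason before adopting that wording). Note also that the previous hunk removed `caps` and this one adds `caps.drop all`, so the profile moves from the default capability set to none; that is a behavioural change beyond "cleanup" and deserves a line in the commit message.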
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
-net none
-netfilter
 no3d
 nogroups
 nonewprivs
diff --git a/etc/file.profile b/etc/file.profile
index 915bf1088..ffdaf9f47 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -13,8 +13,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 hostname file
-netfilter
-net none
 no3d
 nogroups
 nonewprivs
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 7f29a8719..f8d45424f 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -8,13 +8,23 @@ include /etc/firejail/flowblade.local
 # FlowBlade profile
 noblacklist ${HOME}/.flowblade
 noblacklist ${HOME}/.config/flowblade
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index 967a617e2..2b3d0f258 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -6,23 +6,24 @@ include /etc/firejail/globals.local
 include /etc/firejail/fontforge.local
 noblacklist ${HOME}/.FontForge
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/franz.profile b/etc/franz.profile
index c68b47d80..859c6ed9b 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -13,14 +13,6 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-#tracelog
-
 whitelist ${DOWNLOADS}
 mkdir ~/.config/Franz
 whitelist ~/.config/Franz
@@ -30,3 +22,21 @@ mkdir ~/.pki
 whitelist ~/.pki
 include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+#ipc-namespace
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 897946e7a..c346a382d 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -17,7 +17,6 @@ mkdir ~/.config/galculator
 whitelist ~/.config/galculator
 caps.drop all
-net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/geany.profile b/etc/geany.profile
index 7e0c6d2ad..083e9423f 100644
--- a/etc/geany.profile
+++ b/etc/geany.profile
@@ -12,17 +12,15 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp
diff --git a/etc/gedit.profile b/etc/gedit.profile
index d871a9bed..c1bdacf44 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -18,8 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 #ipc-namespace
-netfilter
-net none
 no3d
 nogroups
 nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index da521aa6c..7d2738adf 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
-net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/globaltime.profile b/etc/globaltime.profile
index 5662dba69..b9b2c008d 100644
--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -7,22 +7,25 @@ include /etc/firejail/globaltime.local
 noblacklist ${HOME}/.config/globaltime
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index af6da6cd4..6258b1f77 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -24,7 +24,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index e64f62b70..90749be8c 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -30,6 +30,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
+private
 private-bin gnome-calculator
 private-dev
 #private-etc fonts
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 5d2a90b64..ec5914e37 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
@@ -25,7 +25,6 @@ nosound
 novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index abdb6bfb5..d571aff88 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,7 +21,6 @@ noroot
 novideo
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index 93823d0f4..158311711 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -23,7 +23,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/goobox.profile b/etc/goobox.profile
index 0ba059365..c670d5ec7 100644
--- a/etc/goobox.profile
+++ b/etc/goobox.profile
@@ -17,7 +17,6 @@ nonewprivs
 noroot
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile
index ed6b11002..c373cc34c 100644
--- a/etc/google-play-music-desktop-player.profile
+++ b/etc/google-play-music-desktop-player.profile
@@ -13,13 +13,25 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
+
 caps.drop all
+#ipc-namespace
+netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-netfilter
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
-#whitelist ~/.pulse
-#whitelist ~/.config/pulse
-whitelist ~/.config/Google Play Music Desktop Player
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index f457f0590..d1dee8914 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-net none
 nogroups
 nonewprivs
 noroot
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index 929888e88..bc5d7dddf 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -5,25 +5,26 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/gucharmap.local
-private
-#include /etc/firejail/disable-common.inc
-#include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-nosound
+
+private
+private-dev
+private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index 0f3f32250..ccff63708 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -7,24 +7,23 @@ include /etc/firejail/handbrake.local
 noblacklist ~/.config/ghb
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
-# netlink required!
+nosound
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
-#private-dev
+
+private-dev
 private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 58e7f89f5..327c77696 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -18,8 +18,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
-net none
 no3d
 shell none
 tracelog
diff --git a/etc/hugin.profile b/etc/hugin.profile
index 97a9cb1fd..5d2891321 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
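Review bot: The `# netlink required!` comment above the `protocol unix,inet,inet6,netlink` line in handbrake.profile is deleted while the `netlink` entry it explains stays, so the reason for the unusual protocol set is lost. Keep a why-comment next to the protocol line, e.g. `# netlink required by handbrake`, so that a later cleanup does not trim `netlink` the way this series trims `netfilter` and `net none`. The same protocol set appears without a comment in the blender, cherrytree, flowblade and franz hunks; a short note in each would make the deviation from the usual `protocol unix,inet,inet6` deliberate rather than accidental.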
@@ -6,24 +6,24 @@ include /etc/firejail/globals.local
 include /etc/firejail/hugin.local
 noblacklist ${HOME}/.hugin
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
 private-tmp
-nosound
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 00d172f55..1ac5e1fb0 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -18,8 +18,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
-net none
 shell none
 tracelog
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 0a9d409b9..450e819b9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -8,20 +8,22 @@ include /etc/firejail/inkscape.local
 # inkscape
 noblacklist ${HOME}/.inkscape
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-netfilter
 nogroups
 nonewprivs
 noroot
 nosound
+novideo
 protocol unix
 seccomp
-
-noexec ${HOME}
-noexec /tmp
+shell none
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index 32b43cdf1..56cf43104 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -21,8 +21,6 @@ include /etc/firejail/disable-devel.inc
 #Options
 caps.drop all
 #ipc-namespace
-net none
-netfilter
 no3d
 nogroups
 nonewprivs
diff --git a/etc/kate.profile b/etc/kate.profile
index 832f3614f..c4178a776 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -25,7 +25,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 0ea5dbcb3..24d7daa89 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -5,27 +5,26 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/kcalc.local
-################################
-# Generic GUI application profile
-################################
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+no3d
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+nosound
+novideo
+protocol unix
 seccomp
+shell none
-#
-# depending on your usage, you can enable some of the commands below:
-#
 private
-nogroups
-shell none
-# private-bin program
-# private-etc none
 private-dev
 private-tmp
+disable-mnt
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 34e260f8f..64fe62fb6 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -18,7 +18,6 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 machine-id
-net none
 no3d
 nogroups
 nonewprivs
diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile
index 0536866fb..fee04b6fb 100644
--- a/etc/keepassx2.profile
+++ b/etc/keepassx2.profile
@@ -17,7 +17,6 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
-net none
 no3d
 nogroups
 nonewprivs
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 4a5503944..4e4c305f0 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -16,10 +16,8 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
-# To use KeePassHTTP, comment out `net none`
 caps.drop all
 #ipc-namespace
-net none
 no3d
 nogroups
 nonewprivs
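Review bot: Deleting the `To use KeePassHTTP, comment out net none` hint from keepassxc.profile removes the only user-facing recipe for enabling the browser integration, but the need for one does not go away: if this profile restricts `protocol` to unix (the commit message says `net none` was dropped only from such profiles; the protocol line itself is outside this hunk), KeePassHTTP still cannot open a TCP listener. Replace the hint instead of removing it, e.g. `# To use KeePassHTTP, add inet,inet6 to the protocol line`, so that users who followed the old comment are not left with a profile that silently blocks the feature. For a password manager the loss of `net none` itself also deserves a second look, as raised on the atool hunk.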
diff --git a/etc/kino.profile b/etc/kino.profile
index b37569340..73b1e060b 100644
--- a/etc/kino.profile
+++ b/etc/kino.profile
@@ -5,28 +5,25 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/kino.local
-################################
-# Generic GUI application profile
-################################
 noblacklist ~/.kinorc
 noblacklist ~/.kino-history
+
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
-netfilter
+nogroups
 nonewprivs
 noroot
-protocol unix,inet,inet6
+novideo
+protocol unix
 seccomp
+shell none
+
+private-dev
+private-tmp
-#
-# depending on your usage, you can enable some of the commands below:
-#
-# nogroups
-# shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/knotes.profile b/etc/knotes.profile
index e7da44215..6a1233db0 100644
--- a/etc/knotes.profile
+++ b/etc/knotes.profile
@@ -20,7 +20,6 @@ noroot
 nosound
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile
index 59c2827cd..c19f1c5ef 100644
--- a/etc/ktorrent.profile
+++ b/etc/ktorrent.profile
@@ -5,16 +5,15 @@ include /etc/firejail/globals.local
 # Persistent customizations should go in a .local file.
 include /etc/firejail/ktorrent.local
-################################
-# Generic GUI application profile
-################################
 noblacklist ~/.config/ktorrentrc
 noblacklist ~/.local/share/ktorrent
 noblacklist ~/.kde/share/config/ktorrentrc
 noblacklist ~/.kde4/share/config/ktorrentrc
 noblacklist ~/.kde/share/apps/ktorrent
 noblacklist ~/.kde4/share/apps/ktorrent
+
 include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -36,17 +35,18 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+no3d
+nogroups
 nonewprivs
 noroot
+nosound
+novideo
 protocol unix,inet,inet6
 seccomp
-
-#
-# depending on your usage, you can enable some of the commands below:
-#
-nogroups
 shell none
-# private-bin program
-# private-etc none
+
 private-dev
-# private-tmp
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 1c4d09f67..342427090 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -25,7 +25,6 @@ noroot
 #nosound - KWrite is using ALSA!
 protocol unix
 seccomp
-netfilter
 shell none
 tracelog
diff --git a/etc/leafpad.profile b/etc/leafpad.profile
index 5ae025d6d..7403a13ab 100644
--- a/etc/leafpad.profile
+++ b/etc/leafpad.profile
@@ -6,24 +6,24 @@ include /etc/firejail/globals.local include /etc/firejail/leafpad.local noblacklist ${HOME}/.config/leafpad + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev + +noexec ${HOME} +noexec /tmp diff --git a/etc/liferea.profile b/etc/liferea.profile index 92b3b8f88..f11137cdd 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile @@ -20,10 +20,28 @@ noblacklist ~/.cache/liferea mkdir ~/.cache/liferea whitelist ~/.cache/liferea +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-common.inc -include /etc/firejail/default.profile +caps.drop all +#ipc-namespace +netfilter +#no3d nogroups +nonewprivs +noroot +#nosound +novideo +protocol unix,inet,inet6 +seccomp shell none + private-dev private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 6ee118f76..0b8742e49 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile 
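Review bot: The liferea.profile hunk replaces `include /etc/firejail/default.profile` with an explicit directive list, but `#ipc-namespace`, `#no3d` and `#nosound` are left commented out with no reason recorded. Elsewhere in this series the convention is `#private-tmp - problems with multiple browser sessions`; following it here, e.g. `#nosound - <what it breaks>`, tells the next maintainer whether these were tested and rejected or simply never tried. Without that, a later hardening pass will most likely re-enable them and rediscover the breakage.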
@@ -7,24 +7,26 @@ include /etc/firejail/luminance-hdr.local # luminance-hdr noblacklist ${HOME}/.config/Luminance + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace -netfilter nogroups nonewprivs noroot nosound +novideo protocol unix seccomp shell none tracelog -noexec ${HOME} -noexec /tmp - private-tmp private-dev + +noexec ${HOME} +noexec /tmp diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 28e674ebf..9e8bac878 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile @@ -6,24 +6,25 @@ include /etc/firejail/globals.local include /etc/firejail/lximage-qt.local noblacklist .config/lximage-qt + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index fd5136578..49057d0ab 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile 
@@ -7,24 +7,24 @@ include /etc/firejail/lxmusic.local noblacklist ~/.cache/xmms2 noblacklist ~/.config/xmms2 + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -# nosound + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index 76593df0b..75b51f96d 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile @@ -6,24 +6,26 @@ include /etc/firejail/globals.local include /etc/firejail/mate-calc.local noblacklist ${HOME}/.config/mate-calc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 6db3dd624..b9b445ac6 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile 
@@ -3,27 +3,28 @@ include /etc/firejail/globals.local # This file is overwritten during software install. # Persistent customizations should go in a .local file. -include /etc/firejail/default.local +include /etc/firejail/mate-color-select.local -private -#include /etc/firejail/disable-common.inc -#include /etc/firejail/disable-programs.inc -#include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index fc4c1c425..4fe0795d2 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile @@ -6,24 +6,27 @@ include /etc/firejail/globals.local include /etc/firejail/mate-dictionary.local noblacklist ${HOME}/.config/mate/mate-dictionary + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d +nogroups nonewprivs noroot +nosound +novideo protocol unix,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound + +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index 59cb080d3..c6e95cc5c 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile 
@@ -12,15 +12,13 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups nonewprivs +nogroups noroot nosound no3d protocol unix seccomp -netfilter -net none shell none tracelog diff --git a/etc/meld.profile b/etc/meld.profile index bc4cd8356..535745e6f 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -15,8 +15,6 @@ include /etc/firejail/disable-programs.inc caps.drop all #ipc-namespace -net none -netfilter no3d nogroups nonewprivs diff --git a/etc/mousepad.profile b/etc/mousepad.profile index c3e85d55f..fc788fea6 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile @@ -14,7 +14,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nogroups nonewprivs noroot diff --git a/etc/mupdf.profile b/etc/mupdf.profile index e6652e688..39b801e1a 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -18,8 +18,6 @@ noroot nosound protocol unix seccomp -netfilter -net none shell none tracelog diff --git a/etc/nautilus.profile b/etc/nautilus.profile index ef3203eb5..71d2b2192 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile @@ -22,12 +22,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups nonewprivs noroot protocol unix seccomp -netfilter shell none tracelog diff --git a/etc/nemo.profile b/etc/nemo.profile index 1d9124d19..d4bb0d5ff 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile @@ -16,18 +16,14 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter +no3d nonewprivs noroot +nosound +novideo protocol unix,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -# nosound + +noexec ${HOME} +noexec /tmp diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index abec7dde2..58440e50f 100644 --- a/etc/odt2txt.profile 
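Review bot: Dropping `net none` together with `netfilter` in mediainfo.profile is not covered by the `protocol unix` line already present, and the same removal is made in meld, mupdf, odt2txt, pdfsam, pdftotext, peek, ranger, transmission-show, viewnior, xpdf and zathura further down. `protocol unix` only limits the address families the process may create sockets for, whereas `net none` puts it in its own network namespace, which also cuts it off from the host's abstract AF_UNIX sockets (the xpra hunk later in this patch keeps `#net none` commented out for exactly that reason). For profiles that need no display socket this is cheap defense in depth, so I would keep `net none`, or record why it was removed with a `# net none - <reason>` comment. The "Add back net none/netfilter as needed" diffstat at the end of the page suggests part of this was reverted later, which is worth checking before merging this commit on its own.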
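Review bot: `nogroups` is removed from nautilus.profile with no replacement and no mention in the commit message, and the pcmanfm.profile hunk further down loses it the same way, while mediainfo in this same patch merely reorders it. If these file managers genuinely need supplementary group membership, a comment such as `# nogroups - <what it breaks>` at the removal point would stop the next hardening pass from re-adding it; otherwise the line should stay.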
+++ b/etc/odt2txt.profile @@ -18,8 +18,6 @@ noroot nosound protocol unix seccomp -netfilter -net none no3d shell none tracelog diff --git a/etc/okular.profile b/etc/okular.profile index 982f524fa..351083582 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -21,7 +21,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter nonewprivs nogroups noroot diff --git a/etc/openshot.profile b/etc/openshot.profile index bc4ccc46a..25c803512 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile @@ -8,13 +8,23 @@ include /etc/firejail/openshot.local # OpenShot profile noblacklist ${HOME}/.openshot noblacklist ${HOME}/.openshot_qt + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +shell none + +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/orage.profile b/etc/orage.profile index ea577f873..ee96076eb 100644 --- a/etc/orage.profile +++ b/etc/orage.profile @@ -7,24 +7,26 @@ include /etc/firejail/orage.local noblacklist ${HOME}/.config/orage noblacklist ${HOME}/.local/share/orage + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp +disable-mnt +noexec ${HOME} +noexec /tmp diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 68d002f2d..67ab7f9e6 100644 
--- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile @@ -15,21 +15,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -nogroups +no3d nonewprivs noroot nosound +novideo protocol unix seccomp shell none tracelog - -# -# depending on your usage, you can enable some of the commands below: -# -# private-bin program -# private-etc none -# private-dev -# private-tmp - diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index b46ac9294..4adb01c3f 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -19,8 +19,6 @@ include /etc/firejail/disable-devel.inc #Options caps.drop all #ipc-namespace -net none -netfilter no3d nogroups nonewprivs diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index a6b2b2f78..882b10678 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -18,8 +18,6 @@ noroot nosound protocol unix seccomp -netfilter -net none no3d shell none tracelog diff --git a/etc/peek.profile b/etc/peek.profile index bac3e0a99..cf60452d3 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -14,7 +14,6 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -net none no3d nogroups nonewprivs diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index e3ffad9a1..9500731fe 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -8,7 +8,9 @@ include /etc/firejail/psi-plus.local # Firejail profile for Psi+ noblacklist ${HOME}/.config/psi+ noblacklist ${HOME}/.local/share/psi+ + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc 
@@ -20,10 +22,22 @@ whitelist ~/.local/share/psi+ mkdir ~/.cache/psi+ whitelist ~/.cache/psi+ +include /etc/firejail/whitelist-common.inc + caps.drop all netfilter +no3d +nogroups +nonewprivs noroot +novideo protocol unix,inet,inet6 seccomp +shell none -include /etc/firejail/whitelist-common.inc +private-dev +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile index bc92e50ea..f6458de86 100644 --- a/etc/qemu-launcher.profile +++ b/etc/qemu-launcher.profile @@ -23,3 +23,5 @@ shell none tracelog private-tmp + +noexec /tmp diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 907de5e8f..fdfd7ab72 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -21,3 +21,5 @@ shell none tracelog private-tmp + +noexec /tmp diff --git a/etc/qlipper.profile b/etc/qlipper.profile index a5ef53112..6989acb7a 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile @@ -6,26 +6,26 @@ include /etc/firejail/globals.local include /etc/firejail/qlipper.local noblacklist ${HOME}/.config/Qlipper + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp +shell none +private-dev +private-tmp +disable-mnt - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups -shell none -# private-bin program -# private-etc none -# private-dev -# private-tmp -nosound +noexec ${HOME} +noexec /tmp diff --git a/etc/ranger.profile b/etc/ranger.profile index 7103f821d..55e43d13b 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile 
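Review bot: The qemu-launcher.profile and qemu-system-x86_64.profile hunks add only `noexec /tmp`, whereas nearly every other profile in this commit receives `noexec ${HOME}` as well, and nothing says why home is left out. If `noexec ${HOME}` was tested and found to break QEMU, a comment like `#noexec ${HOME} - <reason>` records that; if it was simply missed, it should be added for consistency with the rest of the patch.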
@@ -18,14 +18,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -net none -nogroups nonewprivs noroot protocol unix seccomp nosound -private-tmp private-dev diff --git a/etc/ristretto.profile b/etc/ristretto.profile index ca4b1a64d..5c72f9eb8 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile @@ -10,22 +10,23 @@ noblacklist ~/.Steam noblacklist ~/.steam include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/skype.profile b/etc/skype.profile index 8b97c7152..7c7a4eb17 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -7,17 +7,22 @@ include /etc/firejail/skype.local # Skype profile noblacklist ${HOME}/.Skype + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all netfilter +nogroups nonewprivs noroot protocol unix,inet,inet6 seccomp +shell none +private-dev private-tmp disable-mnt diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile index 71bc1b9a6..a2f693945 100644 --- a/etc/skypeforlinux.profile +++ b/etc/skypeforlinux.profile 
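Review bot: The ranger.profile hunk removes `private-tmp` in addition to the `netfilter`, `net none` and `nogroups` lines, and neither the commit message nor an inline comment explains it. Giving up the private /tmp is a broader change than the network cleanup this commit describes; if ranger needs the real /tmp, say so with `#private-tmp - <reason>`, and if it does not, leave the line in place.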
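Review bot: In skype.profile the new `include /etc/firejail/disable-devel.inc` duplicates the `include /etc/firejail/disable-devel.inc` that already follows `disable-programs.inc` two lines below. The second copy is harmless but should go, and since this profile has no `include /etc/firejail/disable-passwdmgr.inc` line (skypeforlinux.profile in the next hunk has one), replacing the duplicate with that include would bring it in line with the rest of this patch.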
@@ -7,16 +7,22 @@ include /etc/firejail/skypeforlinux.local # skypeforlinux profile noblacklist ${HOME}/.config/skypeforlinux + include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter +nogroups +nonewprivs noroot -seccomp protocol unix,inet,inet6,netlink +seccomp +shell none +private-dev private-tmp disable-mnt diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index ffabdef76..c714fc70a 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -8,19 +8,24 @@ include /etc/firejail/synfigstudio.local # synfigstudio noblacklist ${HOME}/.config/synfig noblacklist ${HOME}/.synfig + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +nogroups nonewprivs noroot +nosound +novideo protocol unix seccomp - -noexec ${HOME} -noexec /tmp +shell none private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/tracker.profile b/etc/tracker.profile index f2c91be86..d7b68ea5c 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile @@ -22,7 +22,6 @@ nosound no3d protocol unix seccomp -netfilter shell none tracelog diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 8d1e1eac2..2447edc35 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile @@ -15,8 +15,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -net none nonewprivs noroot nosound diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 20f738d42..3b2b54264 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile @@ -19,7 +19,6 @@ blacklist ~/.bashrc blacklist ~/.Xauthority caps.drop all -net none nogroups nonewprivs noroot 
diff --git a/etc/vym.profile b/etc/vym.profile index 4139ea901..13fa08d4f 100644 --- a/etc/vym.profile +++ b/etc/vym.profile @@ -6,25 +6,26 @@ include /etc/firejail/globals.local include /etc/firejail/vym.local noblacklist ./.config/InSilmaril + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -# no network connectivity +nosound +novideo protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin vym -# private-etc none + private-dev private-tmp -nosound +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/xfburn.profile b/etc/xfburn.profile index 7a6d620cf..aaef6bb60 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile @@ -20,7 +20,6 @@ noroot nosound protocol unix seccomp -netfilter shell none tracelog diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile index 4e466352d..08ae17a55 100644 --- a/etc/xfce4-dict.profile +++ b/etc/xfce4-dict.profile @@ -6,24 +6,27 @@ include /etc/firejail/globals.local include /etc/firejail/xfce4-dict.local noblacklist ${HOME}/.config/xfce4-dict + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter +no3d +nogroups nonewprivs noroot +nosound +novideo protocol unix,inet,inet6 seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp +disable-mnt +noexec ${HOME} +noexec /tmp diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index 737bb0a23..544225920 100644 --- a/etc/xfce4-notes.profile 
+++ b/etc/xfce4-notes.profile @@ -8,23 +8,26 @@ include /etc/firejail/xfce4-notes.local noblacklist ${HOME}/.config/xfce4/xfce4-notes.rc noblacklist ${HOME}/.config/xfce4/xfce4-notes.gtkrc noblacklist ${HOME}/.local/share/notes + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -netfilter +no3d +nogroups nonewprivs noroot -protocol unix,inet,inet6 +nosound +novideo +protocol unix seccomp - -# -# depending on your usage, you can enable some of the commands below: -# -nogroups shell none -# private-bin program -# private-etc none + private-dev -# private-tmp +private-tmp +disable-mnt + +noexec ${HOME} +noexec /tmp diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 611c7b379..957636124 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile @@ -30,6 +30,7 @@ netfilter nogroups nonewprivs noroot +novideo protocol unix,inet,inet6 seccomp shell none diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 5b3018ce8..1f2344e21 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -9,17 +9,25 @@ include /etc/firejail/xpdf.local # xpdf application profile ################################ noblacklist ${HOME}/.xpdfrc + include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all -net none +no3d +nogroups nonewprivs noroot +nosound +novideo protocol unix -shell none seccomp +shell none private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/xpra.profile b/etc/xpra.profile index a41ee2613..c8bb3ef52 100644 --- a/etc/xpra.profile +++ b/etc/xpra.profile 
@@ -23,7 +23,6 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all # xpra needs to be allowed access to the abstract Unix socket namespace. -#net none nogroups nonewprivs # In noroot mode, xpra cannot create a socket in the real /tmp/.X11-unix. diff --git a/etc/zathura.profile b/etc/zathura.profile index 18afe3bfa..53e905e9c 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -14,8 +14,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter -net none nogroups nonewprivs noroot -- cgit v1.2.3-54-g00ecf From b18f42ab0236de7eed5888f43ba36cdaf990cbca Mon Sep 17 00:00:00 2001 From: Tad Date: Sun, 30 Jul 2017 16:56:31 -0400 Subject: Initial adding of memory-deny-write-execute to profiles - mdwe breaks most vm-based languages so python/java/javascript and some mono programs are not compatible - mdwe also breaks most 3d accelerated programs such as 3d games - mdwe is similar to PaX's mprotect meaning PaX flag managers can be used as reference -- See https://github.com/copperhead/paxd-archive/blob/master/paxd.conf -- See https://github.com/nning/linux-pax-flags --- etc/bleachbit.profile | 1 + etc/brasero.profile | 1 + etc/cvlc.profile | 2 ++ etc/eog.profile | 1 + etc/evince.profile | 1 + etc/file-roller.profile | 1 + etc/gnome-calculator.profile | 1 + etc/keepassxc.profile | 1 + etc/less.profile | 1 + etc/mumble.profile | 1 + etc/peek.profile | 1 + etc/ssh.profile | 1 + etc/strings.profile | 2 ++ etc/transmission-cli.profile | 2 ++ etc/transmission-gtk.profile | 2 ++ etc/vlc.profile | 1 + 16 files changed, 20 insertions(+) diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index 9d8ec1733..5cc025a4a 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile @@ -28,5 +28,6 @@ shell none # private-tmp # private-etc +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/brasero.profile b/etc/brasero.profile index 1d6856b73..cafb9f39a 100644 --- a/etc/brasero.profile 
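Review bot: bleachbit.profile receives `memory-deny-write-execute`, yet the commit message itself states that mdwe is not compatible with Python programs, and BleachBit is, as far as I know, a Python/GTK application. If the profile was launched and checked with this line, a comment recording that, e.g. `# memory-deny-write-execute - tested with bleachbit <version tested>`, would save the next reader the same doubt; if not, this one should be verified before merge. The same check applies to any other profile in this batch whose program embeds a scripting runtime.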
+++ b/etc/brasero.profile @@ -30,5 +30,6 @@ tracelog # private-etc fonts # private-tmp +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/cvlc.profile b/etc/cvlc.profile index a52d62f83..921d505a9 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile @@ -27,3 +27,5 @@ tracelog #private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev private-tmp + +memory-deny-write-execute diff --git a/etc/eog.profile b/etc/eog.profile index 7c21b241e..aa986e7d7 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -33,5 +33,6 @@ private-dev private-etc fonts private-tmp +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/evince.profile b/etc/evince.profile index 2173c7422..ee637c607 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -32,5 +32,6 @@ private-etc fonts # evince needs access to /tmp/mozilla* to work in firefox # private-tmp +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 920a60159..7cbfc4edb 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile @@ -29,5 +29,6 @@ tracelog private-dev # private-etc fonts +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 90749be8c..40328e5c3 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile @@ -37,5 +37,6 @@ private-dev private-tmp disable-mnt +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 4e4c305f0..719cf1dec 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile @@ -33,5 +33,6 @@ private-dev private-etc fonts,ld.so.cache private-tmp +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/less.profile b/etc/less.profile index 9d4eb3fcf..f8c26879e 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -21,5 +21,6 @@ blacklist /tmp/.X11-unix private-dev +memory-deny-write-execute noexec ${HOME} noexec /tmp 
diff --git a/etc/mumble.profile b/etc/mumble.profile index 7303ac65a..a2104957d 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile @@ -35,5 +35,6 @@ private-bin mumble private-tmp disable-mnt +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/peek.profile b/etc/peek.profile index cf60452d3..c2dd5c010 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -28,5 +28,6 @@ shell none private-dev private-tmp +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/ssh.profile b/etc/ssh.profile index e592841a1..466abdc88 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -31,5 +31,6 @@ tracelog private-dev #private-tmp #Breaks when exiting +memory-deny-write-execute noexec ${HOME} noexec /tmp diff --git a/etc/strings.profile b/etc/strings.profile index af49feb04..a83e3a801 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -18,3 +18,5 @@ shell none tracelog private-dev blacklist /tmp/.X11-unix + +memory-deny-write-execute diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 0502bbfb4..5b7e6e7c8 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile @@ -28,3 +28,5 @@ tracelog private-tmp private-dev private-etc none + +memory-deny-write-execute diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index 84d01179c..7f85aa69c 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -34,3 +34,5 @@ tracelog private-bin transmission-gtk private-dev private-tmp + +memory-deny-write-execute diff --git a/etc/vlc.profile b/etc/vlc.profile index b36e844ff..34f4aa5ff 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -27,5 +27,6 @@ private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev private-tmp +memory-deny-write-execute noexec ${HOME} noexec /tmp -- cgit v1.2.3-54-g00ecf From 0e7b0bd52e7bc26d7407a5f6f756b474e52dbaf1 Mon Sep 17 00:00:00 2001 
From: Tad Date: Sun, 30 Jul 2017 17:26:38 -0400 Subject: Add noexec to more profiles as tested by @curiosity-seeker See https://github.com/netblue30/firejail/pull/1367#issuecomment-315793729 --- etc/digikam.profile | 3 +++ etc/dragon.profile | 3 +++ etc/google-chrome-beta.profile | 3 +++ etc/google-chrome-unstable.profile | 3 +++ etc/google-chrome.profile | 3 +++ etc/guayadeque.profile | 3 +++ etc/gwenview.profile | 3 +++ etc/icecat.profile | 3 +++ etc/okular.profile | 3 +++ etc/quiterss.profile | 3 +++ etc/vivaldi.profile | 3 +++ 11 files changed, 33 insertions(+) diff --git a/etc/digikam.profile b/etc/digikam.profile index fd19953a0..d81d00ed3 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile @@ -31,3 +31,6 @@ shell none # private-etc none # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/dragon.profile b/etc/dragon.profile index d099f1d9d..47d2c593a 100644 --- a/etc/dragon.profile +++ b/etc/dragon.profile @@ -27,3 +27,6 @@ private-bin dragon private-dev private-tmp # private-etc + +noexec ${HOME} +noexec /tmp diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 3b884bd64..e527318c2 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -26,3 +26,6 @@ whitelist ~/.cache/google-chrome-beta mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc + +noexec ${HOME} +noexec /tmp diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 18bcb94a6..860e2488a 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -26,3 +26,6 @@ whitelist ~/.cache/google-chrome-unstable mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc + +noexec ${HOME} +noexec /tmp diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 84e0c6cdc..7d27355d2 100644 --- a/etc/google-chrome.profile 
+++ b/etc/google-chrome.profile @@ -27,3 +27,6 @@ whitelist ~/.cache/google-chrome mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc + +noexec ${HOME} +noexec /tmp diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 5b3bc11f2..86f3d7838 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile @@ -24,3 +24,6 @@ shell none private-bin guayadeque private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 97227186a..047d2e32e 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -32,3 +32,6 @@ private-dev # Experimental: #private-etc X11 + +noexec ${HOME} +noexec /tmp diff --git a/etc/icecat.profile b/etc/icecat.profile index 7684cedbe..600263a2a 100644 --- a/etc/icecat.profile +++ b/etc/icecat.profile @@ -48,3 +48,6 @@ include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse + +noexec ${HOME} +noexec /tmp diff --git a/etc/okular.profile b/etc/okular.profile index 351083582..0944e900c 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -34,3 +34,6 @@ tracelog # private-etc fonts,X11 private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index c8112f064..aa17693cd 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -42,3 +42,6 @@ private-dev disable-mnt include /etc/firejail/whitelist-common.inc + +noexec ${HOME} +noexec /tmp diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 25d78439d..7b9c4c9c6 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -22,3 +22,6 @@ whitelist ~/.config/vivaldi mkdir ~/.cache/vivaldi whitelist ~/.cache/vivaldi include /etc/firejail/whitelist-common.inc + +noexec ${HOME} +noexec /tmp -- cgit v1.2.3-54-g00ecf 
From 55b200c440fe49e3a2dadb2634025587083f774b Mon Sep 17 00:00:00 2001 From: Tad Date: Sun, 30 Jul 2017 17:32:15 -0400 Subject: Partially synchronize Chromium-based profiles --- etc/google-chrome-beta.profile | 12 ++++++++++-- etc/google-chrome-unstable.profile | 12 ++++++++++-- etc/google-chrome.profile | 13 ++++++++++--- etc/vivaldi.profile | 11 ++++++++++- 4 files changed, 40 insertions(+), 8 deletions(-) diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index e527318c2..22a2e8f88 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -16,8 +16,6 @@ include /etc/firejail/disable-programs.inc # include /etc/firejail/disable-devel.inc # -netfilter - whitelist ${DOWNLOADS} mkdir ~/.config/google-chrome-beta whitelist ~/.config/google-chrome-beta @@ -27,5 +25,15 @@ mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc +caps.keep sys_chroot,sys_admin +#ipc-namespace +netfilter +nogroups +shell none + +private-dev +#private-tmp - problems with multiple browser sessions +#disable-mnt + noexec ${HOME} noexec /tmp diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 860e2488a..0675d7b49 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -16,8 +16,6 @@ include /etc/firejail/disable-programs.inc # include /etc/firejail/disable-devel.inc # -netfilter - whitelist ${DOWNLOADS} mkdir ~/.config/google-chrome-unstable whitelist ~/.config/google-chrome-unstable @@ -27,5 +25,15 @@ mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc +caps.keep sys_chroot,sys_admin +#ipc-namespace +netfilter +nogroups +shell none + +private-dev +#private-tmp - problems with multiple browser sessions +#disable-mnt + noexec ${HOME} noexec /tmp diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 7d27355d2..e6fceadec 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile 
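Review bot: The google-chrome-beta, google-chrome-unstable and vivaldi hunks add `caps.keep sys_chroot,sys_admin`, which retains CAP_SYS_ADMIN inside the sandbox (google-chrome, in the next page line, only moves its existing line). CAP_SYS_ADMIN is the broadest capability Linux has, so keeping it deserves an inline justification; presumably it is for Chromium's own setuid sandbox helper, and a comment such as `# caps.keep sys_chroot,sys_admin - needed by the browser's built-in sandbox helper` would make the trade-off explicit. Whether these profiles also set `nonewprivs` is not visible in the hunks; if they do, a setuid helper cannot gain privileges anyway and the kept capabilities should be re-examined.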
@@ -16,9 +16,6 @@ include /etc/firejail/disable-programs.inc # include /etc/firejail/disable-devel.inc # -caps.keep sys_chroot,sys_admin -netfilter - whitelist ${DOWNLOADS} mkdir ~/.config/google-chrome whitelist ~/.config/google-chrome @@ -28,5 +25,15 @@ mkdir ~/.pki whitelist ~/.pki include /etc/firejail/whitelist-common.inc +caps.keep sys_chroot,sys_admin +#ipc-namespace +netfilter +nogroups +shell none + +private-dev +#private-tmp - problems with multiple browser sessions +#disable-mnt + noexec ${HOME} noexec /tmp diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 7b9c4c9c6..fab620499 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -14,7 +14,6 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -netfilter whitelist ${DOWNLOADS} mkdir ~/.config/vivaldi @@ -23,5 +22,15 @@ mkdir ~/.cache/vivaldi whitelist ~/.cache/vivaldi include /etc/firejail/whitelist-common.inc +caps.keep sys_chroot,sys_admin +#ipc-namespace +netfilter +nogroups +shell none + +private-dev +#private-tmp - problems with multiple browser sessions +#disable-mnt + noexec ${HOME} noexec /tmp -- cgit v1.2.3-54-g00ecf From 5e211950f7396f9daa893e1233f87bc789c625b0 Mon Sep 17 00:00:00 2001 
From: Fred-Barclay Date: Tue, 1 Aug 2017 22:49:23 -0500 Subject: Add back net none/netfilter as needed --- etc/2048-qt.profile | 2 ++ etc/Thunar.profile | 2 ++ etc/ark.profile | 1 + etc/atool.profile | 1 + etc/audacity.profile | 1 + etc/bleachbit.profile | 1 + etc/bless.profile | 1 + etc/caja.profile | 1 + etc/catfish.profile | 1 + etc/clipit.profile | 1 + etc/dia.profile | 1 + etc/display.profile | 7 ++++--- etc/dolphin.profile | 1 + etc/enchant.profile | 1 + etc/engrampa.profile | 1 + etc/eog.profile | 1 + etc/evince.profile | 1 + etc/exiftool.profile | 1 + etc/feh.profile | 1 + etc/file-roller.profile | 1 + etc/file.profile | 1 + etc/fontforge.profile | 1 + etc/franz.profile | 2 +- etc/galculator.profile | 1 + etc/gedit.profile | 1 + etc/gimp.profile | 1 + etc/gnome-books.profile | 1 + etc/gnome-documents.profile | 1 + etc/gnome-music.profile | 1 + etc/gnome-photos.profile | 1 + etc/goobox.profile | 1 + etc/gpicview.profile | 1 + etc/gucharmap.profile | 1 + etc/highlight.profile | 1 + etc/hugin.profile | 1 + etc/img2txt.profile | 1 + etc/inkscape.profile | 1 + etc/jd-gui.profile | 1 + etc/kate.profile | 1 + etc/kcalc.profile | 1 + etc/keepassx.profile | 1 + etc/keepassx2.profile | 1 + etc/keepassxc.profile | 1 + etc/kino.profile | 1 + etc/knotes.profile | 1 + etc/kwrite.profile | 1 + etc/leafpad.profile | 1 + etc/luminance-hdr.profile | 1 + etc/lximage-qt.profile | 1 + etc/lxmusic.profile | 1 + etc/mate-calc.profile | 1 + etc/mate-color-select.profile | 1 + etc/mediainfo.profile | 1 + etc/meld.profile | 1 + etc/mousepad.profile | 1 + etc/mupdf.profile | 1 + etc/nautilus.profile | 2 ++ etc/nemo.profile | 1 + etc/odt2txt.profile | 1 + etc/okular.profile | 1 + etc/orage.profile | 1 + etc/pcmanfm.profile | 1 + etc/pdfsam.profile | 1 + etc/pdftotext.profile | 1 + etc/peek.profile | 1 + etc/qlipper.profile | 1 + etc/ranger.profile | 2 ++ etc/ristretto.profile | 1 + etc/synfigstudio.profile | 1 + etc/tracker.profile | 1 + etc/transmission-show.profile | 1 + 
etc/viewnior.profile | 1 + etc/vym.profile | 1 + etc/xfburn.profile | 1 + etc/xfce4-notes.profile | 1 + etc/xpdf.profile | 1 + etc/zathura.profile | 1 + 77 files changed, 84 insertions(+), 4 deletions(-) diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index c53cfef9d..2f3efe743 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile @@ -15,9 +15,11 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +netfilter nogroups nonewprivs noroot +nosound novideo protocol unix seccomp diff --git a/etc/Thunar.profile b/etc/Thunar.profile index e62ce4e2d..30db6f023 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile @@ -16,7 +16,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter no3d +nogroups nonewprivs noroot nosound diff --git a/etc/ark.profile b/etc/ark.profile index 7aaa0bc5a..007748ed1 100644 --- a/etc/ark.profile +++ b/etc/ark.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/atool.profile b/etc/atool.profile index b21c5855f..49637aa21 100644 --- a/etc/atool.profile +++ b/etc/atool.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/audacity.profile b/etc/audacity.profile index 8cea3b18d..9ce997361 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc caps.drop all #ipc-namespace +netfilter no3d nogroups nonewprivs diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index 5cc025a4a..7ecf899c9 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +netfilter no3d nogroups nonewprivs 
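Review bot: `netfilter` is added to 2048-qt — and in the same way to Thunar, ark, atool, audacity and bleachbit on this line and to most of the later `+netfilter` hunks in this commit — in profiles that show no `net` directive. As the firejail man page describes it, `netfilter` only installs its default firewall when the sandbox gets a new network namespace (a `net` line in the profile or `--net=` on the command line) and has no effect in the system network namespace, so on its own it does not restrict the application's networking at all; where `protocol unix` is present it is that seccomp filter, not `netfilter`, that blocks inet sockets. For programs that need no network (a 2048 game, an archiver), `net none` is the line that actually removes it, which is what the catfish hunk below and the follow-up "Fixes" commit do for four of these profiles. If `netfilter` is deliberately left as a latent default for users who add `--net`, a comment next to it such as `# netfilter takes effect only when a network namespace is created (net ...)` would record that.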
diff --git a/etc/bless.profile b/etc/bless.profile index 41712850e..ea9a2d8ec 100644 --- a/etc/bless.profile +++ b/etc/bless.profile @@ -21,6 +21,7 @@ include /etc/firejail/disable-devel.inc #Options caps.drop all #ipc-namespace +netfilter no3d nogroups nonewprivs diff --git a/etc/caja.profile b/etc/caja.profile index e6f38dfa9..a724e76b1 100644 --- a/etc/caja.profile +++ b/etc/caja.profile @@ -21,6 +21,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/catfish.profile b/etc/catfish.profile index 5612d4486..0deaca1b5 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile @@ -13,6 +13,7 @@ noblacklist ~/.config/catfish include /etc/firejail/disable-devel.inc caps.drop all +net none no3d nogroups nonewprivs diff --git a/etc/clipit.profile b/etc/clipit.profile index 7b1c584ac..b44041cbf 100644 --- a/etc/clipit.profile +++ b/etc/clipit.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/dia.profile b/etc/dia.profile index 67cd2ca63..71d8a249b 100644 --- a/etc/dia.profile +++ b/etc/dia.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/display.profile b/etc/display.profile index c9744b001..c2c46cba3 100644 --- a/etc/display.profile +++ b/etc/display.profile @@ -12,12 +12,13 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix +net none nonewprivs -noroot nogroups +noroot nosound +protocol unix +seccomp shell none x11 xorg diff --git a/etc/dolphin.profile b/etc/dolphin.profile index 5ba8dd497..0085fb004 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile 
@@ -22,6 +22,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/enchant.profile b/etc/enchant.profile index 97fb82da3..554ed5e28 100644 --- a/etc/enchant.profile +++ b/etc/enchant.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/engrampa.profile b/etc/engrampa.profile index a786a702c..605643472 100644 --- a/etc/engrampa.profile +++ b/etc/engrampa.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/eog.profile b/etc/eog.profile index aa986e7d7..e272a1935 100644 --- a/etc/eog.profile +++ b/etc/eog.profile @@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/evince.profile b/etc/evince.profile index ee637c607..9f1ebbf76 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +netfilter no3d nogroups nonewprivs diff --git a/etc/exiftool.profile b/etc/exiftool.profile index 9b0759dfe..e69a6206e 100644 --- a/etc/exiftool.profile +++ b/etc/exiftool.profile @@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/feh.profile b/etc/feh.profile index e41a4ad94..8f40a0c3e 100644 --- a/etc/feh.profile +++ b/etc/feh.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/file-roller.profile b/etc/file-roller.profile index 7cbfc4edb..15d8d36c6 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile 
@@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/file.profile b/etc/file.profile index ffdaf9f47..51e35007f 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all hostname file +net none no3d nogroups nonewprivs diff --git a/etc/fontforge.profile b/etc/fontforge.profile index 2b3d0f258..e8e3df62b 100644 --- a/etc/fontforge.profile +++ b/etc/fontforge.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/franz.profile b/etc/franz.profile index 859c6ed9b..c5e019947 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -32,7 +32,7 @@ noroot protocol unix,inet,inet6,netlink seccomp shell none -tracelog +#tracelog private-dev private-tmp diff --git a/etc/galculator.profile b/etc/galculator.profile index c346a382d..897946e7a 100644 --- a/etc/galculator.profile +++ b/etc/galculator.profile @@ -17,6 +17,7 @@ mkdir ~/.config/galculator whitelist ~/.config/galculator caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/gedit.profile b/etc/gedit.profile index c1bdacf44..3e78d939e 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile @@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/gimp.profile b/etc/gimp.profile index 7d2738adf..0fe462912 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index 6258b1f77..e36294930 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile 
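Review bot: The franz hunk turns `tracelog` into `#tracelog` with no reason given, while the commit subject only speaks of net none/netfilter. `tracelog` is what logs blacklist violations to syslog, so silently dropping it removes the one signal that would show which blacklisted path the application touched; if it had to go because of a concrete breakage, record it on the line, e.g. `#tracelog - <what it broke>`, matching the `#private-tmp - problems with multiple browser sessions` style already used in the chromium profiles.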
@@ -16,6 +16,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index ec5914e37..2d70bf7ef 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile @@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index d571aff88..8b569e563 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 158311711..ed9dc0a03 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile @@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/goobox.profile b/etc/goobox.profile index c670d5ec7..129d17ae7 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/gpicview.profile b/etc/gpicview.profile index d1dee8914..f457f0590 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index bc5d7dddf..4d6237067 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs 
diff --git a/etc/highlight.profile b/etc/highlight.profile index 327c77696..fefbcc55d 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/hugin.profile b/etc/hugin.profile index 5d2891321..26e696f0d 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 1ac5e1fb0..8f63b103d 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/inkscape.profile b/etc/inkscape.profile index 450e819b9..af1be565b 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index 56cf43104..9cb845b50 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile @@ -21,6 +21,7 @@ include /etc/firejail/disable-devel.inc #Options caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/kate.profile b/etc/kate.profile index c4178a776..97372f752 100644 --- a/etc/kate.profile +++ b/etc/kate.profile @@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 24d7daa89..1d425cf47 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile 
@@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 64fe62fb6..34e260f8f 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile @@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all machine-id +net none no3d nogroups nonewprivs diff --git a/etc/keepassx2.profile b/etc/keepassx2.profile index fee04b6fb..0536866fb 100644 --- a/etc/keepassx2.profile +++ b/etc/keepassx2.profile @@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none no3d nogroups nonewprivs diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 719cf1dec..3ab4115e6 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile @@ -18,6 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/kino.profile b/etc/kino.profile index 73b1e060b..bb37d56ab 100644 --- a/etc/kino.profile +++ b/etc/kino.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/knotes.profile b/etc/knotes.profile index 6a1233db0..b1883112c 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 342427090..7ac881f6a 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile @@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/leafpad.profile b/etc/leafpad.profile index 7403a13ab..fc2cc7e09 100644 --- a/etc/leafpad.profile 
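Review bot: keepassxc gains `net none` (keepassx and keepassx2 on this line too), and for keepassxc specifically the KeePassHTTP browser integration shipped in 2.x builds listens on a localhost TCP port; inside a fresh network namespace the browser on the host presumably cannot reach it, so it is worth confirming that this is intended rather than an unnoticed regression. If the integration is meant to stay unusable under the sandbox, a comment such as `# net none also disables KeePassHTTP browser integration` next to the line would explain the trade-off to users who hit it.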
+++ b/etc/leafpad.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 0b8742e49..f73c83cbd 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace +netfilter nogroups nonewprivs noroot diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index 9e8bac878..42996af04 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index 49057d0ab..eac72c6db 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index 75b51f96d..e083e8b88 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index b9b445ac6..74fe4bd69 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile @@ -11,6 +11,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index c6e95cc5c..8758d66b9 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile 
@@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nonewprivs nogroups noroot diff --git a/etc/meld.profile b/etc/meld.profile index 535745e6f..503f6d07c 100644 --- a/etc/meld.profile +++ b/etc/meld.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/mousepad.profile b/etc/mousepad.profile index fc788fea6..c3e85d55f 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/mupdf.profile b/etc/mupdf.profile index 39b801e1a..ca61edfdd 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 71d2b2192..4f2f50d9f 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile @@ -22,6 +22,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter +nogroups nonewprivs noroot protocol unix diff --git a/etc/nemo.profile b/etc/nemo.profile index d4bb0d5ff..5e6f4936f 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile @@ -17,6 +17,7 @@ include /etc/firejail/disable-devel.inc caps.drop all netfilter no3d +nogroups nonewprivs noroot nosound diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index 58440e50f..8cfadd9ac 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/okular.profile b/etc/okular.profile index 0944e900c..578f01915 100644 --- a/etc/okular.profile +++ b/etc/okular.profile 
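Review bot: In the mediainfo hunk the new `net none` is inserted above `nonewprivs nogroups`, leaving that pair out of the alphabetical order that the display hunk in this same commit goes out of its way to restore (`nogroups` before `noroot`); the okular hunk below has the same `nonewprivs`/`nogroups` inversion. Swapping the two lines, `nogroups` then `nonewprivs`, keeps the option list sorted, which is what makes these one-line profile diffs reviewable at a glance.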
@@ -21,6 +21,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nonewprivs nogroups noroot diff --git a/etc/orage.profile b/etc/orage.profile index ee96076eb..c9977d002 100644 --- a/etc/orage.profile +++ b/etc/orage.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 67ab7f9e6..654904f17 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none no3d nonewprivs noroot diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 4adb01c3f..2465be252 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -19,6 +19,7 @@ include /etc/firejail/disable-devel.inc #Options caps.drop all #ipc-namespace +net none no3d nogroups nonewprivs diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index 882b10678..e5dab840f 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/peek.profile b/etc/peek.profile index c2dd5c010..811eb701b 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +net none no3d nogroups nonewprivs diff --git a/etc/qlipper.profile b/etc/qlipper.profile index 6989acb7a..d57856c1a 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/ranger.profile b/etc/ranger.profile index 55e43d13b..ab0545aaf 100644 --- a/etc/ranger.profile 
+++ b/etc/ranger.profile @@ -18,6 +18,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none +nogroups nonewprivs noroot protocol unix diff --git a/etc/ristretto.profile b/etc/ristretto.profile index 5c72f9eb8..3d3491658 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index c714fc70a..bcb42f624 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/tracker.profile b/etc/tracker.profile index d7b68ea5c..b87bebf43 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 2447edc35..743f9ff4f 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nonewprivs noroot nosound diff --git a/etc/viewnior.profile b/etc/viewnior.profile index 3b2b54264..20f738d42 100644 --- a/etc/viewnior.profile +++ b/etc/viewnior.profile @@ -19,6 +19,7 @@ blacklist ~/.bashrc blacklist ~/.Xauthority caps.drop all +net none nogroups nonewprivs noroot diff --git a/etc/vym.profile b/etc/vym.profile index 13fa08d4f..d3058fa64 100644 --- a/etc/vym.profile +++ b/etc/vym.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs 
diff --git a/etc/xfburn.profile b/etc/xfburn.profile index aaef6bb60..7bfeba2b1 100644 --- a/etc/xfburn.profile +++ b/etc/xfburn.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +netfilter nogroups nonewprivs noroot diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile index 544225920..e3215d6ea 100644 --- a/etc/xfce4-notes.profile +++ b/etc/xfce4-notes.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter no3d nogroups nonewprivs diff --git a/etc/xpdf.profile b/etc/xpdf.profile index 1f2344e21..ce8cd2459 100644 --- a/etc/xpdf.profile +++ b/etc/xpdf.profile @@ -16,6 +16,7 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +net none no3d nogroups nonewprivs diff --git a/etc/zathura.profile b/etc/zathura.profile index 53e905e9c..502e066c8 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all +net none nogroups nonewprivs noroot -- cgit v1.2.3-54-g00ecf From b1c7c360efd5b2ae749b5d4bb3612774ef716ec6 Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Tue, 1 Aug 2017 22:57:01 -0500 Subject: Fixes --- etc/audacity.profile | 2 +- etc/bleachbit.profile | 2 +- etc/bless.profile | 2 +- etc/img2txt.profile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/audacity.profile b/etc/audacity.profile index 9ce997361..7c2072960 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -15,7 +15,7 @@ include /etc/firejail/disable-programs.inc caps.drop all #ipc-namespace -netfilter +net none no3d nogroups nonewprivs diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index 7ecf899c9..f2553cd9c 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile 
@@ -13,7 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc caps.drop all #ipc-namespace -netfilter +net none no3d nogroups nonewprivs diff --git a/etc/bless.profile b/etc/bless.profile index ea9a2d8ec..25881fa3d 100644 --- a/etc/bless.profile +++ b/etc/bless.profile @@ -21,7 +21,7 @@ include /etc/firejail/disable-devel.inc #Options caps.drop all #ipc-namespace -netfilter +net none no3d nogroups nonewprivs diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 8f63b103d..2ea359e72 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile @@ -12,7 +12,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -netfilter +net none nogroups nonewprivs noroot -- cgit v1.2.3-54-g00ecf