From cbbfcfd59519c555c8e4a347bf0d4e20ab717cd5 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 19 Sep 2017 18:48:37 -0400
Subject: 1 LIST
---
 etc/7z.profile | 1 +
 etc/atom.profile | 3 ++
 etc/calligra.profile | 3 +-
 etc/cin.profile | 2 +-
 etc/cinelerra.profile | 31 ++++++++++++++++++
 etc/cliqz.profile | 83 ++++++++++++++++++++++++++++++++++++++++++++++++
 etc/dia.profile | 1 +
 etc/evince.profile | 1 +
 etc/hugin.profile | 1 +
 etc/inkscape.profile | 2 +-
 etc/inox.profile | 4 +++
 etc/kdenlive.profile | 2 +-
 etc/libreoffice.profile | 1 +
 etc/natron.profile | 1 +
 etc/openshot-qt.profile | 31 ++++++++++++++++++
 etc/pinta.profile | 33 +++++++++++++++++++
 etc/scribus.profile | 1 +
 etc/shotcut.profile | 2 +-
 etc/synfigstudio.profile | 3 +-
 etc/tar.profile | 1 +
 etc/unrar.profile | 1 +
 etc/unzip.profile | 1 +
 22 files changed, 203 insertions(+), 6 deletions(-)
 create mode 100644 etc/cinelerra.profile
 create mode 100644 etc/cliqz.profile
 create mode 100644 etc/openshot-qt.profile
 create mode 100644 etc/pinta.profile
diff --git a/etc/7z.profile b/etc/7z.profile
index ea67bbe19..53900bae6 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -17,6 +17,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 private-dev
diff --git a/etc/atom.profile b/etc/atom.profile
index 8629c3dd8..6fb6048b6 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
@@ -5,6 +5,8 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+noexec ${HOME}
+noexec /tmp
 noblacklist ~/.atom
 noblacklist ~/.config/Atom
@@ -23,6 +25,7 @@ notv
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
+net none
 shell none
 private-dev
diff --git a/etc/calligra.profile b/etc/calligra.profile
index e90c8efe8..8c7e49121 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
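Review bot: The two added `noexec` lines sit between `include /etc/firejail/globals.local` and the `noblacklist` lines, whereas every other profile in this commit keeps `noexec ${HOME}` and `noexec /tmp` as the last two lines after `private-dev`; moving them to the end keeps the profiles uniform and easier to diff against each other. Note also that `noexec ${HOME}` covers `~/.atom`, which the profile explicitly unblacklists; if user-installed packages there contain native modules, they presumably cannot be mapped executable under this flag, so a quick functional check is worth recording (this same commit had to comment the flag out again for calligra, kdenlive and shotcut).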
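Review bot: `net none` is added while `protocol unix,inet,inet6,netlink` two lines above still allows inet sockets to be created; since the jail now has no external interfaces, narrowing to `protocol unix` removes that socket family at the seccomp level instead of merely leaving it unconnected, which is the least-privilege shape the new cinelerra and pinta profiles in this commit use (`net none` paired with `protocol unix`). The libreoffice and natron hunks add `net none` with the same leftover `protocol unix,inet,inet6` and should get the same tightening. Whether Atom stays usable without network (package installation, git integration) is presumably the trade-off here and deserves a comment next to the directive, e.g. `# net none: disables apm/package updates by design`.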
@@ -21,9 +21,10 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index eeeda476f..93a94c910 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -24,7 +24,7 @@ protocol unix
 seccomp
 shell none
-#private-bin cin
+private-bin cin
 private-dev
 noexec ${HOME}
diff --git a/etc/cinelerra.profile b/etc/cinelerra.profile
new file mode 100644
index 000000000..bd75a66a9
--- /dev/null
+++ b/etc/cinelerra.profile
@@ -0,0 +1,31 @@
+# Firejail profile for cin
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/cin.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.bcast
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+notv
+noroot
+protocol unix
+seccomp
+shell none
+
+private-bin cinelerra
+private-dev
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/cliqz.profile b/etc/cliqz.profile
new file mode 100644
index 000000000..9c0f44e97
--- /dev/null
+++ b/etc/cliqz.profile
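Review bot: `noexec ${HOME}` becomes `#noexec ${HOME}` with no note on what broke, so a later reader cannot tell whether the relaxation is temporary or required; the kdenlive and shotcut hunks in this commit make the identical change with the same silence. Dropping the flag widens what the sandboxed process may execute from the home directory, which is exactly the kind of step a profile should justify in place, e.g. `# noexec ${HOME} disabled: <reason / affected feature>` directly above the commented line, so it can be re-enabled once the cause is fixed.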
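Review bot: The header and the local include in the new cinelerra.profile are copied from cin.profile (`# Firejail profile for cin`, `include /etc/firejail/cin.local`), so user customizations for this profile are read from cin.local and the two profiles silently share one local override file. Changing them to `# Firejail profile for cinelerra` and `include /etc/firejail/cinelerra.local` follows the name-matching convention visible elsewhere in this diff (atom.profile includes atom.local). The same copy-paste residue appears in the new openshot-qt.profile (`openshot.local`), pinta.profile (`krita.local`) and cliqz.profile (`firefox.local`).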
@@ -0,0 +1,83 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.cache/cliqz
+noblacklist ~/.config/cliqz
+noblacklist ~/.config/okularpartrc
+noblacklist ~/.config/okularrc
+noblacklist ~/.config/qpdfview
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularpartrc
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde4/share/apps/okular
+noblacklist ~/.kde4/share/config/okularpartrc
+noblacklist ~/.kde4/share/config/okularrc
+noblacklist ~/.local/share/gnome-shell/extensions
+noblacklist ~/.local/share/okular
+noblacklist ~/.local/share/qpdfview
+
+noblacklist ~/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.cache/mozilla/firefox
+mkdir ~/.mozilla
+mkdir ~/.pki
+whitelist ${DOWNLOADS}
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.config/okularpartrc
+whitelist ~/.config/okularrc
+whitelist ~/.config/pipelight-silverlight5.1
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/qpdfview
+whitelist ~/.kde/share/apps/okular
+whitelist ~/.kde/share/config/okularpartrc
+whitelist ~/.kde/share/config/okularrc
+whitelist ~/.kde4/share/apps/okular
+whitelist ~/.kde4/share/config/okularpartrc
+whitelist ~/.kde4/share/config/okularrc
+whitelist ~/.keysnail.js
+whitelist ~/.lastpass
+whitelist ~/.local/share/gnome-shell/extensions
+whitelist ~/.local/share/okular
+whitelist ~/.local/share/qpdfview
+whitelist ~/.mozilla
+whitelist ~/.pentadactyl
+whitelist ~/.pentadactylrc
+whitelist ~/.pki
+whitelist ~/.vimperator
+whitelist ~/.vimperatorrc
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.zotero
+whitelist ~/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env
+private-dev
+# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/dia.profile b/etc/dia.profile
index abe83ac8c..6915318c0 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -25,6 +25,7 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 disable-mnt
 #private-bin dia
diff --git a/etc/evince.profile b/etc/evince.profile
index f503b9a8e..5e7596352 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -28,6 +28,7 @@ protocol unix
 seccomp
 shell none
 tracelog
+net none
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
diff --git a/etc/hugin.profile b/etc/hugin.profile
index ff88e0d5c..dd7e326c6 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -24,6 +24,7 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
 private-bin PTBatcherGUI,calibrate_lens_gui,hugin,hugin_stitch_project,align_image_stack,autooptimiser,celeste_standalone,checkpto,cpclean,cpfind,deghosting_mask,fulla,geocpset,hugin_executor,hugin_hdrmerge,hugin_lensdb,icpfind,linefind,nona,pano_modify,pano_trafo,pto_gen,pto_lensstack,pto_mask,pto_merge,pto_move,pto_template,pto_var,tca_correct,verdandi,vig_optimize,enblend
 private-dev
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index c062ab8ef..04c1020ab 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -27,7 +27,7 @@ protocol unix
 seccomp
 shell none
-#private-bin inkscape
+private-bin inkscape,potrace
 private-dev
 private-tmp
diff --git a/etc/inox.profile b/etc/inox.profile
index 6273c4de6..ec8d12387 100644
--- a/etc/inox.profile
+++ b/etc/inox.profile
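Review bot: `noblacklist ~/.cache/cliqz` and `noblacklist ~/.config/cliqz` have no matching `mkdir`/`whitelist` lines, while the Firefox-specific `mkdir ~/.cache/mozilla/firefox`, `mkdir ~/.mozilla` and `whitelist ~/.mozilla` were kept from the template; because this profile puts the home directory into whitelist mode (`whitelist ${DOWNLOADS}`, `include /etc/firejail/whitelist-common.inc`), only whitelisted paths are visible and a noblacklist alone does not expose a path, so the browser's own profile directories are presumably missing or read-only inside the jail. The fix adds the two cliqz directories to the mkdir and whitelist sets as shown below, after which the obsolete mozilla lines can be dropped; where Cliqz actually stores its profile should be confirmed against the application first. The legacy add-on whitelists (`~/.vimperator`, `~/.pentadactyl`, `~/.keysnail.js`, pipelight) are also Firefox leftovers and widen the visible home for no stated reason.
```conf
# … unchanged: header, noblacklist lines, disable-*.inc includes …
mkdir ~/.cache/cliqz
mkdir ~/.config/cliqz
mkdir ~/.pki
whitelist ${DOWNLOADS}
whitelist ~/.cache/cliqz
whitelist ~/.config/cliqz
# … unchanged: remaining whitelist lines and the rest of the profile …
```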
@@ -24,3 +24,7 @@ include /etc/firejail/whitelist-common.inc
 netfilter
 nodvd
 notv
+nogroups
+noroot
+shell none
+caps.keep sys_chroot,sys_admin
\ No newline at end of file
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index a1a5f957c..10c2909a0 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -26,5 +26,5 @@ private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvda
 private-dev
 #private-etc fonts,alternatives,X11,pulse,passwd
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 8d05a557c..9acdc3789 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -27,6 +27,7 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
+net none
 private-dev
diff --git a/etc/natron.profile b/etc/natron.profile
index d77539d83..b76649605 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -26,6 +26,7 @@ notv
 protocol unix,inet,inet6
 seccomp
 shell none
+net none
 private-bin natron,Natron,NatronRenderer
diff --git a/etc/openshot-qt.profile b/etc/openshot-qt.profile
new file mode 100644
index 000000000..02f4665d6
--- /dev/null
+++ b/etc/openshot-qt.profile
@@ -0,0 +1,31 @@
+# Firejail profile for openshot
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/openshot.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/pinta.profile b/etc/pinta.profile
new file mode 100644
index 000000000..2562e1b80
--- /dev/null
+++ b/etc/pinta.profile
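Review bot: `caps.keep sys_chroot,sys_admin` retains CAP_SYS_ADMIN, which by itself covers mount, namespace and a long list of other privileged operations, so it largely cancels the restriction that the neighbouring `nogroups` and `noroot` lines are meant to add; a one-line comment naming the consumer would let a later reviewer re-check whether it is still needed, e.g. `# sys_chroot/sys_admin: needed by the browser's own sandbox helper — TODO confirm`. The hunk also ends with `\ No newline at end of file`, so the new last line is written without a terminating newline; add one, since profile tooling and future diffs handle that more cleanly. Whether `noroot` (a user namespace, presumably) is what bounds this capability should be stated alongside it.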
@@ -0,0 +1,33 @@
+# Firejail profile for krita
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/krita.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+ipc-namespace
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+
+private-dev
+private-tmp
+
+
+whitelist ~/.config/Pinta
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/scribus.profile b/etc/scribus.profile
index dd06fa59f..a6e86a7d6 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -36,6 +36,7 @@ notv
 novideo
 protocol unix
 seccomp
+net none
 tracelog
 #private-bin scribus,gs
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index e30bc1f46..4e8b1da05 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -27,5 +27,5 @@ shell none
 #private-bin shotcut,melt,qmelt,nice
 private-dev
-noexec ${HOME}
+#noexec ${HOME}
 noexec /tmp
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index b0014ace6..1758659f2 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -25,8 +25,9 @@ novideo
 protocol unix
 seccomp
 shell none
+net none
-#private-bin synfigstudio
+#private-bin synfigstudio,synfig,ffmpeg
 private-dev
 private-tmp
diff --git a/etc/tar.profile b/etc/tar.profile
index f14894c25..6ac530b15 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 # support compressed archives
 private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
diff --git a/etc/unrar.profile b/etc/unrar.profile
index 12559a721..881572521 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 private-bin unrar
 private-dev
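Review bot: `whitelist ~/.config/Pinta` is the only whitelist directive in the new file, with no `mkdir ~/.config/Pinta`, no `whitelist ${DOWNLOADS}` and no `include /etc/firejail/whitelist-common.inc`; a single whitelist line switches the home directory to whitelist mode, so inside the jail the user would see only that directory and could not open or save images from their own folders (and if the directory does not exist yet the whitelist is skipped, leaving an empty home). If the intent is merely to keep the configuration directory reachable through the disable-*.inc blacklists, `noblacklist ~/.config/Pinta` placed with the includes near the top is what the new cinelerra and openshot-qt profiles in this commit do for their config directories. If whitelist mode is intended, add `mkdir ~/.config/Pinta`, `whitelist ${DOWNLOADS}` and the whitelist-common include instead. The double blank line before the whitelist line should also go.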
diff --git a/etc/unzip.profile b/etc/unzip.profile
index 9828fa9b4..f913385fb 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -18,6 +18,7 @@ notv
 novideo
 shell none
 tracelog
+caps.drop all
 private-bin unzip
 private-dev
-- cgit v1.2.3-54-g00ecf