From ec34ed78af30cba5b582ab7c06951d2632c7b3e8 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 28 Mar 2016 12:05:15 -0400 Subject: introducing disable-passwdmgr.inc --- Makefile.in | 1 + etc/Mathematica.profile | 1 + etc/atril.profile | 8 +++----- etc/audacious.profile | 7 +++---- etc/bitlbee.profile | 1 + etc/cherrytree.profile | 4 ++++ etc/chromium.profile | 1 - etc/clementine.profile | 7 +++---- etc/conkeror.profile | 4 ++-- etc/deadbeef.profile | 7 +++---- etc/deluge.profile | 7 +++---- etc/disable-passwdmgr.inc | 6 ++++++ etc/dnscrypt-proxy.profile | 2 ++ etc/dropbox.profile | 7 +++---- etc/empathy.profile | 2 ++ etc/evince.profile | 6 ++---- etc/fbreader.profile | 6 ++---- etc/filezilla.profile | 1 + etc/firefox.profile | 1 - etc/flashpeak-slimjet.profile | 1 - etc/generic.profile | 7 +++---- etc/gnome-mplayer.profile | 6 ++---- etc/google-chrome-beta.profile | 1 - etc/google-chrome-unstable.profile | 1 - etc/google-chrome.profile | 1 - etc/hedgewars.profile | 2 ++ etc/kmail.profile | 5 +---- etc/lxterminal.profile | 6 +----- etc/mupen64plus.profile | 1 + etc/opera-beta.profile | 1 - etc/opera.profile | 1 - etc/parole.profile | 6 +----- etc/qbittorrent.profile | 5 +---- etc/qutebrowser.profile | 1 - etc/rhythmbox.profile | 5 +---- etc/rtorrent.profile | 1 + etc/seamonkey.profile | 1 - etc/server.profile | 1 + etc/spotify.profile | 1 + etc/ssh.profile | 6 ++---- etc/steam.profile | 1 + etc/totem.profile | 5 +---- etc/transmission-gtk.profile | 5 +---- etc/transmission-qt.profile | 5 +---- etc/unbound.profile | 1 + etc/vivaldi.profile | 1 - etc/vlc.profile | 5 +---- etc/wesnoth.profile | 2 +- etc/xchat.profile | 1 + platform/debian/conffiles | 1 + 50 files changed, 69 insertions(+), 97 deletions(-) create mode 100644 etc/disable-passwdmgr.inc diff --git a/Makefile.in b/Makefile.in index df010c199..76dff61ae 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -145,6 +145,7 @@ realinstall: install -c -m 0644 .etc/uget-gtk.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/mupen64plus.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/disable-programs.inc $(DESTDIR)/$(sysconfdir)/firejail/. + install -c -m 0644 .etc/disable-passwdmgr.inc $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/lxterminal.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/cherrytree.profile $(DESTDIR)/$(sysconfdir)/firejail/. install -c -m 0644 .etc/wesnoth.profile $(DESTDIR)/$(sysconfdir)/firejail/. diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 1ee50b4d4..52fd62ada 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -9,6 +9,7 @@ include /etc/firejail/whitelist-common.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp diff --git a/etc/atril.profile b/etc/atril.profile index d0df28ac2..f142f50bc 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -2,16 +2,14 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +blacklist ${HOME}/.wine -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store caps.drop all seccomp protocol unix,inet,inet6 netfilter noroot - tracelog diff --git a/etc/audacious.profile b/etc/audacious.profile index 690463a46..0c79d02ac 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile 
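Review bot: The added `install` line in `realinstall` places disable-passwdmgr.inc under `$(DESTDIR)/$(sysconfdir)/firejail/`, while every profile changed in this commit includes it by the fixed path `/etc/firejail/disable-passwdmgr.inc`, so a build configured with a sysconfdir other than /etc would install a file the profiles never find. How firejail reacts to an unresolved include is not visible here; if it carries on, the sandbox would start without the password-store blacklist. Either rewrite the include paths at install time or record the constraint above the rule, e.g. `# profiles include /etc/firejail/*.inc by absolute path; sysconfdir must resolve to /etc`. The body of `realinstall` continues outside this hunk.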
@@ -2,11 +2,10 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +include /etc/firejail/disable-passwdmgr.inc + blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 753e42480..fb84c260a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -3,6 +3,7 @@ noblacklist /sbin noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc + protocol unix,inet,inet6 private private-dev diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 349cc7acf..3cc384b37 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -2,6 +2,9 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +blacklist ${HOME}/.wine whitelist ${HOME}/cherrytree mkdir ~/.config @@ -10,6 +13,7 @@ whitelist ${HOME}/.config/cherrytree/ mkdir ~/.local mkdir ~/.local/share whitelist ${HOME}/.local/share/ + caps.drop all seccomp protocol unix,inet,inet6,netlink diff --git a/etc/chromium.profile b/etc/chromium.profile index 58f62daa2..7cf2853ca 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -1,7 +1,6 @@ # Chromium browser profile noblacklist ~/.config/chromium noblacklist ~/.cache/chromium -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/clementine.profile b/etc/clementine.profile index cc0614551..a02e05f9c 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile 
@@ -2,11 +2,10 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +include /etc/firejail/disable-passwdmgr.inc + blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 67e529d0a..007eef663 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -2,11 +2,13 @@ noblacklist ${HOME}/.conkeror.mozdev.org include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc + caps.drop all seccomp protocol unix,inet,inet6 netfilter noroot + whitelist ~/.conkeror.mozdev.org whitelist ~/Downloads whitelist ~/dwhelper @@ -18,6 +20,4 @@ whitelist ~/.vimperator whitelist ~/.pentadactylrc whitelist ~/.pentadactyl whitelist ~/.conkerorrc - -# common include /etc/firejail/whitelist-common.inc diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 89661d83c..dbf4531c4 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -2,11 +2,10 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +include /etc/firejail/disable-passwdmgr.inc + blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/deluge.profile b/etc/deluge.profile index eef2a42ee..9b2c65656 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile 
@@ -2,11 +2,10 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +include /etc/firejail/disable-passwdmgr.inc + blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/disable-passwdmgr.inc b/etc/disable-passwdmgr.inc new file mode 100644 index 000000000..c1e68d1ec --- /dev/null +++ b/etc/disable-passwdmgr.inc @@ -0,0 +1,6 @@ +blacklist ${HOME}/.pki/nssdb +blacklist ${HOME}/.lastpass +blacklist ${HOME}/.keepassx +blacklist ${HOME}/.password-store +blacklist ${HOME}/keepassx.kdbx + diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile index dc6b783ee..bd7e19dc2 100644 --- a/etc/dnscrypt-proxy.profile +++ b/etc/dnscrypt-proxy.profile @@ -4,6 +4,8 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + private private-dev seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 3b48f0d49..ea0dc1fcb 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile 
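Review bot: The new etc/disable-passwdmgr.inc has no header comment, and its five `blacklist` lines match fixed default locations only: the last entry, `${HOME}/keepassx.kdbx`, covers a single file name at the top of the home directory, so a KeePassX database kept under another name or directory stays readable inside the sandbox. I would open the file with `# Password-manager and NSS certificate stores at their default paths; include from profiles that have no need to read them` and `# A database kept elsewhere is not covered; add a local blacklist entry for it`. The empathy, filezilla and xchat hunks in this commit add only blank lines and do not include this file; if that is deliberate, a one-line comment in those profiles would say so.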
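Review bot: In etc/dnscrypt-proxy.profile the new include sits directly above `private`, and every entry of disable-passwdmgr.inc is a `${HOME}` path; if `private` gives the sandbox an empty home directory, the blacklist has nothing to hide here and serves only as a second layer should `private` ever be dropped. Once that is confirmed, a short comment would keep a later cleanup from removing the wrong one, e.g. `# kept as defence in depth; private already replaces the home directory`. The same applies to the server.profile and unbound.profile hunks, where `private` also follows the include.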
@@ -1,11 +1,10 @@ # dropbox profile include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +include /etc/firejail/disable-passwdmgr.inc + blacklist ${HOME}/.wine + caps seccomp protocol unix,inet,inet6 diff --git a/etc/empathy.profile b/etc/empathy.profile index 1c46f8b3e..37277e3d1 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -2,7 +2,9 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc + blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/evince.profile b/etc/evince.profile index 13b342f06..693593713 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -2,12 +2,10 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 4b45208d7..c45acc901 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -3,12 +3,10 @@ noblacklist ${HOME}/.FBReader include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 09e56b1ce..dc677542f 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile 
@@ -6,6 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/firefox.profile b/etc/firefox.profile index 2d2716256..1ea94a2c7 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -2,7 +2,6 @@ noblacklist ~/.mozilla noblacklist ~/.cache/mozilla -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 3f6af42b1..94c672acf 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -7,7 +7,6 @@ # noblacklist ~/.config/slimjet noblacklist ~/.cache/slimjet -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/generic.profile b/etc/generic.profile index 2bf7a0703..f2c7d4114 100644 --- a/etc/generic.profile +++ b/etc/generic.profile @@ -3,11 +3,10 @@ ################################ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +#blacklist ${HOME}/.wine -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 1138a73bd..a96b19ec3 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile @@ -2,12 +2,10 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 
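Review bot: The added line `#blacklist ${HOME}/.wine` in etc/generic.profile is a commented-out directive, so the generic profile still leaves `~/.wine` readable while most other profiles touched here carry an active `blacklist ${HOME}/.wine`. Either enable the line or replace it with a comment that states why it is off, e.g. `# ~/.wine intentionally left accessible: <reason>`. A disabled rule with no explanation in a sandbox policy tends to be read as protection that is in place.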
diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 8ca049778..11f9f9e33 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -1,7 +1,6 @@ # Google Chrome beta browser profile noblacklist ~/.config/google-chrome-beta noblacklist ~/.cache/google-chrome-beta -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 3e238d8f8..f253e5a90 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -1,7 +1,6 @@ # Google Chrome unstable browser profile noblacklist ~/.config/google-chrome-unstable noblacklist ~/.cache/google-chrome-unstable -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index afc57f948..5e168aae5 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -1,7 +1,6 @@ # Google Chrome browser profile noblacklist ~/.config/google-chrome noblacklist ~/.cache/google-chrome -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 13a311070..53d0c2eaf 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -3,6 +3,7 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all noroot @@ -12,3 +13,4 @@ tracelog mkdir ~/.hedgewars whitelist ~/.hedgewars +include /etc/firejail/whitelist-common.inc diff --git a/etc/kmail.profile b/etc/kmail.profile index 78e72a7a7..67a7b4eb1 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile 
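Review bot: The second hunk of etc/hedgewars.profile appends `include /etc/firejail/whitelist-common.inc` after `whitelist ~/.hedgewars`, a change the commit title does not cover; it extends what the whitelisted home exposes by whatever that file lists, which is not visible in this diff. I would move it to its own commit or mention it in the message, and put a comment above it such as `# shared whitelist entries for whitelist-based profiles`. With a whitelist in place it is also worth confirming that the disable-passwdmgr.inc blacklist added in the first hunk still takes effect for any path the common whitelist might expose.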
@@ -3,11 +3,8 @@ noblacklist ${HOME}/.gnupg include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 88a7a8c7a..b6acf2587 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -2,11 +2,7 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc - -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 45dc4757f..101074c24 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -3,6 +3,7 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc mkdir ${HOME}/.local mkdir ${HOME}/.local/share diff --git a/etc/opera-beta.profile b/etc/opera-beta.profile index 7b74d6dd1..3d6edb286 100644 --- a/etc/opera-beta.profile +++ b/etc/opera-beta.profile @@ -1,7 +1,6 @@ # Opera-beta browser profile noblacklist ~/.config/opera-beta noblacklist ~/.cache/opera-beta -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/opera.profile b/etc/opera.profile index 2d7a9ca06..11e6e2a6e 100644 --- a/etc/opera.profile +++ b/etc/opera.profile 
@@ -1,7 +1,6 @@ # Opera browser profile noblacklist ~/.config/opera noblacklist ~/.cache/opera -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/parole.profile b/etc/parole.profile index 9f63e5b16..0c9a72143 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -2,15 +2,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc private-etc passwd,group,fonts private-bin parole,dbus-launch -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store - caps.drop all seccomp protocol unix,inet,inet6 diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 9ad073b05..121d08a13 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -2,11 +2,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 3b7bf2d55..934a374de 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -19,5 +19,4 @@ whitelist ~/.config/qutebrowser mkdir ~/.cache mkdir ~/.cache/qutebrowser whitelist ~/.cache/qutebrowser - include /etc/firejail/whitelist-common.inc diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 50838a15b..a3204c5f9 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile 
@@ -2,11 +2,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 67477dad6..ae0430830 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -2,6 +2,7 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 71a52b3bb..a10d5b0ec 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -1,7 +1,6 @@ # Firejail profile for Seamoneky based off Mozilla Firefox noblacklist ~/.mozilla noblacklist ~/.cache/mozilla -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/server.profile b/etc/server.profile index 61d10ba64..1b3cb7207 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -4,6 +4,7 @@ noblacklist /sbin noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc private private-dev diff --git a/etc/spotify.profile b/etc/spotify.profile index 326d5d93e..dfe298e1d 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -2,6 +2,7 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc # Whitelist the folders needed by Spotify - This is more restrictive # than a blacklist though, but this is all spotify requires for 
diff --git a/etc/ssh.profile b/etc/ssh.profile index 32536c0a7..7e105724e 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -2,11 +2,9 @@ noblacklist ~/.ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store +blacklist ${HOME}/.wine caps.drop all seccomp diff --git a/etc/steam.profile b/etc/steam.profile index 31ebf543e..4c96e8258 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -4,6 +4,7 @@ noblacklist ${HOME}/.local/share/steam include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter diff --git a/etc/totem.profile b/etc/totem.profile index ad55e320a..5eeeb4402 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -2,11 +2,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index ac685aee4..9e64c6d59 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -2,11 +2,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index b8dffbece..1059ad3ee 100644 --- a/etc/transmission-qt.profile 
+++ b/etc/transmission-qt.profile @@ -2,11 +2,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/unbound.profile b/etc/unbound.profile index 24ca88b03..4365e4fee 100644 --- a/etc/unbound.profile +++ b/etc/unbound.profile @@ -4,6 +4,7 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc private private-dev diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index a4ab60e6c..449d9a168 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -1,7 +1,6 @@ # Vivaldi browser profile noblacklist ~/.config/vivaldi noblacklist ~/.cache/vivaldi -noblacklist ~/keepassx.kdbx include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc diff --git a/etc/vlc.profile b/etc/vlc.profile index 7cd913040..0a7469339 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -3,11 +3,8 @@ noblacklist ${HOME}/.config/vlc include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc -blacklist ${HOME}/.pki/nssdb -blacklist ${HOME}/.lastpass -blacklist ${HOME}/.keepassx -blacklist ${HOME}/.password-store blacklist ${HOME}/.wine caps.drop all diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 4075232d2..24b245b6c 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile 
@@ -1,8 +1,8 @@ # Whitelist-based profile for "Battle for Wesnoth" (game). - include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc caps.drop all seccomp diff --git a/etc/xchat.profile b/etc/xchat.profile index ae1a6de53..7c11ba76c 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -5,6 +5,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc blacklist ${HOME}/.wine + caps.drop all seccomp protocol unix,inet,inet6 diff --git a/platform/debian/conffiles b/platform/debian/conffiles index 64a7006a3..267990a24 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles @@ -76,3 +76,4 @@ /etc/firejail/ssh /etc/firejail/openbox /etc/firejail/disable-programs.inc +/etc/firejail/disable-passwdmgr.inc -- cgit v1.2.3-54-g00ecf