From 68fd00cfe4033a0299c481825373df696b7acdb5 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 17 Mar 2018 15:56:06 -0400
Subject: Move apparmor option to the top of the options list in all profiles

---
 etc/ark.profile | 2 +-
 etc/atril.profile | 2 +-
 etc/audacious.profile | 2 +-
 etc/audacity.profile | 2 +-
 etc/chromium-common.profile | 2 +-
 etc/digikam.profile | 2 +-
 etc/electron.profile | 2 +-
 etc/eog.profile | 2 +-
 etc/eom.profile | 2 +-
 etc/firefox-common.profile | 2 +-
 etc/galculator.profile | 2 +-
 etc/gimp.profile | 2 +-
 etc/gnome-calculator.profile | 2 +-
 etc/handbrake.profile | 2 +-
 etc/inkscape.profile | 2 +-
 etc/kate.profile | 2 +-
 etc/kdenlive.profile | 2 +-
 etc/kodi.profile | 2 +-
 etc/krita.profile | 2 +-
 etc/kwrite.profile | 2 +-
 etc/libreoffice.profile | 2 +-
 etc/mpv.profile | 2 +-
 etc/okular.profile | 2 +-
 etc/openshot.profile | 2 +-
 etc/qbittorrent.profile | 2 +-
 etc/rhythmbox.profile | 2 +-
 etc/smplayer.profile | 2 +-
 etc/totem.profile | 2 +-
 etc/transmission-gtk.profile | 2 +-
 etc/transmission-qt.profile | 3 +--
 etc/vlc.profile | 2 +-
 31 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/etc/ark.profile b/etc/ark.profile
index f3e366854..beeb652cf 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none
 netfilter
@@ -29,7 +30,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/atril.profile b/etc/atril.profile
index 5d8cc54bd..a05f11076 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 no3d
@@ -31,7 +32,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
 
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 818d4455b..93ba5a45d 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -26,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 # private-bin audacious
 private-dev
 
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 3575e297a..8c85dd6be 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 #net none
 no3d
@@ -29,7 +30,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin audacity
 private-dev
 
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index 0e7e185d0..a11947334 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -17,13 +17,13 @@ whitelist ${HOME}/.pki
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
 nogroups
 notv
 shell none
-apparmor
 disable-mnt
 private-dev
 
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 179204036..516876c6b 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -28,7 +29,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
-apparmor
 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
 
diff --git a/etc/electron.profile b/etc/electron.profile
index 2ff61914e..222beada0 100644
--- a/etc/electron.profile
+++ b/etc/electron.profile
@@ -11,6 +11,7 @@ include /etc/firejail/disable-programs.inc
 
 whitelist ${DOWNLOADS}
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -20,4 +21,3 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-apparmor
diff --git a/etc/eog.profile b/etc/eog.profile
index e5302a84f..545a6e432 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none - makes settings immutable
 no3d
@@ -32,7 +33,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 private-bin eog
 private-dev
 
diff --git a/etc/eom.profile b/etc/eom.profile
index e5024a2bf..c7c92db0e 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none - makes settings immutable
 no3d
@@ -33,7 +34,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin eom
 private-dev
 
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 021c9b6a4..12d160155 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -20,6 +20,7 @@ whitelist ${HOME}/.pki
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required
 #machine-id
@@ -33,7 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
-apparmor
 disable-mnt
 private-dev
 
diff --git a/etc/galculator.profile b/etc/galculator.profile
index c851e7038..b28c7943f 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -19,6 +19,7 @@ whitelist ${HOME}/.config/galculator
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodvd
@@ -32,7 +33,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin galculator
 private-dev
 
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 1f15677a1..3cc012a88 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 net none
 nodvd
@@ -26,7 +27,6 @@ notv
 protocol unix
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index b6fcb0668..d13208a1e 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 no3d
@@ -27,7 +28,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-apparmor
 disable-mnt
 private-bin gnome-calculator
 
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index dd814222b..b99842d60 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -23,7 +24,6 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 924691743..6e669ea2c 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -28,7 +29,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 # private-bin inkscape,potrace - problems on Debian stretch
 private-dev
 
diff --git a/etc/kate.profile b/etc/kate.profile
index d1cfef49b..43f38d7e6 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -21,6 +21,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none
 netfilter
@@ -35,7 +36,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 # private-bin kate
 private-dev
 
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index a52cd832f..424ad767e 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+apparmor
 caps.drop all
 # net none
 nodvd
@@ -25,7 +26,6 @@ notv
 protocol unix,netlink
 seccomp
 shell none
-apparmor
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
 
diff --git a/etc/kodi.profile b/etc/kodi.profile
index 4eb2c9df1..dfe019641 100644
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -21,7 +22,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/krita.profile b/etc/krita.profile
index 9fddf2214..0f4c5210b 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
+apparmor
 caps.drop all
 ipc-namespace
 # net none
@@ -27,7 +28,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 386ef142c..6e8e33cb3 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -22,6 +22,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 # net none
 netfilter
@@ -36,7 +37,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin kwrite,kbuildsycoca4,kdeinit4
 private-dev
 
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index a67fafa30..8b801f11e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -28,7 +29,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/mpv.profile b/etc/mpv.profile
index e864d5d45..a4dc679f4 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -24,7 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin mpv,youtube-dl,python*,env
 private-dev
 
diff --git a/etc/okular.profile b/etc/okular.profile
index 016316b29..ffe0d2bfb 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -25,6 +25,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 # net none
@@ -40,7 +41,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor
 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
 
diff --git a/etc/openshot.profile b/etc/openshot.profile
index 5d81df193..ca9110be6 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -25,7 +26,6 @@ notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-dev
 private-tmp
 
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 60bcc73d2..8df8177eb 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -26,6 +26,7 @@ whitelist ${HOME}/.local/share/data/qBittorrent
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -39,7 +40,6 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-bin qbittorrent,python*
 private-dev
 
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index b6f16cecf..a20bdb883 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d
@@ -25,7 +26,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin rhythmbox
 private-dev
 
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index d0180e185..64eff5670 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # nogroups
@@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-bin smplayer,smtube,mplayer,mpv
 private-dev
 
diff --git a/etc/totem.profile b/etc/totem.profile
index 2b591cc69..6dbc5f0c2 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 nogroups
@@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 shell none
-apparmor
 private-bin totem
 private-dev
 
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index d67bda4cc..3d249748d 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/transmission
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -34,7 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin transmission-gtk
 private-dev
 
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index f2bfd1ff6..4f4d9bac1 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -21,6 +21,7 @@ whitelist ${HOME}/.config/transmission
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 machine-id
 netfilter
@@ -34,7 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor
 private-bin transmission-qt
 private-dev
 
@@ -42,4 +42,3 @@ private-dev
 private-tmp
 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
 
-
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c244be08b..dad9a9ae1 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 
 include /etc/firejail/whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # nogroups
@@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor
 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev
 
--
cgit v1.2.3-54-g00ecf