From c435504a3eb66dee9a2964658bce8e17627e9c68 Mon Sep 17 00:00:00 2001
From: juan
Date: Sat, 16 Sep 2017 13:20:36 -0400
Subject: Add 5 profiles
---
 etc/ardour4.profile | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 etc/ardour4.profile
(limited to 'etc/ardour4.profile')
diff --git a/etc/ardour4.profile b/etc/ardour4.profile
new file mode 100644
index 000000000..3a52edb66
--- /dev/null
+++ b/etc/ardour4.profile
@@ -0,0 +1,34 @@
+# Firejail profile for ardour4
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/ardour4.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.config/ardour4
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ~/.config/ardour4
+whitelist ~/.config/ardour4
+whitelist ~/Music
+whitelist ~/Música
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin ardour4
+private-dev
+# private-etc ardour4
+private-tmp
-- cgit v1.2.3-54-g00ecf
From 60606c2d041dc08b0af10baff1b18dbf507f8d81 Mon Sep 17 00:00:00 2001
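Review bot: `whitelist ~/Música` hard-codes one locale's name for the music folder next to `whitelist ~/Music`, so a user whose folder has any other localized name starts ardour4 with no project directory visible and is likely to switch the profile off altogether. A comment such as `# other localized music folders: add a whitelist line in ardour4.local` would document the limit. The two commented lines `# private-bin ardour4` and `# private-etc ardour4` also carry no reason for being disabled.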
From: Tad Date: Sat, 16 Sep 2017 13:47:31 -0400 Subject: Fixup 36 profiles --- etc/Viber.profile | 20 +++++++------------- etc/amule.profile | 17 +++++++---------- etc/ardour4.profile | 33 ++------------------------------- etc/ardour5.profile | 25 +++++++++++-------------- etc/brackets.profile | 18 ++++++------------ etc/calligra.profile | 21 +++++---------------- etc/calligraauthor.profile | 2 +- etc/calligraconverter.profile | 2 +- etc/calligraflow.profile | 2 +- etc/calligraplan.profile | 2 +- etc/calligraplanwork.profile | 2 +- etc/calligrasheets.profile | 2 +- etc/calligrastage.profile | 2 +- etc/calligrawords.profile | 2 +- etc/cin.profile | 16 ++++++---------- etc/dooble-qt4.profile | 32 ++------------------------------ etc/dooble.profile | 16 +++++----------- etc/fetchmail.profile | 17 ++++------------- etc/freecad.profile | 18 +++++++----------- etc/freecadcmd.profile | 2 +- etc/google-earth.profile | 22 ++++++++++++---------- etc/imagej.profile | 19 ++++++------------- etc/karbon.profile | 20 ++++---------------- etc/kdenlive.profile | 19 +++++-------------- etc/krita.profile | 20 ++++---------------- etc/linphone.profile | 15 +++++++++------ etc/lmms.profile | 16 ++++++---------- etc/macrofusion.profile | 16 ++++++++-------- etc/mpd.profile | 19 +++++++------------ etc/natron.profile | 26 +++++++++----------------- etc/ricochet.profile | 14 ++++++++------ etc/shotcut.profile | 14 +++++++------- etc/tor-browser-en.profile | 28 +++++++--------------------- etc/tor.profile | 10 +++++----- etc/x-terminal-emulator.profile | 6 ------ etc/zart.profile | 10 ++++------ 36 files changed, 172 insertions(+), 353 deletions(-) (limited to 'etc/ardour4.profile') diff --git a/etc/Viber.profile b/etc/Viber.profile index 5de92f36f..ee1ab6219 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile 
@@ -6,21 +6,15 @@ include /etc/firejail/Viber.local include /etc/firejail/globals.local +noblacklist ${HOME}/.ViberPC + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + whitelist ${DOWNLOADS} whitelist ${HOME}/.ViberPC -whitelist /dev/dri -whitelist /dev/full -whitelist /dev/null -whitelist /dev/ptmx -whitelist /dev/pts -whitelist /dev/random -whitelist /dev/shm -whitelist /dev/snd -whitelist /dev/tty -whitelist /dev/urandom -whitelist /dev/video0 -whitelist /dev/zero -whitelist /opt/viber include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/amule.profile b/etc/amule.profile index 5cd6e613e..48aad759d 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -5,18 +5,16 @@ include /etc/firejail/amule.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin + +noblacklist ${HOME}/.aMule + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} whitelist ${HOME}/.aMule -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine -whitelist ${HOME}/.themes include /etc/firejail/whitelist-common.inc caps.drop all @@ -29,5 +27,4 @@ shell none private-bin amule private-dev -private-etc fonts,hosts private-tmp diff --git a/etc/ardour4.profile b/etc/ardour4.profile index 3a52edb66..095685364 100644 --- a/etc/ardour4.profile +++ b/etc/ardour4.profile 
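Review bot: The `whitelist /dev/...` lines are dropped from Viber.profile and nothing in the hunk takes over the device restriction; unless a `private-dev` line exists below `caps.drop all`, which is outside this hunk, the sandbox now sees every device node. The same removal is made in tor-browser-en.profile, where the second hunk shows `private-bin` followed directly by `private-tmp`, so no `private-dev` is present there. Consider adding `private-dev` to both profiles, or a comment naming the device that made it unusable.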
@@ -1,34 +1,5 @@ -# Firejail profile for ardour4 +# Firejail profile alias for ardour5 # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/ardour4.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ~/.config/ardour4 -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -mkdir ~/.config/ardour4 -whitelist ~/.config/ardour4 -whitelist ~/Music -whitelist ~/Música -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nogroups -nonewprivs -noroot -protocol unix -seccomp -shell none -tracelog - -# private-bin ardour4 -private-dev -# private-etc ardour4 -private-tmp +include /etc/firejail/ardour5.profile diff --git a/etc/ardour5.profile b/etc/ardour5.profile index f17c74e2b..42744f4dd 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -5,19 +5,16 @@ include /etc/firejail/ardour5.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/ardour4 -whitelist ${HOME}/.config/ardour5 -whitelist ${HOME}/.lv2 -whitelist ${HOME}/.vst -whitelist ${HOME}/Documents -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/ardour4 +noblacklist ${HOME}/.config/ardour5 +noblacklist ${HOME}/.lv2 +noblacklist ${HOME}/.vst + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace 
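Review bot: The alias body no longer includes `/etc/firejail/ardour4.local`, so any restriction an administrator kept in that file silently stops applying once ardour4 is redirected to ardour5.profile. Keeping `include /etc/firejail/ardour4.local` above the redirect line would preserve it. The previous ardour4 profile also set `protocol unix` and `tracelog`; the ardour5.profile context visible in the following hunks shows no `tracelog` after `shell none` and no `protocol` line, so it is worth confirming that ardour4 users do not lose both.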
@@ -27,9 +24,9 @@ noroot seccomp shell none -private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +#private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-dev -private-etc pulse,X11,alternatives,ardour4,ardour5,fonts +#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp noexec /home diff --git a/etc/brackets.profile b/etc/brackets.profile index 3c7622435..151d88bdd 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile @@ -5,19 +5,13 @@ include /etc/firejail/brackets.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt +noblacklist ${HOME}/.config/Brackets +noblacklist /opt/brackets/ +noblacklist /opt/google/ -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Brackets -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.themes -whitelist ${HOME}/Documents -whitelist /opt/brackets/ -whitelist /opt/google/ -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all # Comment out or use --ignore=net if you want to install extensions or themes diff --git a/etc/calligra.profile b/etc/calligra.profile index 260097560..58006f203 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile 
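Review bot: `private-bin` and `private-etc` are switched off in ardour5.profile by commenting them out, with no note on what broke, so a later maintainer cannot tell whether the restriction can be restored. A line such as `# private-etc disabled: <reason>` above each would record that; the same applies to the `#private-etc` lines in calligra, cin, freecad, google-earth, kdenlive, macrofusion, natron, ricochet and shotcut and to `#private-bin` in macrofusion and mpd. The new lines are written `#private-bin` without a space, while existing disabled options in this tree (for example `# private-bin fetchmail,procmail,bash,chmod`) use `# `, and amule, zart and tor-browser-en delete the line outright instead.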
@@ -5,21 +5,10 @@ include /etc/firejail/calligra.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt - -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde -whitelist ${HOME}/.themes -whitelist ${HOME}/Documents -whitelist /tmp/.X11-unix -# DBus is forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -31,7 +20,7 @@ shell none private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch private-dev -private-etc fonts,passwd,alternatives,X11 +#private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraauthor.profile +++ b/etc/calligraauthor.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraconverter.profile +++ b/etc/calligraconverter.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraflow.profile +++ b/etc/calligraflow.profile 
@@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplan.profile +++ b/etc/calligraplan.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplanwork.profile +++ b/etc/calligraplanwork.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrasheets.profile +++ b/etc/calligrasheets.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrastage.profile +++ b/etc/calligrastage.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrawords.profile +++ b/etc/calligrawords.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/cin.profile b/etc/cin.profile index 3a8a4d8de..e895805eb 100644 --- a/etc/cin.profile +++ b/etc/cin.profile 
@@ -5,16 +5,12 @@ include /etc/firejail/cin.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +noblacklist ${HOME}/.bcast5 -whitelist ${DOWNLOADS} -whitelist ${HOME}/.bcast5 -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -26,7 +22,7 @@ shell none private-bin cin private-dev -private-etc fonts,pulse +#private-etc fonts,pulse noexec /home noexec /tmp diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile index ec85c7b58..67df7ce36 100644 --- a/etc/dooble-qt4.profile +++ b/etc/dooble-qt4.profile @@ -1,33 +1,5 @@ -# Firejail profile for dooble-qt4 +# Firejail profile alias for dooble # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/dooble-qt4.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ~/.dooble -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc - -mkdir ~/.dooble -mkdir ~/usr/lib/dooble-qt4 -whitelist ${DOWNLOADS} -whitelist ~/.config/keepassx -whitelist ~/.config/lastpass -whitelist ~/.dooble -whitelist ~/.keepassx -whitelist ~/.lastpass -whitelist ~/keepassx.kdbx -whitelist ~/usr/lib/dooble -whitelist ~/usr/lib/dooble-qt4 -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -tracelog +include /etc/firejail/dooble.profile diff --git a/etc/dooble.profile b/etc/dooble.profile index 13e4ead96..cbb0f96b8 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile 
@@ -1,27 +1,21 @@ -# Firejail profile for dooble +# Firejail profile for dooble-qt4 # This file is overwritten after every install/update # Persistent local customizations -include /etc/firejail/dooble.local +include /etc/firejail/dooble-qt4.local # Persistent global definitions include /etc/firejail/globals.local + noblacklist ~/.dooble include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -mkdir ~/.dooble -mkdir ~/usr/lib/dooble-qt4 +mkdir ${HOME}/.dooble whitelist ${DOWNLOADS} -whitelist ~/.config/keepassx -whitelist ~/.config/lastpass whitelist ~/.dooble -whitelist ~/.keepassx -whitelist ~/.lastpass -whitelist ~/keepassx.kdbx -whitelist ~/usr/lib/dooble -whitelist ~/usr/lib/dooble-qt4 include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index dc7f4abc3..2b2be4c16 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -5,26 +5,17 @@ include /etc/firejail/fetchmail.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc -# whitelist ${HOME}/.fetchmailrc.gpg -whitelist ${HOME}/.procmailrc.brown -whitelist ${HOME}/.procmailrc.gmail -whitelist ${HOME}/Mail -whitelist ${HOME}/scripts/fetchmail-real.sh -whitelist /tmp/fetchmailrc -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups noroot nosound seccomp -x11 none # private-bin fetchmail,procmail,bash,chmod private-dev diff --git a/etc/freecad.profile b/etc/freecad.profile index 0467edb6d..c2d4661e8 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile 
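Review bot: In etc/dooble.profile the header becomes `# Firejail profile for dooble-qt4` and the local include becomes `/etc/firejail/dooble-qt4.local`, although this file is the profile that dooble-qt4.profile now redirects to. Hardening kept in `/etc/firejail/dooble.local` is therefore no longer read when dooble runs. The two lines look swapped with the alias by mistake and should stay `# Firejail profile for dooble` and `include /etc/firejail/dooble.local`. The hunk also mixes `mkdir ${HOME}/.dooble` with `noblacklist ~/.dooble` and `whitelist ~/.dooble`; one spelling should be used.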
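Review bot: `x11 none` is removed from fetchmail.profile, and again from tor.profile later in this commit, although neither program has a graphical interface and the commit message gives no reason. Without it a compromised process in the sandbox can reach the user's X11 socket, which exposes input and screen contents of other X11 clients. If the option caused a startup failure, keep it as `# x11 none` with a comment stating the failure; otherwise leave it enabled. The fetchmail hunk also drops every `whitelist` line, so the process now sees the whole home directory apart from what the disable-*.inc files blacklist.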
@@ -5,17 +5,13 @@ include /etc/firejail/freecad.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/FreeCAD -whitelist ${HOME}/Documents -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/FreeCAD + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,7 +25,7 @@ shell none private-bin freecad,freecadcmd private-dev -private-etc fonts,passwd,alternatives,X11 +#private-etc fonts,passwd,alternatives,X11 private-tmp noexec ${HOME} diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile index 41cfd3fab..82ce8fcaa 100644 --- a/etc/freecadcmd.profile +++ b/etc/freecadcmd.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/freecad.profile +include /etc/firejail/freecad.profile diff --git a/etc/google-earth.profile b/etc/google-earth.profile index a339402e2..11d55281a 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile 
@@ -5,16 +5,18 @@ include /etc/firejail/google-earth.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt +noblacklist ${HOME}/.config/Google +noblacklist ${HOME}/.googleearth +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ${HOME}/.config/Google +mkdir ${HOME}/.googleearth whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth/Cache/ -whitelist ${HOME}/.googleearth/Temp/ -whitelist ${HOME}/.googleearth/myplaces.backup.kml -whitelist ${HOME}/.googleearth/myplaces.kml -whitelist /tmp/.X11-unix +whitelist ${HOME}/.googleearth include /etc/firejail/whitelist-common.inc caps.drop all @@ -26,7 +28,7 @@ shell none private-bin google-earth,sh,grep,sed,ls,dirname private-dev -private-etc fonts,resolv.conf,X11,alternatives,pulse +#private-etc fonts,resolv.conf,X11,alternatives,pulse -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/imagej.profile b/etc/imagej.profile index 4404cc9a2..4613e378f 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -5,20 +5,13 @@ include /etc/firejail/imagej.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine -whitelist ${HOME}/.imagej -whitelist ${HOME}/.themes -whitelist ${HOME}/Pictures -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.imagej + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace diff --git a/etc/karbon.profile b/etc/karbon.profile index da72432f7..7d7f25ad0 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile 
@@ -5,21 +5,11 @@ include /etc/firejail/karbon.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde4 -whitelist ${HOME}/.themes -whitelist ${HOME}/Images -whitelist /tmp/.X11-unix -# DBus has been forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,9 +19,7 @@ noroot seccomp shell none -# private-bin krita,dbus-launch private-dev -# private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b982bd045..b91bd9c41 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -5,20 +5,11 @@ include /etc/firejail/kdenlive.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -# Apparently these break kdenlive for some people - they work for me though? -# whitelist ${DOWNLOADS} -# whitelist ${HOME}/.config/ -# whitelist ${HOME}/Videos -# whitelist ${HOME}/kdenlive -whitelist /tmp/.X11-unix -# DBus is forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none 
@@ -29,4 +20,4 @@ shell none private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev -private-etc fonts,alternatives,X11,pulse,passwd +#private-etc fonts,alternatives,X11,pulse,passwd diff --git a/etc/krita.profile b/etc/krita.profile index f6e62e387..d60ef2fa7 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -5,21 +5,11 @@ include /etc/firejail/krita.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde4 -whitelist ${HOME}/.themes -whitelist ${HOME}/Images -whitelist /tmp/.X11-unix -# DBus has been forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,9 +19,7 @@ noroot seccomp shell none -# private-bin krita,dbus-launch private-dev -# private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/linphone.profile b/etc/linphone.profile index 850fcb320..8763b348a 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile 
@@ -5,13 +5,16 @@ include /etc/firejail/linphone.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +noblacklist ${HOME}/.linphone-history.db +noblacklist ${HOME}/.linphonerc -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkfile ${HOME}/.linphone-history.db +mkfile ${HOME}/.linphonerc whitelist ${HOME}/.linphone-history.db whitelist ${HOME}/.linphonerc whitelist ${HOME}/Downloads diff --git a/etc/lmms.profile b/etc/lmms.profile index 8ac039cc0..14a7209a9 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile @@ -5,17 +5,13 @@ include /etc/firejail/lmms.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.lmmsrc.xml -whitelist ${HOME}/Music -whitelist ${HOME}/lmms -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.lmmsrc.xml + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 287a5ea85..e53f175f8 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile 
@@ -6,12 +6,12 @@ include /etc/firejail/macrofusion.local include /etc/firejail/globals.local -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/gtk-3.0 -whitelist ${HOME}/.config/mfusion -whitelist ${HOME}/.themes -whitelist ${HOME}/Pictures -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/mfusion + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -22,7 +22,7 @@ noroot seccomp shell none -private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack +#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack private-dev -private-etc fonts +#private-etc fonts private-tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index 44baab7e9..ebcdca443 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -5,22 +5,17 @@ include /etc/firejail/mpd.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${HOME}/.config/pulse/ -whitelist ${HOME}/.mpdconf -whitelist ${HOME}/.pulse/ -whitelist ${HOME}/Music -whitelist ${HOME}/mpd -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.mpdconf + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all noroot seccomp -private-bin mpd,bash +#private-bin mpd,bash private-dev -read-only ${HOME}/Music/ diff --git a/etc/natron.profile b/etc/natron.profile index 6101d1331..8f266f56c 100644 --- a/etc/natron.profile +++ b/etc/natron.profile 
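Review bot: `read-only ${HOME}/Music/` is removed from mpd.profile together with the whitelist, so the daemon goes from read-only access to one directory to write access to everything in the home directory that the disable-*.inc files do not blacklist. mpd usually accepts client connections, so the library is better left read-only; `read-only ${HOME}/Music/` does not depend on the whitelist lines and can stay as it was. `#private-bin mpd,bash` is disabled in the same hunk without a stated reason.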
@@ -5,30 +5,22 @@ include /etc/firejail/natron.local # Persistent global definitions include /etc/firejail/globals.local -# Contributed by triceratops1 (https://github.com/triceratops1) -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /usr/local/bin -blacklist /usr/local/sbin +noblacklist ${HOME}/.Natron +noblacklist ${HOME}/.cache/INRIA/Natron/ +noblacklist ${HOME}/.config/INRIA/ +noblacklist /opt/natron/ -whitelist ${DOWNLOADS} -whitelist ${HOME}/.Natron -whitelist ${HOME}/.cache/INRIA/Natron/ -whitelist ${HOME}/.config/INRIA/ -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.themes -whitelist ${HOME}/Videos -whitelist /opt/natron/ -whitelist /tmp/.X11-unix/ -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc ipc-namespace shell none private-bin natron -private-etc fonts,X11,pulse +#private-etc fonts,X11,pulse noexec ${HOME} noexec /tmp diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 47b16b30e..423dfb887 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile @@ -5,14 +5,16 @@ include /etc/firejail/ricochet.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt + +noblacklist ${HOME}/.local/share/Ricochet + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} whitelist ${HOME}/.local/share/Ricochet -whitelist /tmp/.X11-unix include /etc/firejail/whitelist-common.inc caps.drop all @@ -24,7 +26,7 @@ shell none private-bin ricochet,tor private-dev -private-etc fonts,tor,X11,alternatives +#private-etc fonts,tor,X11,alternatives noexec /home noexec /tmp diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 2bf3cc2e0..1a7ce6bce 100644 
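Review bot: natron.profile has no `caps.drop all`, `noroot` or `seccomp` in the lines this hunk shows: the include block is followed by `ipc-namespace` and `shell none` only. With the `blacklist` and `whitelist` lines removed here, the filesystem view gets wider while capabilities and system calls stay unfiltered. Since this commit aligns the profiles, add at least `caps.drop all`, `noroot` and `seccomp` as the other profiles have, or a comment saying which of them Natron fails with.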
--- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -5,13 +5,13 @@ include /etc/firejail/shotcut.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /usr/local/bin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Meltytech -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/Meltytech + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none @@ -22,7 +22,7 @@ shell none private-bin shotcut,melt,qmelt,nice private-dev -private-etc X11,alternatives,pulse,fonts +#private-etc X11,alternatives,pulse,fonts noexec ${HOME} noexec /tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 1f0b61c75..65ea41e18 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile @@ -5,26 +5,15 @@ include /etc/firejail/tor-browser-en.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /var + +noblacklist ${HOME}/.tor-browser-en + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${HOME}/.tor-browser-en -whitelist /dev/dri -whitelist /dev/full -whitelist /dev/null -whitelist /dev/ptmx -whitelist /dev/pts -whitelist /dev/random -whitelist /dev/shm -whitelist /dev/snd -whitelist /dev/tty -whitelist /dev/urandom -whitelist /dev/video0 -whitelist /dev/zero include /etc/firejail/whitelist-common.inc caps.drop all 
@@ -33,9 +22,6 @@ seccomp shell none private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr -# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!) -# https://github.com/netblue30/firejail/issues/955 -private-etc X11,pulse,machine-id private-tmp noexec /tmp diff --git a/etc/tor.profile b/etc/tor.profile index 2e2172cad..73577825a 100644 --- a/etc/tor.profile +++ b/etc/tor.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local # How to use: # Create a script called anything (e.g. mytor) # with the following contents: + # #!/bin/bash # TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1" # sudo -b daemon -f -d -- firejail --profile=/home//.config/firejail/tor.profile $TORCMD @@ -15,10 +16,10 @@ include /etc/firejail/globals.local # You'll also likely want to disable the system service (if it exists) # Run mytor (or whatever you called the script above) whenever you want to start tor -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.keep setuid,setgid,net_bind_service,dac_read_search ipc-namespace @@ -29,7 +30,6 @@ nosound seccomp shell none writable-var -x11 none private private-bin tor,bash diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile index eb4c58480..aca0d7144 100644 --- a/etc/x-terminal-emulator.profile +++ b/etc/x-terminal-emulator.profile @@ -6,13 +6,7 @@ include /etc/firejail/x-terminal-emulator.local include /etc/firejail/globals.local -whitelist /tmp/.X11-unix/X470 -whitelist /tmp/fcitx-socket-:0 -whitelist /tmp/user/1000/ -include /etc/firejail/whitelist-common.inc - caps.drop all -env DISPLAY=:470 ipc-namespace net none netfilter 
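Review bot: Deleting `private-etc X11,pulse,machine-id` in tor-browser-en.profile leaves the browser with the host's full /etc, including the real `/etc/machine-id`, which is a stable identifier that an anonymity-focused profile should not expose. The removed FIXME recorded that the browser crashes without a machine id and linked the issue, and that context is lost as well. Keep the restriction as a commented line with the issue link, or, if the firejail version in this tree has the `machine-id` option, use it so the sandbox gets a random id.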
diff --git a/etc/zart.profile b/etc/zart.profile index 654679174..6022e8260 100644 --- a/etc/zart.profile +++ b/etc/zart.profile @@ -5,12 +5,11 @@ include /etc/firejail/zart.local # Persistent global definitions include /etc/firejail/globals.local -# Contributed by triceratops1 (https://github.com/triceratops1) -whitelist ${DOWNLOADS} -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -21,7 +20,6 @@ shell none private-bin zart,ffmpeg,melt,ffprobe,ffplay private-dev -private-etc fonts,X11 noexec ${HOME} noexec /tmp -- cgit v1.2.3-54-g00ecf From 8751a4c857a245abc2924b8827e28d7d9be2d641 Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 16 Sep 2017 14:13:02 -0400 Subject: Fixup 12 profiles --- etc/ardour4.profile | 1 + etc/calligraauthor.profile | 1 + etc/calligraconverter.profile | 1 + etc/calligraflow.profile | 1 + etc/calligraplan.profile | 1 + etc/calligraplanwork.profile | 1 + etc/calligrasheets.profile | 1 + etc/calligrastage.profile | 1 + etc/calligrawords.profile | 1 + etc/dooble-qt4.profile | 1 + etc/freecadcmd.profile | 1 + etc/karbon.profile | 1 + 12 files changed, 12 insertions(+) (limited to 'etc/ardour4.profile') diff --git a/etc/ardour4.profile b/etc/ardour4.profile index 095685364..7d1163174 100644 --- a/etc/ardour4.profile +++ b/etc/ardour4.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/ardour5.profile diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile index 162823019..629ab46c1 100644 --- a/etc/calligraauthor.profile +++ b/etc/calligraauthor.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile 
diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile index 162823019..629ab46c1 100644 --- a/etc/calligraconverter.profile +++ b/etc/calligraconverter.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile index 162823019..629ab46c1 100644 --- a/etc/calligraflow.profile +++ b/etc/calligraflow.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile index 162823019..629ab46c1 100644 --- a/etc/calligraplan.profile +++ b/etc/calligraplan.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile index 162823019..629ab46c1 100644 --- a/etc/calligraplanwork.profile +++ b/etc/calligraplanwork.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile index 162823019..629ab46c1 100644 --- a/etc/calligrasheets.profile +++ b/etc/calligrasheets.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile index 162823019..629ab46c1 100644 --- a/etc/calligrastage.profile +++ b/etc/calligrastage.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile index 162823019..629ab46c1 100644 --- a/etc/calligrawords.profile +++ b/etc/calligrawords.profile 
@@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/calligra.profile diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile index 67df7ce36..4e1227a0f 100644 --- a/etc/dooble-qt4.profile +++ b/etc/dooble-qt4.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/dooble.profile diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile index 82ce8fcaa..f8bbff593 100644 --- a/etc/freecadcmd.profile +++ b/etc/freecadcmd.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/freecad.profile diff --git a/etc/karbon.profile b/etc/karbon.profile index d94f20012..3525a3e06 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile @@ -2,4 +2,5 @@ # This file is overwritten after every install/update +# Redirect include /etc/firejail/krita.profile -- cgit v1.2.3-54-g00ecf