From 9e3ba319be6b9546d7e8f450ca419ee2f3f4040b Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 7 Aug 2017 01:22:08 -0400 Subject: Unify all profiles --- etc/inkscape.profile | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'etc/inkscape.profile') diff --git a/etc/inkscape.profile b/etc/inkscape.profile index af1be565b..cde845907 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -1,16 +1,16 @@ -# Persistent global definitions go here -include /etc/firejail/globals.local - -# This file is overwritten during software install. -# Persistent customizations should go in a .local file. +# Firejail profile for inkscape +# This file is overwritten after every install/update +# Persistent local customizations include /etc/firejail/inkscape.local +# Persistent global definitions +include /etc/firejail/globals.local -# inkscape noblacklist ${HOME}/.inkscape + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all netfilter @@ -28,3 +28,6 @@ private-tmp noexec ${HOME} noexec /tmp + +# CLOBBERED COMMENTS +# inkscape -- cgit v1.2.3-70-g09d2 From 00ea93e518be02e1bd759da4746a5f3e973f1dd2 Mon Sep 17 00:00:00 2001 
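Review bot: The second hunk appends `# CLOBBERED COMMENTS` followed by `# inkscape` to the tail of the profile, which reads as a leftover of the unification tooling rather than a deliberate comment: `# inkscape` was the section header above `noblacklist ${HOME}/.inkscape` and carries no meaning at the end of the file. Either restore it to that position or drop it; shipping a block labelled "clobbered" in a profile invites doubt about whether directives, not just comments, were lost. The first hunk's ordering is sound — `noblacklist` precedes the `include /etc/firejail/disable-*.inc` lines, which is required for it to take effect — so a one-line `# noblacklist must come before the disable-*.inc includes` would document why the order matters.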
From: Tad Date: Sat, 5 Aug 2017 17:32:30 -0400 Subject: Fix comments in 88 profiles There may actually be some other comments that were removed, but the bulk have been restored --- etc/akregator.profile | 3 --- etc/amarok.profile | 4 +-- etc/android-studio.profile | 3 --- etc/caja.profile | 9 +++---- etc/catfish.profile | 10 +++---- etc/cherrytree.profile | 3 --- etc/chromium.profile | 6 +---- etc/clementine.profile | 4 +-- etc/cpio.profile | 4 --- etc/cvlc.profile | 4 +-- etc/deluge.profile | 4 +-- etc/digikam.profile | 4 +-- etc/dolphin.profile | 7 +++-- etc/etr.profile | 4 --- etc/evince.profile | 4 +-- etc/file.profile | 3 --- etc/firefox.profile | 3 --- etc/flashpeak-slimjet.profile | 12 ++++----- etc/franz.profile | 3 --- etc/frozen-bubble.profile | 4 --- etc/gajim.profile | 4 +-- etc/geary.profile | 9 +++---- etc/gedit.profile | 5 ++-- etc/geeqie.profile | 3 --- etc/ghb.profile | 3 --- etc/gimp.profile | 5 +--- etc/gjs.profile | 5 ++-- etc/gnome-2048.profile | 3 --- etc/gnome-books.profile | 5 ++-- etc/gnome-calculator.profile | 3 --- etc/gnome-documents.profile | 5 ++-- etc/gnome-maps.profile | 5 ++-- etc/gnome-photos.profile | 5 ++-- etc/gnome-weather.profile | 5 ++-- etc/google-chrome-beta.profile | 5 +--- etc/google-chrome-unstable.profile | 5 +--- etc/google-chrome.profile | 5 +--- etc/google-play-music-desktop-player.profile | 6 ++--- etc/gwenview.profile | 3 --- etc/handbrake-gtk.profile | 3 --- etc/hexchat.profile | 9 +++---- etc/icedove.profile | 9 +++---- etc/idea.sh.profile | 3 --- etc/inkscape.profile | 3 --- etc/iridium.profile | 4 +-- etc/kodi.profile | 3 --- etc/kwrite.profile | 4 +-- etc/libreoffice.profile | 3 --- etc/liferea.profile | 6 ++--- etc/luminance-hdr.profile | 3 --- etc/lxterminal.profile | 4 +-- etc/midori.profile | 4 +-- etc/mplayer.profile | 4 +-- etc/mpv.profile | 3 --- etc/multimc5.profile | 4 +-- etc/mupdf.profile | 7 ++--- etc/mupen64plus.profile | 4 +-- etc/nautilus.profile | 9 +++---- etc/open-invaders.profile | 4 --- 
etc/palemoon.profile | 39 ++++++++++++++-------------- etc/pingus.profile | 4 --- etc/qbittorrent.profile | 5 +--- etc/rambox.profile | 2 -- etc/ranger.profile | 4 +-- etc/rhythmbox.profile | 4 +-- etc/scribus.profile | 4 +-- etc/simple-scan.profile | 4 +-- etc/simutrans.profile | 4 --- etc/skanlite.profile | 4 +-- etc/smplayer.profile | 4 +-- etc/ssh-agent.profile | 3 --- etc/ssh.profile | 3 --- etc/steam.profile | 10 +++---- etc/supertux2.profile | 4 --- etc/synfigstudio.profile | 3 --- etc/tar.profile | 4 +-- etc/thunderbird.profile | 9 +++---- etc/tracker.profile | 5 ++-- etc/unknown-horizons.profile | 4 --- etc/virtualbox.profile | 4 +-- etc/vivaldi.profile | 3 --- etc/vlc.profile | 5 +--- etc/warzone2100.profile | 7 ++--- etc/weechat.profile | 3 +-- etc/wire.profile | 7 +++-- etc/wireshark.profile | 14 +++++----- 86 files changed, 123 insertions(+), 323 deletions(-) (limited to 'etc/inkscape.profile') diff --git a/etc/akregator.profile b/etc/akregator.profile index 77868dac7..36886b961 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile @@ -30,6 +30,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# nosound diff --git a/etc/amarok.profile b/etc/amarok.profile index 69f41bb1b..28398e2c1 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -17,12 +17,10 @@ nogroups nonewprivs noroot protocol unix,inet,inet6 +# seccomp shell none # private-bin amarok private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# seccomp diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 86e19f838..3f4795195 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile @@ -32,6 +32,3 @@ private-dev # private-tmp noexec /tmp - -# CLOBBERED COMMENTS -# nosound diff --git a/etc/caja.profile b/etc/caja.profile index adbcc09b9..1350b63dd 100644 --- a/etc/caja.profile +++ b/etc/caja.profile 
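Review bot: In the amarok hunk `# seccomp` is restored above `shell none` as a bare disabled directive with no reason, unlike the `# directive - reason` form used elsewhere in this series (e.g. the kwrite and lxterminal hunks). A disabled syscall filter is one of the larger hardening gaps a profile can have, so the exemption deserves a one-line cause, e.g. `# seccomp - disabled: <what broke, distro/version>`, so a maintainer can tell when it is safe to re-enable. The same applies to `# private-etc none` two lines below it.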
@@ -5,6 +5,9 @@ include /etc/firejail/caja.local # Persistent global definitions include /etc/firejail/globals.local +# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there +# is already a caja process running on MATE desktops firejail will have no effect. + noblacklist ~/.config/caja noblacklist ~/.local/share/Trash noblacklist ~/.local/share/caja-python @@ -24,12 +27,8 @@ seccomp shell none tracelog +# caja needs to be able to start arbitrary applications so we cannot blacklist their files # private-bin caja # private-dev # private-etc fonts # private-tmp - -# CLOBBERED COMMENTS -# Caja is started by systemd on most systems. Therefore it is not firejailed by default. Since there -# caja needs to be able to start arbitrary applications so we cannot blacklist their files -# is already a caja process running on MATE desktops firejail will have no effect. diff --git a/etc/catfish.profile b/etc/catfish.profile index 9fef3dc83..759b5e384 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile @@ -5,6 +5,8 @@ include /etc/firejail/catfish.local # Persistent global definitions include /etc/firejail/globals.local +# We can't blacklist much since catfish +# is for finding files/content noblacklist ~/.config/catfish include /etc/firejail/disable-devel.inc @@ -22,12 +24,8 @@ seccomp shell none tracelog +# These options work but are disabled in case +# a users wants to search in these directories. # private-bin bash,catfish,env,locate,ls,mlocate,python,python2,python2.7,python3,python3.5,python3.5m,python3m # private-dev # private-tmp - -# CLOBBERED COMMENTS -# These options work but are disabled in case -# We can't blacklist much since catfish -# a users wants to search in these directories. -# is for finding files/content diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 8aa11a0e6..fe0153959 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
@@ -32,6 +32,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# cherrytree note taking application diff --git a/etc/chromium.profile b/etc/chromium.profile index 97149d4d4..cec5366d9 100644 --- a/etc/chromium.profile +++ b/etc/chromium.profile @@ -11,6 +11,7 @@ noblacklist ~/.config/chromium-flags.conf noblacklist ~/.pki include /etc/firejail/disable-common.inc +# chromium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc @@ -34,8 +35,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# chromium is distributed with a perl script on Arch -# disable-mnt -# specific to Arch diff --git a/etc/clementine.profile b/etc/clementine.profile index a69be26df..13a14af3b 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile 
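Review bot: The restored `# chromium is distributed with a perl script on Arch` sits above `# include /etc/firejail/disable-devel.inc` but does not say that it is the reason the include is disabled, nor what that costs: with disable-devel.inc off, compilers and interpreters presumably stay reachable from inside the browser sandbox on every distribution, not only Arch. Suggest `# disable-devel.inc not included: the Arch launcher is a perl script and disable-devel.inc would blacklist perl`, and consider whether a targeted `noblacklist` of the perl binary placed before the include would let the rest of disable-devel.inc stay active. The dropped `# disable-mnt` was a disabled directive rather than a remark; if leaving `disable-mnt` off is intentional, a one-line reason is worth keeping in its place.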
@@ -16,7 +16,5 @@ nonewprivs noroot novideo protocol unix,inet,inet6 -seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old - -# CLOBBERED COMMENTS # Clementine makes ioprio_set system calls, which are blacklisted by default. +seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,name_to_handle_at,open_by_handle_at,create_module,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,mfsservctl,get_kernel_syms,bpf,clock_settime,personality,process_vm_writev,query_module,settimeofday,stime,umount,userfaultfd,ustat,vm86,vm86old diff --git a/etc/cpio.profile b/etc/cpio.profile index cd9b9ad7c..c5d7680a3 100644 --- a/etc/cpio.profile +++ b/etc/cpio.profile @@ -25,7 +25,3 @@ shell none tracelog private-dev - -# CLOBBERED COMMENTS -# /boot is not visible and /var is heavily modified -# /sbin and /usr/sbin are visible inside the sandbox diff --git a/etc/cvlc.profile b/etc/cvlc.profile index 0b63151a8..460966321 100644 --- a/etc/cvlc.profile +++ b/etc/cvlc.profile 
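Review bot: The re-added `seccomp.drop` list contains `mfsservctl`, which does not match any Linux syscall name I recognise (firejail's default drop list spells it `nfsservctl`), and `process_vm_writev` appears twice; depending on the firejail version a misspelt name is either ignored or rejected, so the intended syscall may not be filtered at all. Worth checking the list with `firejail --debug-syscalls` and fixing the spelling while the line is being touched. The comment above it explains the list exists only to keep `ioprio_set` allowed, so it appears to be a copy of the default list minus one entry; a note such as `# keep in sync with firejail's default seccomp list (minus ioprio_set)` would stop future default additions from being silently missed here.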
@@ -22,11 +22,9 @@ seccomp shell none tracelog +# clvc doesn't like private-bin # private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc private-dev private-tmp memory-deny-write-execute - -# CLOBBERED COMMENTS -# clvc doesn't like private-bin diff --git a/etc/deluge.profile b/etc/deluge.profile index ed115b024..bb45c4371 100644 --- a/etc/deluge.profile +++ b/etc/deluge.profile @@ -27,9 +27,7 @@ protocol unix,inet,inet6 seccomp shell none +# deluge is using python on Debian # private-bin deluge,sh,python,uname private-dev private-tmp - -# CLOBBERED COMMENTS -# deluge is using python on Debian diff --git a/etc/digikam.profile b/etc/digikam.profile index 0ff437608..35365984e 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile @@ -21,6 +21,7 @@ nonewprivs noroot protocol unix,inet,inet6,netlink seccomp +# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group shell none # private-bin program 
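Review bot: The restored comment `# clvc doesn't like private-bin` misspells the program name and gives no symptom, so the next maintainer cannot tell whether the breakage still applies; `# cvlc - private-bin disabled: <what fails>` would be more useful. The disabled `# private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc` line directly below it is the directive being excused, so keeping the two adjacent, as this hunk does, is the right placement.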
@@ -30,6 +31,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group diff --git a/etc/dolphin.profile b/etc/dolphin.profile index 5760f6811..93acbd09e 100644 --- a/etc/dolphin.profile +++ b/etc/dolphin.profile @@ -5,6 +5,8 @@ include /etc/firejail/dolphin.local # Persistent global definitions include /etc/firejail/globals.local +# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 + noblacklist ${HOME}/.local/share/Trash noblacklist ~/.config/dolphinrc noblacklist ~/.local/share/dolphin 
@@ -23,11 +25,8 @@ protocol unix seccomp shell none +# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files # private-bin # private-dev # private-etc # private-tmp - -# CLOBBERED COMMENTS -# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files -# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5 diff --git a/etc/etr.profile b/etc/etr.profile index 6ed9a274d..dedc1e224 100644 --- a/etc/etr.profile +++ b/etc/etr.profile @@ -28,7 +28,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound diff --git a/etc/evince.profile b/etc/evince.profile index e58cef336..1a2b04160 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -28,11 +28,9 @@ tracelog private-bin evince,evince-previewer,evince-thumbnailer private-dev private-etc fonts +# evince needs access to /tmp/mozilla* to work in firefox # private-tmp memory-deny-write-execute noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# evince needs access to /tmp/mozilla* to work in firefox diff --git a/etc/file.profile b/etc/file.profile index 6e8280c3b..99d2fd865 100644 --- a/etc/file.profile +++ b/etc/file.profile @@ -28,6 +28,3 @@ x11 none private-bin file private-dev private-etc magic.mgc,magic,localtime - -# CLOBBERED COMMENTS -# noroot diff --git a/etc/firefox.profile b/etc/firefox.profile index 8d48a4704..27f436c4f 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -68,6 +68,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# disable-mnt diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index b3aa80f85..be06dc460 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile 
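Review bot: In the evince hunk `# private-tmp` stays disabled with the justification `# evince needs access to /tmp/mozilla* to work in firefox`, which means a PDF viewer — a common exploitation target — sees the whole shared /tmp rather than just the browser's hand-off directory; the comment should state that consequence, e.g. `# private-tmp disabled so Firefox can hand files in /tmp/mozilla* to evince; this exposes all of /tmp to the viewer`. `noexec /tmp` remains active below, which limits what an attacker can do with that access. If the firejail version in use supports whitelisting paths under /tmp, a narrower rule would be preferable to dropping private-tmp entirely.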
@@ -5,11 +5,17 @@ include /etc/firejail/flashpeak-slimjet.local # Persistent global definitions include /etc/firejail/globals.local +# This is a whitelisted profile, the internal browser sandbox +# is disabled because it requires sudo password. The command +# to run it is as follows: +# firejail flashpeak-slimjet --no-sandbox + noblacklist ~/.cache/slimjet noblacklist ~/.config/slimjet noblacklist ~/.pki include /etc/firejail/disable-common.inc +# chromium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc @@ -28,9 +34,3 @@ nonewprivs noroot protocol unix,inet,inet6,netlink seccomp - -# CLOBBERED COMMENTS -# firejail flashpeak-slimjet --no-sandbox -# chromium is distributed with a perl script on Arch -# is disabled because it requires sudo password. The command -# to run it is as follows: diff --git a/etc/franz.profile b/etc/franz.profile index 486326fe0..82bdabfcd 100644 --- a/etc/franz.profile +++ b/etc/franz.profile @@ -37,6 +37,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# tracelog diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index dc8ad3e08..b1d9798bc 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile @@ -28,7 +28,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound diff --git a/etc/gajim.profile b/etc/gajim.profile index d8ca7424c..451a93c31 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -40,7 +40,5 @@ disable-mnt private-dev # private-etc fonts # private-tmp -read-only ${HOME}/.local/lib/python2.7/site-packages/ - -# CLOBBERED COMMENTS # Allow the local python 2.7 site packages, in case any plugins are using these +read-only ${HOME}/.local/lib/python2.7/site-packages/ diff --git a/etc/geary.profile b/etc/geary.profile index 5833e51cf..3f9faf058 100644 --- a/etc/geary.profile 
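Review bot: The restored header in the flashpeak-slimjet hunk tells users to run `firejail flashpeak-slimjet --no-sandbox` but does not say what is given up: `--no-sandbox` disables Chromium's own renderer/process sandbox, so inside the jail all tab and plugin processes share one trust domain and a renderer compromise is contained only by firejail's outer boundary. Suggest adding `# --no-sandbox disables the browser's internal process sandbox; only firejail then separates renderers from the user's files`. The "requires sudo password" justification presumably refers to the setuid sandbox helper; naming it would let readers judge whether the workaround is still needed on their distribution.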
+++ b/etc/geary.profile @@ -5,6 +5,9 @@ include /etc/firejail/geary.local # Persistent global definitions include /etc/firejail/globals.local +# Users have Geary set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories + noblacklist ~/.gnupg noblacklist ~/.local/share/geary @@ -21,9 +24,5 @@ ignore private-tmp read-only ~/.config/mimeapps.list read-only ~/.local/share/applications -include /etc/firejail/firefox.profile - -# CLOBBERED COMMENTS -# Users have Geary set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories # allow browsers +include /etc/firejail/firefox.profile diff --git a/etc/gedit.profile b/etc/gedit.profile index 2fd7f20fe..aa91d9518 100644 --- a/etc/gedit.profile +++ b/etc/gedit.profile @@ -5,6 +5,8 @@ include /etc/firejail/gedit.local # Persistent global definitions include /etc/firejail/globals.local +# when gedit is started via gnome-shell, firejail is not applied because systemd will start it + noblacklist ~/.config/gedit include /etc/firejail/disable-common.inc @@ -31,6 +33,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# when gedit is started via gnome-shell, firejail is not applied because systemd will start it diff --git a/etc/geeqie.profile b/etc/geeqie.profile index 9434d49b8..5936787dd 100644 --- a/etc/geeqie.profile +++ b/etc/geeqie.profile @@ -26,6 +26,3 @@ shell none # private-bin geeqie private-dev # private-etc X11 - -# CLOBBERED COMMENTS -# Experimental: diff --git a/etc/ghb.profile b/etc/ghb.profile index 80291223c..9437cea9e 100644 --- a/etc/ghb.profile +++ b/etc/ghb.profile @@ -3,6 +3,3 @@ include /etc/firejail/handbrake.profile - -# CLOBBERED COMMENTS -# HandBrake diff --git a/etc/gimp.profile b/etc/gimp.profile index e63d10d35..d77c4df8d 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile 
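Review bot: The comment restored above `include /etc/firejail/firefox.profile` says `# We are not allowed to blacklist browser-specific directories` without stating the consequence: pulling the browser profile into a mail client's sandbox presumably leaves the browser's profile data (cookies, stored credentials) readable and writable by Geary, so a mail-client bug reaches browser state. Suggest `# Geary opens links in the user's browser, so firefox.profile's rules - including its access to browser profile dirs - are inherited here` alongside the existing `# allow browsers`. The include is kept as the last line of the file; a short note on why it must stay last (firejail applies directives in order) would help whoever next appends to this profile.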
@@ -24,10 +24,7 @@ shell none private-dev private-tmp -noexec /tmp - -# CLOBBERED COMMENTS -# gimp # gimp plugins are installed by the user in ~/.gimp-2.8/plug-ins/ directory # if you are not using external plugins, you can enable noexec statement below # noexec ${HOME} +noexec /tmp diff --git a/etc/gjs.profile b/etc/gjs.profile index 443dccfea..739100888 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile @@ -5,6 +5,8 @@ include /etc/firejail/gjs.local # Persistent global definitions include /etc/firejail/globals.local +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + noblacklist ~/.cache/libgweather noblacklist ~/.cache/org.gnome.Books noblacklist ~/.config/libreoffice @@ -29,6 +31,3 @@ tracelog private-dev # private-etc fonts private-tmp - -# CLOBBERED COMMENTS -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile index 480c6a35f..996c8e1f4 100644 --- a/etc/gnome-2048.profile +++ b/etc/gnome-2048.profile @@ -31,6 +31,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# nosound diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile index e934b48a5..60bd2f68d 100644 --- a/etc/gnome-books.profile +++ b/etc/gnome-books.profile @@ -5,6 +5,8 @@ include /etc/firejail/gnome-books.local # Persistent global definitions include /etc/firejail/globals.local +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + noblacklist ~/.cache/org.gnome.Books include /etc/firejail/disable-common.inc @@ -32,6 +34,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index 2e949271b..995415edc 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile 
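Review bot: After the gimp reorder the comment `# if you are not using external plugins, you can enable noexec statement below` is followed by two noexec lines — the commented `# noexec ${HOME}` and the live `noexec /tmp` — so "the statement below" is now ambiguous. Suggest `# if you are not using external plugins, uncomment noexec ${HOME} below` so readers do not mistake `noexec /tmp` for the optional one. The reason is already visible two lines up (plug-ins are installed under `~/.gimp-2.8/plug-ins/`, so `noexec ${HOME}` would stop them running); stating that `noexec /tmp` stays on regardless makes the hardening intent clear.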
@@ -33,6 +33,3 @@ private-tmp memory-deny-write-execute noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# net none diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile index 2c77c32ae..e56a32a4a 100644 --- a/etc/gnome-documents.profile +++ b/etc/gnome-documents.profile @@ -5,6 +5,8 @@ include /etc/firejail/gnome-documents.local # Persistent global definitions include /etc/firejail/globals.local +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + noblacklist ~/.config/libreoffice include /etc/firejail/disable-common.inc @@ -30,6 +32,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index 79ea783a6..1e60c4470 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile @@ -5,6 +5,8 @@ include /etc/firejail/gnome-maps.local # Persistent global definitions include /etc/firejail/globals.local +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + noblacklist ${HOME}/.cache/champlain include /etc/firejail/disable-common.inc @@ -32,6 +34,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index bb13672f4..5982b9dbd 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile @@ -5,6 +5,8 @@ include /etc/firejail/gnome-photos.local # Persistent global definitions include /etc/firejail/globals.local +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + noblacklist ~/.local/share/gnome-photos include /etc/firejail/disable-common.inc 
@@ -30,6 +32,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 77538ad6e..514ef6f15 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile @@ -5,6 +5,8 @@ include /etc/firejail/gnome-weather.local # Persistent global definitions include /etc/firejail/globals.local +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + noblacklist ~/.cache/libgweather include /etc/firejail/disable-common.inc @@ -33,6 +35,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them diff --git a/etc/google-chrome-beta.profile b/etc/google-chrome-beta.profile index 53220997a..b6c39bfd2 100644 --- a/etc/google-chrome-beta.profile +++ b/etc/google-chrome-beta.profile @@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-beta noblacklist ~/.pki include /etc/firejail/disable-common.inc +# chromium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc @@ -32,7 +33,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# chromium is distributed with a perl script on Arch -# disable-mnt diff --git a/etc/google-chrome-unstable.profile b/etc/google-chrome-unstable.profile index 6f4ec9101..ea111c7f6 100644 --- a/etc/google-chrome-unstable.profile +++ b/etc/google-chrome-unstable.profile @@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome-unstable noblacklist ~/.pki include /etc/firejail/disable-common.inc +# chromium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc 
@@ -32,7 +33,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# chromium is distributed with a perl script on Arch -# disable-mnt diff --git a/etc/google-chrome.profile b/etc/google-chrome.profile index 84fdcdd21..f0d452841 100644 --- a/etc/google-chrome.profile +++ b/etc/google-chrome.profile @@ -10,6 +10,7 @@ noblacklist ~/.config/google-chrome noblacklist ~/.pki include /etc/firejail/disable-common.inc +# chromium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc @@ -32,7 +33,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# chromium is distributed with a perl script on Arch -# disable-mnt diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index e326c8083..9c6c70f9f 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# whitelist ~/.config/pulse +# whitelist ~/.pulse whitelist ~/.config/Google Play Music Desktop Player include /etc/firejail/whitelist-common.inc @@ -32,7 +34,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# whitelist ~/.config/pulse -# whitelist ~/.pulse diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 19d83866e..0f2be604b 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -34,6 +34,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# Experimental: diff --git a/etc/handbrake-gtk.profile b/etc/handbrake-gtk.profile index 80291223c..9437cea9e 100644 --- a/etc/handbrake-gtk.profile +++ b/etc/handbrake-gtk.profile @@ -3,6 +3,3 @@ include /etc/firejail/handbrake.profile - -# CLOBBERED COMMENTS -# HandBrake diff --git a/etc/hexchat.profile b/etc/hexchat.profile index f070937ef..ceebb6d18 100644 --- a/etc/hexchat.profile 
+++ b/etc/hexchat.profile @@ -6,6 +6,8 @@ include /etc/firejail/hexchat.local include /etc/firejail/globals.local noblacklist ${HOME}/.config/hexchat +# noblacklist /usr/lib/python2* +# noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -29,15 +31,10 @@ shell none tracelog disable-mnt +# debug note: private-bin requires perl, python, etc on some systems private-bin hexchat private-dev private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# Currently in testing (may not work for all users) -# debug note: private-bin requires perl, python, etc on some systems -# noblacklist /usr/lib/python2* -# noblacklist /usr/lib/python3* diff --git a/etc/icedove.profile b/etc/icedove.profile index 8cb4ec1ea..3931fd0c0 100644 --- a/etc/icedove.profile +++ b/etc/icedove.profile @@ -5,6 +5,9 @@ include /etc/firejail/icedove.local # Persistent global definitions include /etc/firejail/globals.local +# Users have icedove set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories + noblacklist ~/.cache/icedove noblacklist ~/.gnupg noblacklist ~/.icedove @@ -19,9 +22,5 @@ include /etc/firejail/whitelist-common.inc ignore private-tmp -include /etc/firejail/firefox.profile - -# CLOBBERED COMMENTS -# Users have icedove set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories # allow browsers +include /etc/firejail/firefox.profile diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 2ca4cba69..f0f0637d9 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile @@ -32,6 +32,3 @@ private-dev # private-tmp noexec /tmp - -# CLOBBERED COMMENTS -# nosound diff --git a/etc/inkscape.profile b/etc/inkscape.profile index cde845907..6bba90d14 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile @@ -28,6 +28,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# inkscape 
diff --git a/etc/iridium.profile b/etc/iridium.profile index 03fae05dc..95e94cbf9 100644 --- a/etc/iridium.profile +++ b/etc/iridium.profile @@ -9,6 +9,7 @@ noblacklist ~/.cache/iridium noblacklist ~/.config/iridium include /etc/firejail/disable-common.inc +# chromium/iridium is distributed with a perl script on Arch # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc @@ -22,6 +23,3 @@ whitelist ~/.pki include /etc/firejail/whitelist-common.inc netfilter - -# CLOBBERED COMMENTS -# chromium/iridium is distributed with a perl script on Arch diff --git a/etc/kodi.profile b/etc/kodi.profile index f3eb6867f..06db44132 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile @@ -27,6 +27,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# novideo diff --git a/etc/kwrite.profile b/etc/kwrite.profile index 3b3045e07..b6406cc0d 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile @@ -22,6 +22,7 @@ netfilter nogroups nonewprivs noroot +# nosound - KWrite is using ALSA! protocol unix seccomp shell none @@ -31,6 +32,3 @@ tracelog private-dev # private-etc fonts private-tmp - -# CLOBBERED COMMENTS -# nosound - KWrite is using ALSA! diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index e2c8d0878..8387fef98 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -28,6 +28,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# whitelist /tmp/.X11-unix/ diff --git a/etc/liferea.profile b/etc/liferea.profile index a0dd1a1ff..f9c050acb 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile @@ -24,9 +24,11 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter +# no3d nogroups nonewprivs noroot +# nosound novideo protocol unix,inet,inet6 seccomp @@ -38,7 +40,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# no3d -# nosound diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index 961fca905..bbceee7c7 100644 
--- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -29,6 +29,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# luminance-hdr diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index 22ecbaa6f..771211b31 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -12,8 +12,6 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter +# noroot - somehow this breaks on Debian Jessie! protocol unix,inet,inet6 seccomp - -# CLOBBERED COMMENTS -# noroot - somehow this breaks on Debian Jessie! diff --git a/etc/midori.profile b/etc/midori.profile index f3a219f52..5b390a170 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -36,9 +36,7 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter nonewprivs +# noroot - problems on Ubuntu 14.04 protocol unix,inet,inet6,netlink seccomp tracelog - -# CLOBBERED COMMENTS -# noroot - porblems on Ubuntu 14.04 diff --git a/etc/mplayer.profile b/etc/mplayer.profile index 25bcef47a..b431e4695 100644 --- a/etc/mplayer.profile +++ b/etc/mplayer.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter +# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink @@ -26,6 +27,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# nogroups diff --git a/etc/mpv.profile b/etc/mpv.profile index 7c1e5ea27..56192ac17 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -25,6 +25,3 @@ tracelog private-bin mpv,youtube-dl,python,python2.7,python3.6,env private-dev - -# CLOBBERED COMMENTS -# to test diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 882f17485..a2f5d46b4 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile @@ -27,6 +27,7 @@ nonewprivs noroot novideo protocol unix,inet,inet6 +# seccomp shell none disable-mnt @@ -35,6 +36,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# seccomp 
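Review bot: `# noroot - problems on Ubuntu 14.04` in the midori hunk (and `# noroot - somehow this breaks on Debian Jessie!` in the lxterminal hunk above it) records that the user-namespace hardening is switched off but gives no date, issue reference or failure mode, so nobody can tell when it is safe to re-enable. Suggest `# noroot disabled: broke on Ubuntu 14.04 (<issue/date>); re-test on current releases` so the exemption is revisited rather than carried indefinitely. The typo fix (porblems → problems) is fine.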
diff --git a/etc/mupdf.profile b/etc/mupdf.profile index a55a01206..4b98552c4 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -19,6 +19,7 @@ noroot nosound protocol unix seccomp +# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev shell none tracelog @@ -26,9 +27,5 @@ tracelog private-dev private-etc fonts private-tmp -read-only ${HOME} - -# CLOBBERED COMMENTS -# Experimental: # mupdf will never write anything -# seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev +read-only ${HOME} diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 9c3bfe658..f0680c4ce 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# you'll need to manually whitelist ROM files mkdir ${HOME}/.config/mupen64plus mkdir ${HOME}/.local/share/mupen64plus whitelist ${HOME}/.config/mupen64plus/ @@ -24,6 +25,3 @@ net none nonewprivs noroot seccomp - -# CLOBBERED COMMENTS -# manually whitelist ROM files diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 350e7f9b6..2da8f32d7 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile 
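Review bot: The old tail of mupdf.profile carried `# Experimental:` directly above the `seccomp.keep` list; the restored placement puts `# seccomp.keep ...` under the active `seccomp` line with no such marker, so it now reads as a vetted drop-in alternative rather than an untested allow-list. Suggest `# Experimental, untested allow-list alternative to the default seccomp filter:` immediately above it. Moving `# mupdf will never write anything` to sit directly above `read-only ${HOME}` is an improvement — the comment now explains the directive it justifies.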
@@ -5,6 +5,9 @@ include /etc/firejail/nautilus.local # Persistent global definitions include /etc/firejail/globals.local +# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there +# is already a nautilus process running on gnome desktops firejail will have no effect. + noblacklist ~/.config/nautilus noblacklist ~/.local/share/Trash noblacklist ~/.local/share/nautilus @@ -25,12 +28,8 @@ seccomp shell none tracelog +# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files # private-bin nautilus # private-dev # private-etc fonts # private-tmp - -# CLOBBERED COMMENTS -# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there -# is already a nautilus process running on gnome desktops firejail will have no effect. -# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index e4c87e5b9..2587027ab 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile @@ -28,7 +28,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound diff --git a/etc/palemoon.profile b/etc/palemoon.profile index ab72497c0..e3e498195 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile 
@@ -12,6 +12,26 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-programs.inc +# These are uncommented in the Firefox profile. If you run into trouble you may +# want to uncomment (some of) them. +#whitelist ~/dwhelper +#whitelist ~/.zotero +#whitelist ~/.vimperatorrc +#whitelist ~/.vimperator +#whitelist ~/.pentadactylrc +#whitelist ~/.pentadactyl +#whitelist ~/.keysnail.js +#whitelist ~/.config/gnome-mplayer +#whitelist ~/.cache/gnome-mplayer/plugin +#whitelist ~/.pki +#whitelist ~/.lastpass + +# For silverlight +#whitelist ~/.wine-pipelight +#whitelist ~/.wine-pipelight64 +#whitelist ~/.config/pipelight-widevine +#whitelist ~/.config/pipelight-silverlight5.1 + mkdir ~/.cache/moonchild productions/pale moon mkdir ~/.moonchild productions whitelist ${DOWNLOADS} @@ -34,22 +54,3 @@ tracelog # private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse # private-opt palemoon private-tmp - -# CLOBBERED COMMENTS -# For silverlight -# want to uncomment (some of) them. -# whitelist ~/.cache/gnome-mplayer/plugin -# whitelist ~/.config/gnome-mplayer -# whitelist ~/.config/pipelight-silverlight5.1 -# whitelist ~/.config/pipelight-widevine -# whitelist ~/.keysnail.js -# whitelist ~/.lastpass -# whitelist ~/.pentadactyl -# whitelist ~/.pentadactylrc -# whitelist ~/.pki -# whitelist ~/.vimperator -# whitelist ~/.vimperatorrc -# whitelist ~/.wine-pipelight -# whitelist ~/.wine-pipelight64 -# whitelist ~/.zotero -# whitelist ~/dwhelper diff --git a/etc/pingus.profile b/etc/pingus.profile index 6699b7944..848bf88ad 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile @@ -28,7 +28,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound 
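Review bot: The restored whitelist block in the first hunk offers only a generic "if you run into trouble" hint, yet two of its entries, `#whitelist ~/.pki` and `#whitelist ~/.lastpass`, would widen what the jail can read to what are, judging by the paths, a certificate/key store and a password-manager directory; enabling those should be a deliberate choice, not a troubleshooting step. I would annotate them inline: `#whitelist ~/.pki  # exposes what is presumably the NSS key/cert store to the jail` and `#whitelist ~/.lastpass  # exposes password-manager data to the jail`. Minor style point: the rest of this commit writes disabled directives as `# whitelist …` with a space (compare `# private-etc` in the second hunk), while this block uses `#whitelist …`.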
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 5dcba0825..025a6fa61 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -35,12 +35,9 @@ noroot nosound protocol unix,inet,inet6,netlink seccomp +# shell none # private-bin qbittorrent private-dev # private-etc X11,fonts,xdg,resolv.conf private-tmp - -# CLOBBERED COMMENTS -# shell none -# there are some problems with "Open destination folder", see bug # 536 diff --git a/etc/rambox.profile b/etc/rambox.profile index ea88b472c..a5b87e901 100644 --- a/etc/rambox.profile +++ b/etc/rambox.profile @@ -26,6 +26,4 @@ nonewprivs noroot protocol unix,inet,inet6,netlink seccomp - -# CLOBBERED COMMENTS # tracelog diff --git a/etc/ranger.profile b/etc/ranger.profile index 3915cffb6..3767c7ba8 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -5,6 +5,7 @@ include /etc/firejail/ranger.local # Persistent global definitions include /etc/firejail/globals.local +# noblacklist /usr/bin/cpan* noblacklist /usr/bin/perl noblacklist /usr/lib/perl* noblacklist /usr/share/perl* @@ -25,6 +26,3 @@ protocol unix seccomp private-dev - -# CLOBBERED COMMENTS -# noblacklist /usr/bin/cpan* diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 9f8e8fb1a..ac8882165 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile @@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter +# no3d nogroups nonewprivs noroot @@ -28,6 +29,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# no3d diff --git a/etc/scribus.profile b/etc/scribus.profile index 73343f5da..7e117dcd1 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile @@ -5,6 +5,7 @@ include /etc/firejail/scribus.local # Persistent global definitions include /etc/firejail/globals.local +# Support for PDF readers (Scribus 1.5 and higher) noblacklist ~/.config/okularpartrc noblacklist ~/.config/okularrc noblacklist ~/.config/scribus 
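Review bot: `# shell none` is restored in the qbittorrent hunk, but the rationale that sat beside it in the clobbered block (`# there are some problems with "Open destination folder", see bug # 536`) was not, so the reason for leaving `shell none` (or `# private-bin qbittorrent` — the old block does not say which directive it referred to) disabled is now lost. Without it the next cleanup pass is likely to re-enable the directive and reintroduce the breakage. I would restore it next to whichever directive it belongs to, e.g. `# shell none - breaks "Open destination folder", see bug #536`, after confirming against the issue.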
@@ -35,6 +36,3 @@ tracelog private-dev # private-tmp - -# CLOBBERED COMMENTS -# Support for PDF readers (Scribus 1.5 and higher) diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index d6c6886c7..a55388fee 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile @@ -20,12 +20,10 @@ noroot nosound protocol unix,inet,inet6 shell none +# seccomp tracelog # private-bin simple-scan # private-dev # private-etc fonts # private-tmp - -# CLOBBERED COMMENTS -# seccomp diff --git a/etc/simutrans.profile b/etc/simutrans.profile index 32c0436f8..d67d2a575 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile @@ -28,7 +28,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound diff --git a/etc/skanlite.profile b/etc/skanlite.profile index f6e27a474..25f0107f8 100644 --- a/etc/skanlite.profile +++ b/etc/skanlite.profile @@ -17,6 +17,7 @@ nogroups nonewprivs noroot nosound +# protocol unix,inet,inet6 seccomp shell none @@ -24,6 +25,3 @@ shell none # private-dev # private-etc # private-tmp - -# CLOBBERED COMMENTS -# protocol unix,inet,inet6 diff --git a/etc/smplayer.profile b/etc/smplayer.profile index d3ff02ddf..d8861f937 100644 --- a/etc/smplayer.profile +++ b/etc/smplayer.profile @@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter +# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink @@ -27,6 +28,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# nogroups diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 520524192..f2c88c943 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -23,6 +23,3 @@ nonewprivs noroot protocol unix,inet,inet6 seccomp - -# CLOBBERED COMMENTS -# ssh-agent diff --git a/etc/ssh.profile b/etc/ssh.profile index 0f9950a81..ac3b7a0ba 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile 
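Review bot: In the simple-scan hunk `# seccomp` is restored with no reason given, so the profile now records that the syscall filter is off but not why, unlike the wireshark profile in this same commit which annotates each disabled directive with `- breaks …`. A disabled seccomp filter is a notable weakening for a program that handles scanner data, so the cause should be written down: `# seccomp - TODO: note what breaks with it enabled (scanner backend?)`, with the parenthetical confirmed before committing.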
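Review bot: Same pattern in the skanlite hunk: `# protocol unix,inet,inet6` is restored without a rationale, so a reader cannot tell whether it is disabled because it broke something or because it was never tested. A one-clause reason such as `# protocol unix,inet,inet6 - breaks <what>`, or an explicit `# TODO: untested` marker, keeps the next maintainer from guessing.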
@@ -33,6 +33,3 @@ private-dev memory-deny-write-execute noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# ssh client diff --git a/etc/steam.profile b/etc/steam.profile index b3b62471d..d928e660d 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/steam noblacklist ${HOME}/.steam noblacklist ${HOME}/.steampath noblacklist ${HOME}/.steampid +# with >=llvm-4 mesa drivers need llvm stuff noblacklist /usr/lib/llvm* include /etc/firejail/disable-common.inc @@ -26,15 +27,12 @@ netfilter nogroups nonewprivs noroot +# novideo protocol unix,inet,inet6,netlink seccomp shell none +# tracelog disabled as it breaks integrated browser +# tracelog private-dev private-tmp - -# CLOBBERED COMMENTS -# novideo -# tracelog -# tracelog disabled as it breaks integrated browser -# with >=llvm-4 mesa drivers need llvm stuff diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 87ad8da7f..4e70f9e8c 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile @@ -28,7 +28,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile index 02db74df3..6861e6efb 100644 --- a/etc/synfigstudio.profile +++ b/etc/synfigstudio.profile @@ -29,6 +29,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# synfigstudio diff --git a/etc/tar.profile b/etc/tar.profile index c3b5aa0e6..817e51542 100644 --- a/etc/tar.profile +++ b/etc/tar.profile @@ -16,11 +16,9 @@ nosound shell none tracelog +# support compressed archives private-bin sh,bash,dash,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop private-dev private-etc passwd,group,localtime include /etc/firejail/default.profile - -# CLOBBERED COMMENTS -# support compressed archives diff --git a/etc/thunderbird.profile b/etc/thunderbird.profile index c80f76aa8..d3b7ee871 100644 
--- a/etc/thunderbird.profile +++ b/etc/thunderbird.profile @@ -5,6 +5,9 @@ include /etc/firejail/thunderbird.local # Persistent global definitions include /etc/firejail/globals.local +# Users have thunderbird set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories + noblacklist ~/.cache/thunderbird noblacklist ~/.gnupg noblacklist ~/.icedove @@ -27,9 +30,5 @@ ignore private-tmp read-only ~/.config/mimeapps.list read-only ~/.local/share/applications -include /etc/firejail/firefox.profile - -# CLOBBERED COMMENTS -# Users have thunderbird set to open a browser by clicking a link in an email -# We are not allowed to blacklist browser-specific directories # allow browsers +include /etc/firejail/firefox.profile diff --git a/etc/tracker.profile b/etc/tracker.profile index 98040133c..feb8b4fd3 100644 --- a/etc/tracker.profile +++ b/etc/tracker.profile @@ -5,6 +5,8 @@ include /etc/firejail/tracker.local # Persistent global definitions include /etc/firejail/globals.local +# Tracker is started by systemd on most systems. Therefore it is not firejailed by default + blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc @@ -28,6 +30,3 @@ tracelog # private-dev # private-etc fonts # private-tmp - -# CLOBBERED COMMENTS -# Tracker is started by systemd on most systems. Therefore it is not firejailed by default diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index fc24fc04d..e09b65632 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile @@ -27,7 +27,3 @@ shell none private-dev # private-etc none private-tmp - -# CLOBBERED COMMENTS -# depending on your usage, you can enable some of the commands below: -# nosound diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile index ca7987932..e94dec35c 100644 --- a/etc/virtualbox.profile +++ b/etc/virtualbox.profile 
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.VirtualBox noblacklist ${HOME}/.config/VirtualBox noblacklist ${HOME}/VirtualBox VMs +# noblacklist /usr/bin/virtualbox noblacklist /usr/lib/virtualbox noblacklist /usr/lib64/virtualbox @@ -23,6 +24,3 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter - -# CLOBBERED COMMENTS -# noblacklist /usr/bin/virtualbox diff --git a/etc/vivaldi.profile b/etc/vivaldi.profile index 1b63f1573..ae9b49e8c 100644 --- a/etc/vivaldi.profile +++ b/etc/vivaldi.profile @@ -29,6 +29,3 @@ private-dev noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# disable-mnt diff --git a/etc/vlc.profile b/etc/vlc.profile index c95f6f048..a41f367dd 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc caps.drop all netfilter +# nogroups nonewprivs noroot protocol unix,inet,inet6,netlink @@ -26,7 +27,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# memory-deny-write-execute - breaks playing videos -# nogroups diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 157fe3e81..9569226aa 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -12,6 +12,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# mkdir ~/.warzone2100-3.1 +# mkdir ~/.warzone2100-3.2 whitelist ~/.warzone2100-3.1 whitelist ~/.warzone2100-3.2 include /etc/firejail/whitelist-common.inc @@ -30,8 +32,3 @@ disable-mnt private-bin warzone2100 private-dev private-tmp - -# CLOBBERED COMMENTS -# Call these options -# mkdir ~/.warzone2100-3.1 -# mkdir ~/.warzone2100-3.2 diff --git a/etc/weechat.profile b/etc/weechat.profile index 75a4dc4a7..833414f3e 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile 
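Review bot: The vlc hunk restores `# nogroups` but silently drops the other clobbered line, `# memory-deny-write-execute - breaks playing videos`, which was the only record of why that hardening option is absent from the profile. The commit message admits some comments were lost; this one is worth putting back near `noexec /tmp` at the end of the file as `# memory-deny-write-execute - breaks playing videos`, so nobody re-adds the option without knowing it breaks playback.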
@@ -17,7 +17,6 @@ noroot protocol unix,inet,inet6 seccomp -# CLOBBERED COMMENTS +# no private-bin support for various reasons: # Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc, # logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins -# no private-bin support for various reasons: diff --git a/etc/wire.profile b/etc/wire.profile index f20dfe8e2..aacea9940 100644 --- a/etc/wire.profile +++ b/etc/wire.profile @@ -5,6 +5,9 @@ include /etc/firejail/wire.local # Persistent global definitions include /etc/firejail/globals.local +# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. +# To use wire with firejail run "firejail /opt/Wire/wire" + noblacklist ~/.config/Wire noblacklist ~/.config/wire @@ -25,7 +28,3 @@ shell none disable-mnt private-dev private-tmp - -# CLOBBERED COMMENTS -# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH. -# To use wire with firejail run "firejail /opt/Wire/wire" diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 0c4bc8029..8a25ec011 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile @@ -12,9 +12,15 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +# caps.drop all netfilter no3d +# nogroups - breaks unprivileged wireshark usage +# nonewprivs - breaks unprivileged wireshark usage +# noroot nosound +# protocol unix,inet,inet6,netlink +# seccomp - breaks unprivileged wireshark usage shell none tracelog @@ -25,11 +31,3 @@ private-tmp noexec ${HOME} noexec /tmp - -# CLOBBERED COMMENTS -# caps.drop all -# nogroups - breaks unprivileged wireshark usage -# nonewprivs - breaks unprivileged wireshark usage -# noroot -# protocol unix,inet,inet6,netlink -# seccomp - breaks unprivileged wireshark usage -- cgit v1.2.3-70-g09d2
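Review bot: Of the six restored disabled directives in the wireshark hunk, `# caps.drop all`, `# noroot` and `# protocol unix,inet,inet6,netlink` carry no reason, while their neighbours say `- breaks unprivileged wireshark usage`; with caps.drop, nonewprivs and seccomp all off, this profile is mostly filesystem isolation (netfilter stays active), which a reader should see at a glance. I would add a header above the group: `# caps.drop/nonewprivs/seccomp/noroot are disabled because they break unprivileged capture (presumably the privileged capture helper - confirm); this profile mainly restricts the filesystem` and give `# caps.drop all` and `# noroot` their own `- breaks …` clause once confirmed. If those three are simply untested rather than known to break, say that instead.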