From c3c52ef0a64cc04676a551d8bbb4d80a8ac61954 Mon Sep 17 00:00:00 2001 From: pirate486743186 Date: Mon, 31 May 2021 20:44:46 +0200 Subject: reorganizing links browsers (#4320) * Create links-common.profile * Update links.profile * Create links2.profile * Update links.profile * Update links2.profile * Update elinks.profile * Update elinks.profile * links2 * Update firecfg.config * Update xlinks.profile * .xlinks * add dbus and whitelist-usr-share-common * .xlinks doesn't exist * revert * Create xlinks2 * xlinks2 * Update xlinks2 * Update xlinks.profile * no wayland * no wayland * doesn't use /tmp/.X11-unix * doesn't use /tmp/.X11-unix * noblacklist /tmp/.X11-unix * noblacklist /tmp/.X11-unix
---
 etc/profile-a-l/elinks.profile | 38 ++++------------------ etc/profile-a-l/links-common.profile | 63 ++++++++++++++++++++++++++++++++++++ etc/profile-a-l/links.profile | 54 ++----------------------------- etc/profile-a-l/links2.profile | 18 +++++++++++ 4 files changed, 90 insertions(+), 83 deletions(-) create mode 100644 etc/profile-a-l/links-common.profile create mode 100644 etc/profile-a-l/links2.profile (limited to 'etc/profile-a-l')
diff --git a/etc/profile-a-l/elinks.profile b/etc/profile-a-l/elinks.profile
index 8120725d2..5a29eb24b 100644
--- a/etc/profile-a-l/elinks.profile
+++ b/etc/profile-a-l/elinks.profile
@@ -1,6 +1,7 @@
 # Firejail profile for elinks
 # Description: Advanced text-mode WWW browser
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include elinks.local
 # Persistent global definitions
@@ -8,37 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.elinks
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
+mkdir ${HOME}/.elinks
+whitelist ${HOME}/.elinks
 
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
+private-bin elinks
 
-include whitelist-runuser-common.inc
-
-caps.drop all
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-# private-bin elinks
-private-cache
-private-dev
-# private-etc alternatives,ca-certificates,crypto-policies,pki,ssl
-private-tmp
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links-common.profile b/etc/profile-a-l/links-common.profile
new file mode 100644
index 000000000..cd885b1d4
--- /dev/null
+++ b/etc/profile-a-l/links-common.profile
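Review bot: In elinks.profile the redirect switches on `private-bin` and `private-etc` for elinks, which the old profile carried only as commented-out lines (`# private-bin elinks`, `# private-etc …`), and nothing in the hunk records that they were retested for this browser. Through links-common.profile elinks also newly gets, among others, `disable-exec.inc`, `ipc-namespace`, `machine-id`, `disable-mnt`, `dbus-user none`, `dbus-system none` and `memory-deny-write-execute`. If one of these proves too strict for elinks, the override belongs in this file ahead of the include, for example `ignore memory-deny-write-execute`, so that links and links2 keep the tighter setting. A one-line comment above `# Redirect` saying which of the inherited options were verified with elinks would make the intent reviewable.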
@@ -0,0 +1,63 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include links-common.local
+
+# common profile for links browsers
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
+# used as associated programs can be added in your links-common.local.
+include disable-programs.inc
+include disable-xdg.inc
+
+whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+# Add 'ignore machine-id' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+machine-id
+netfilter
+# Add 'ignore no3d' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+# Add 'ignore nosound' to your links-common.local if you want to restrict access to
+# the user-configured associated media player.
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+disable-mnt
+# Add 'private-bin PROGRAM1,PROGRAM2' to your links-common.local if you want to use user-configured programs.
+private-bin sh
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
+# Add the next line to your links-common.local to allow external media players.
+# private-etc alsa,asound.conf,machine-id,openal,pulse
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index a1eeda14a..8ce39cc7f 100644
--- a/etc/profile-a-l/links.profile
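Review bot: The three override comments above `machine-id`, `no3d` and `nosound` tell the user to add an `ignore` line "if you want to restrict access to" the media player, but `ignore` drops the restriction, so a reader could loosen the sandbox while believing they are tightening it. Suggested wording, repeated for the other two options: `# Add 'ignore nosound' to your links-common.local to allow sound for the` followed by `# user-configured associated media player.` Since links-common.local now relaxes elinks, links and links2 together, the comments could also point to the per-browser .local file as the narrower place for such an override.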
+++ b/etc/profile-a-l/links.profile
@@ -9,58 +9,10 @@ include globals.local
 
 noblacklist ${HOME}/.links
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}/wayland-*
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# used as associated programs can be added in your links.local.
-include disable-programs.inc
-include disable-xdg.inc
-
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
-whitelist ${DOWNLOADS}
-include whitelist-runuser-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-machine-id
-netfilter
-# Add 'ignore no3d' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-# Add 'ignore nosound' to your links.local if you want to restrict access to
-# the user-configured associated media player.
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
 
-disable-mnt
-# Add 'private-bin PROGRAM1,PROGRAM2' to your links.local if you want to use user-configured programs.
-private-bin links,sh
-private-cache
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Add the next line to your links.local to allow external media players.
-# private-etc alsa,asound.conf,machine-id,openal,pulse
-private-tmp
+private-bin links
 
-memory-deny-write-execute
+# Redirect
+include links-common.profile
diff --git a/etc/profile-a-l/links2.profile b/etc/profile-a-l/links2.profile
new file mode 100644
index 000000000..5f91dfcd2
--- /dev/null
+++ b/etc/profile-a-l/links2.profile
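Review bot: `private-bin links` no longer names `sh`; the profile now depends on the `private-bin sh` line in links-common.profile being merged with it, which as far as I know Firejail does by accumulating `private-bin` lists across lines. That dependency deserves a short comment so nobody later collapses or "corrects" one of the two lines, for example `# sh is added by links-common.profile`. The same applies to `private-bin elinks` and `private-bin links2` in the other two profiles. The removed comments pointed users at links.local for `ignore` and `private-bin` overrides; those keep working only while `include links.local` stays ahead of the redirect, and that line sits above this hunk, outside the visible context.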
@@ -0,0 +1,18 @@
+# Firejail profile for links2
+# Description: Text WWW browser with a graphic version
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include links2.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.links2
+
+mkdir ${HOME}/.links2
+whitelist ${HOME}/.links2
+
+private-bin links2
+
+# Redirect
+include links-common.profile
-- cgit v1.2.3-70-g09d2
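Review bot: `noblacklist ${HOME}/.links2` only has an effect if `disable-programs.inc` blacklists that path, and this view is limited to etc/profile-a-l, so the matching entry cannot be checked here. Without a `blacklist ${HOME}/.links2` line in disable-programs.inc, other sandboxed programs that include that file can still read whatever links2 keeps in its directory. Worth confirming the commit adds the entry alongside the existing one for the links directory, or adding it in the same change.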