From 9fca4500c4d527afce3bd2228388c4a1990772a9 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Thu, 13 May 2021 13:48:23 +0000 Subject: Follow-up for #4165 (#4271) * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * Follow-up for #4165 * fix noroot comment As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630981737). * fix dbus-user comment As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630982527). * fix private-dev comment As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630980029). * fix private-etc comment As suggested [here](https://github.com/netblue30/firejail/pull/4271#discussion_r630979698). * move writable-var comment cfr. profile.template --- etc/profile-m-z/minecraft-launcher.profile | 6 ++++-- etc/profile-m-z/nano.profile | 6 +++++- etc/profile-m-z/ostrichriders.profile | 2 +- etc/profile-m-z/spotify.profile | 2 +- etc/profile-m-z/steam.profile | 22 ++++++++++++---------- etc/profile-m-z/sysprof.profile | 16 ++++++++++++---- 6 files changed, 35 insertions(+), 19 deletions(-) (limited to 'etc/profile-m-z') diff --git a/etc/profile-m-z/minecraft-launcher.profile b/etc/profile-m-z/minecraft-launcher.profile index cdea91b8f..2536d0b38 100644 --- a/etc/profile-m-z/minecraft-launcher.profile +++ b/etc/profile-m-z/minecraft-launcher.profile @@ -6,7 +6,8 @@ include minecraft-launcher.local # Persistent global definitions include globals.local -# On some distros executable may be in '/opt/minecraft-launcher/', if so, run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. +# Some distros put the executable in /opt/minecraft-launcher. +# Run 'firejail /opt/minecraft-launcher/minecraft-launcher' to start it. ignore noexec ${HOME} 
@@ -50,7 +51,8 @@ disable-mnt private-bin java,java-config,minecraft-launcher private-cache private-dev -# If multiplayer or realms break add your own java folder from /etc or comment the line below. +# If multiplayer or realms break, add 'private-etc ' +# or 'ignore private-etc' to your minecraft-launcher.local. private-etc alternatives,asound.conf,ati,ca-certificates,crypto-policies,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,java-10-openjdk,java-11-openjdk,java-12-openjdk,java-13-openjdk,java-14-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java-openjdk,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,login.defs,machine-id,mime.types,nvidia,passwd,pki,pulse,resolv.conf,selinux,services,ssl,timezone,X11,xdg private-opt minecraft-launcher private-tmp diff --git a/etc/profile-m-z/nano.profile b/etc/profile-m-z/nano.profile index 45d5f59dd..4698c2287 100644 --- a/etc/profile-m-z/nano.profile +++ b/etc/profile-m-z/nano.profile @@ -47,8 +47,12 @@ x11 none private-bin nano,rnano private-cache private-dev -# Comment the next line if you want to edit files in /etc directly +# Add the next lines to your nano.local if you want to edit files in /etc directly. +#ignore private-etc +#writable-etc private-etc alternatives,nanorc +# Add the next line to your nano.local if you want to edit files in /var directly. +#writable-var dbus-user none dbus-system none diff --git a/etc/profile-m-z/ostrichriders.profile b/etc/profile-m-z/ostrichriders.profile index e0be078a7..310b90919 100644 --- a/etc/profile-m-z/ostrichriders.profile +++ b/etc/profile-m-z/ostrichriders.profile @@ -29,6 +29,7 @@ ipc-namespace net none nodvd nogroups +# Add 'ignore noinput' to your ostrichriders.local if you need controller support. noinput nonewprivs noroot @@ -43,7 +44,6 @@ tracelog disable-mnt private-bin ostrichriders private-cache -# comment the following line if you need controller support private-dev private-tmp 
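Review bot: In minecraft-launcher.profile the new comment reads `add 'private-etc '` with nothing after the keyword, so as shown it does not say what the user should add. The placeholder for the Java folder may simply have been lost when this page was rendered, but if it is also missing in the file it should be restored, for example `# If multiplayer or realms break, add 'private-etc JAVA_DIR_FROM_ETC'` (placeholder name is mine). The comment also presents `ignore private-etc` as an equal alternative, although it drops the /etc allow-list entirely while the first option only adds one directory; saying "try the first, fall back to the second" would keep users on the narrower change. The spotify.profile and steam.profile hunks give the same `ignore private-etc` advice with no narrower alternative.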
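Review bot: In nano.profile the new comment tells the user to add "the next lines" to nano.local, but those lines (`#ignore private-etc`, `#writable-etc`, `#writable-var`) carry a leading `#`, so copied verbatim they stay comments and change nothing. Wording such as `# Add the next lines (without the leading '#') to your nano.local if you want to edit files in /etc directly.` removes the ambiguity; the steam.profile and sysprof.profile hunks use the same "add the next line" pattern. It would also help to state the trade-off in the comment: with `ignore private-etc` plus `writable-etc` the editor works on the real /etc read-write instead of the two-entry view that `private-etc alternatives,nanorc` provides, and `writable-var` does the same for /var.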
diff --git a/etc/profile-m-z/spotify.profile b/etc/profile-m-z/spotify.profile index f679be9e7..01bc2bc05 100644 --- a/etc/profile-m-z/spotify.profile +++ b/etc/profile-m-z/spotify.profile @@ -44,7 +44,7 @@ tracelog disable-mnt private-bin bash,cat,dirname,find,grep,head,rm,sh,spotify,tclsh,touch,zenity private-dev -# Comment the next line or put 'ignore private-etc' in your spotify.local if want to see the albums covers or if you want to use the radio +# If you want to see album covers or want to use the radio, add 'ignore private-etc' to your spotify.local. private-etc alternatives,ca-certificates,crypto-policies,fonts,group,host.conf,hosts,ld.so.cache,machine-id,nsswitch.conf,pki,pulse,resolv.conf,ssl private-opt spotify private-srv none diff --git a/etc/profile-m-z/steam.profile b/etc/profile-m-z/steam.profile index 369255324..06d08f3a2 100644 --- a/etc/profile-m-z/steam.profile +++ b/etc/profile-m-z/steam.profile @@ -119,7 +119,7 @@ whitelist ${HOME}/.steampid include whitelist-common.inc include whitelist-var-common.inc -# Note: The following were intentionally left out as they are alternative +# NOTE: The following were intentionally left out as they are alternative # (i.e.: unnecessary and/or legacy) paths whose existence may potentially # clobber other paths (see #4225). If you use any, either add the entry to # steam.local or move the contents to a path listed above (or open an issue if 
@@ -131,34 +131,36 @@ caps.drop all #ipc-namespace netfilter nodvd -# nVidia users may need to comment / ignore nogroups and noroot nogroups nonewprivs +# If you use nVidia you might need to add 'ignore noroot' to your steam.local. noroot notv nou2f -# novideo should be commented for VR +# For VR support add 'ignore novideo' to your steam.local. novideo protocol unix,inet,inet6,netlink -# seccomp sometimes causes issues (see #2951, #3267), -# comment it or add 'ignore seccomp' to steam.local if so. +# seccomp sometimes causes issues (see #2951, #3267). +# Add 'ignore seccomp' to your steam.local if you experience this. seccomp !ptrace shell none # tracelog breaks integrated browser #tracelog -# private-bin is disabled while in testing, but has been tested working with multiple games +# private-bin is disabled while in testing, but is known to work with multiple games. +# Add the next line to your steam.local to enable private-bin. #private-bin awk,basename,bash,bsdtar,bzip2,cat,chmod,cksum,cmp,comm,compress,cp,curl,cut,date,dbus-launch,dbus-send,desktop-file-edit,desktop-file-install,desktop-file-validate,dirname,echo,env,expr,file,find,getopt,grep,gtar,gzip,head,hostname,id,lbzip2,ldconfig,ldd,ln,ls,lsb_release,lsof,lspci,lz4,lzip,lzma,lzop,md5sum,mkdir,mktemp,mv,netstat,ps,pulseaudio,python*,readlink,realpath,rm,sed,sh,sha1sum,sha256sum,sha512sum,sleep,sort,steam,steamdeps,steam-native,steam-runtime,sum,tail,tar,tclsh,test,touch,tr,umask,uname,update-desktop-database,wc,wget,which,whoami,xterm,xz,zenity -# extra programs are available which might be needed for select games +# Extra programs are available which might be needed for select games. +# Add the next line to your steam.local to enable support for these programs. #private-bin java,java-config,mono -# picture viewers are needed for viewing screenshots +# To view screenshots add the next line to your steam.local. 
#private-bin eog,eom,gthumb,pix,viewnior,xviewer private-dev -# private-etc breaks a small selection of games on some systems, comment to support those +# private-etc breaks a small selection of games on some systems. Add 'ignore private-etc' +# to your steam.local to support those. private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dbus-1,drirc,fonts,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,lsb-release,machine-id,mime.types,nvidia,os-release,passwd,pki,pulse,resolv.conf,services,ssl private-tmp -# breaks appindicator support # dbus-user none # dbus-system none diff --git a/etc/profile-m-z/sysprof.profile b/etc/profile-m-z/sysprof.profile index 2473988e4..b52b25b96 100644 --- a/etc/profile-m-z/sysprof.profile +++ b/etc/profile-m-z/sysprof.profile @@ -15,8 +15,15 @@ include disable-passwdmgr.inc include disable-programs.inc include disable-xdg.inc -# help menu functionality (yelp) - comment or add this block prepended with 'ignore' -# to your sysprof.local if you don't need the help functionality +# Add the next lines to your sysprof.local if you don't need (yelp) help menu functionality. +#ignore noblacklist ${HOME}/.config/yelp +#ignore mkdir ${HOME}/.config/yelp +#nowhitelist ${HOME}/.config/yelp +#nowhitelist /usr/share/help/C/sysprof +#nowhitelist /usr/share/yelp +#nowhitelist /usr/share/yelp-tools +#nowhitelist /usr/share/yelp-xsl + noblacklist ${HOME}/.config/yelp mkdir ${HOME}/.config/yelp whitelist ${HOME}/.config/yelp @@ -41,7 +48,8 @@ nodvd nogroups noinput nonewprivs -# Ubuntu 16.04 version needs root privileges - comment or put 'ignore noroot' in sysprof.local if you run Xenial +# Some older Debian/Ubuntu sysprof versions need root privileges. +# Add 'ignore noroot' to your sysprof.local if you run one of these. noroot nosound notv 
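Review bot: In steam.profile, removing `# breaks appindicator support` leaves the commented-out `# dbus-user none` and `# dbus-system none` lines with no stated reason, so a reader can no longer tell that D-Bus is deliberately left unrestricted in this sandbox. If the old reason still holds, keep it in a clearer form, e.g. `# D-Bus is left unrestricted: 'dbus-user none' breaks appindicator support.`; if it was wrong, replace it with the real reason rather than dropping it. Separately, the nVidia hint used to cover both `nogroups` and `noroot`, but now sits below `nogroups` and mentions only `ignore noroot`; that is fine if `nogroups` no longer needs relaxing, otherwise the hint has lost information.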
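Review bot: In sysprof.profile the rewritten `noroot` comment replaces the concrete "Ubuntu 16.04" with "Some older Debian/Ubuntu sysprof versions", which gives users no way to tell whether the relaxation applies to them. Since `ignore noroot` switches off a hardening option, the comment should keep a concrete marker so it is not applied more widely than needed, e.g. `# Some older Debian/Ubuntu sysprof versions (e.g. the one in Ubuntu 16.04) need root privileges.`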
@@ -57,7 +65,7 @@ disable-mnt private-cache private-dev private-etc alternatives,fonts,ld.so.cache,machine-id,ssl -# private-lib breaks help menu +# private-lib - breaks help menu #private-lib gdk-pixbuf-2.*,gio,gtk3,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*,libsysprof-2.so,libsysprof-ui-2.so private-tmp -- cgit v1.2.3-70-g09d2