From 5b649f1a421c7330d9d8181f4ee7774abb2be4c5 Mon Sep 17 00:00:00 2001
From: Melvin Vermeeren
Date: Sat, 16 Sep 2017 13:08:06 -0400
Subject: Add a profile for TeamSpeak3
---
 etc/teamspeak3.profile | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 etc/teamspeak3.profile
(limited to 'etc/teamspeak3.profile')
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
new file mode 100644
index 000000000..7ca5ae666
--- /dev/null
+++ b/etc/teamspeak3.profile
@@ -0,0 +1,25 @@
+# Firejail profile for teamspeak3
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/teamspeak3.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${DOWNLOADS}
+noblacklist ${HOME}/.ts3client
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.ts3client
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.ts3client
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
-- 
cgit v1.2.3-54-g00ecf
From 3c3602fe4e747f3489c917f4de991c9043df9751 Mon Sep 17 00:00:00 2001
From: Tad Date: Sat, 16 Sep 2017 14:11:43 -0400 Subject: Harden 25 profiles --- etc/Viber.profile | 5 +++++ etc/amule.profile | 9 +++++++++ etc/ardour5.profile | 5 ++++- etc/brackets.profile | 14 +++++++++----- etc/calligra.profile | 9 ++++++--- etc/cin.profile | 7 +++++-- etc/dooble.profile | 12 ++++++++++++ etc/fetchmail.profile | 9 ++++++++- etc/freecad.profile | 5 ++++- etc/google-earth.profile | 7 ++++++- etc/imagej.profile | 10 +++++++++- etc/karbon.profile | 24 ++---------------------- etc/kdenlive.profile | 4 ++++ etc/krita.profile | 7 +++++++ etc/linphone.profile | 16 ++++++++++++++++ etc/lmms.profile | 10 ++++++++-- etc/macrofusion.profile | 9 ++++++++- etc/mpd.profile | 13 +++++++++++++ etc/natron.profile | 11 +++++++++-- etc/ricochet.profile | 10 +++++++++- etc/shotcut.profile | 7 +++++-- etc/teamspeak3.profile | 16 ++++++++++++++++ etc/tor-browser-en.profile | 8 ++++++++ etc/tor.profile | 9 +++++++++ etc/zart.profile | 6 ++++++ 25 files changed, 197 insertions(+), 45 deletions(-) (limited to 'etc/teamspeak3.profile') diff --git a/etc/Viber.profile b/etc/Viber.profile index ee1ab6219..468199dd8 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +nodvd nogroups +nonewprivs noroot +notv seccomp shell none +disable-mnt private-bin sh,dig,awk private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf private-tmp diff --git a/etc/amule.profile b/etc/amule.profile index 48aad759d..c59377850 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +no3d +nodvd nogroups nonewprivs noroot +nosound +notv +novideo seccomp shell none private-bin amule private-dev private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 42744f4dd..738b5990a 100644 
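Review bot: The `netfilter` line added to Viber.profile restricts nothing on its own: as far as I read the firejail manual, the default client filter is applied only when the sandbox gets its own network namespace through `net <iface>`, and neither this profile nor the others in this commit set one, so the sandbox keeps the host's network. Keeping the line as a default for users who add `net` in Viber.local is reasonable, but that intent should be stated, e.g. `# netfilter only takes effect if a 'net <iface>' line is added in Viber.local`. The `nonewprivs` and `disable-mnt` additions are the lines that actually tighten this profile.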
--- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs noroot +notv seccomp shell none @@ -29,5 +32,5 @@ private-dev #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/brackets.profile b/etc/brackets.profile index 151d88bdd..0a8c592a7 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile @@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all -# Comment out or use --ignore=net if you want to install extensions or themes -net none -# Disable these if you use live preview (until I figure out a workaround) -# Doing so should be relatively safe since there is no network access +netfilter +nodvd +nogroups +nonewprivs noroot +nosound +notv +novideo +protocol unix,inet,inet6 seccomp +shell none -private-bin bash,brackets,readlink,dirname,google-chrome,cat private-dev diff --git a/etc/calligra.profile b/etc/calligra.profile index 58006f203..e90c8efe8 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile @@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace -net none +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix seccomp shell none private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch private-dev -#private-etc fonts,passwd,alternatives,X11 -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/cin.profile b/etc/cin.profile index e895805eb..93a94c910 100644 --- a/etc/cin.profile +++ b/etc/cin.profile 
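Review bot: The brackets.profile hunk relaxes the sandbox rather than hardening it: `net none` is replaced by `netfilter` plus `protocol unix,inet,inet6`, which grants full outbound network (the client filter does nothing without a `net <iface>`, and `protocol` only limits socket families), and `private-bin` is removed outright, while the comments that explained the previous trade-off are deleted with nothing in their place. If network access is needed for extension installs and live preview, keep that rationale in the profile, e.g. `# Network enabled for extension installs and live preview; add 'net none' to brackets.local if you don't need it`. If it is not needed, `net none` is the stronger setting and should stay.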
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs +notv noroot +protocol unix seccomp shell none private-bin cin private-dev -#private-etc fonts,pulse -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/dooble.profile b/etc/dooble.profile index cbb0f96b8..aabfcd8bb 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile @@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc caps.drop all netfilter +nodvd +nogroups nonewprivs noroot +notv +novideo protocol unix,inet,inet6,netlink seccomp +shell none tracelog + +disable-mnt +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 2b2be4c16..9ee59f453 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter +no3d +nodvd nogroups +nonewprivs noroot nosound +notv +novideo +protocol unix,inet,inet6 seccomp +shell none # private-bin fetchmail,procmail,bash,chmod private-dev -# private-etc passwd,hosts,resolv.conf diff --git a/etc/freecad.profile b/etc/freecad.profile index c2d4661e8..4fde66839 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile @@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs noroot nosound +notv +novideo protocol unix seccomp shell none private-bin freecad,freecadcmd private-dev -#private-etc fonts,passwd,alternatives,X11 private-tmp noexec ${HOME} diff --git a/etc/google-earth.profile b/etc/google-earth.profile index 11d55281a..32da9a5a8 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile 
@@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp shell none private-bin google-earth,sh,grep,sed,ls,dirname private-dev -#private-etc fonts,resolv.conf,X11,alternatives,pulse noexec ${HOME} noexec /tmp diff --git a/etc/imagej.profile b/etc/imagej.profile index 4613e378f..88a56c706 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups nonewprivs noroot +nosound +notv +novideo +protocol unix seccomp +shell none private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln private-dev -# private-etc passwd,alternatives,hosts,fonts,X11 private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/karbon.profile b/etc/karbon.profile index 7d7f25ad0..d94f20012 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile @@ -1,25 +1,5 @@ -# Firejail profile for karbon +# Firejail profile alias for krita # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/karbon.local -# Persistent global definitions -include /etc/firejail/globals.local -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -caps.drop all -ipc-namespace -net none -nogroups -noroot -seccomp -shell none - -private-dev - -noexec /home -noexec /tmp +include /etc/firejail/krita.profile diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b91bd9c41..56bb729e1 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc caps.drop all net none +nodvd nogroups +nonewprivs noroot +notv +protocol unix,inet,inet6 seccomp shell none 
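Review bot: Reducing karbon.profile to `include /etc/firejail/krita.profile` silently drops the `include /etc/firejail/karbon.local` line, so an existing `/etc/firejail/karbon.local` stops being applied with no warning, and the krita profile presumably only reads krita.local. Either keep `include /etc/firejail/karbon.local` above the redirect, or say so in the header: `# Redirect: karbon.local is no longer read, use krita.local instead`. The inherited profile (visible in the krita hunk below) keeps `net none`, which matches what the old karbon.profile had, so nothing is loosened by the redirect itself.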
diff --git a/etc/krita.profile b/etc/krita.profile index d60ef2fa7..2dfd084ef 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups +nonewprivs noroot +nosound +notv +novideo +protocol unix seccomp shell none private-dev +private-tmp noexec /home noexec /tmp diff --git a/etc/linphone.profile b/etc/linphone.profile index 8763b348a..41f9245a2 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile @@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads include /etc/firejail/whitelist-common.inc caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp +shell none + +disable-mnt +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/lmms.profile b/etc/lmms.profile index 14a7209a9..29ed235c6 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile @@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +no3d +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix seccomp shell none private-dev -private-etc fonts,pulse +private-tmp -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index e53f175f8..be66cf6ee 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile @@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd nogroups nonewprivs noroot +nosound +notv +novideo +protocol unix seccomp shell none #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack private-dev -#private-etc fonts private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index ebcdca443..601861083 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile 
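Review bot: `novideo` in the linphone hunk removes /dev/video* from a softphone whose main feature beyond audio is video calls, so the camera becomes unavailable inside the sandbox; the same commit gives the voice-only clients (teamspeak3, Viber) `notv` and leaves video alone only where it is not used. Unless breaking video calls is intended, drop `novideo` here, or keep it commented with a reason: `# novideo disables the camera; enable it in linphone.local if you only make audio calls`. The rest of the hunk (`private-dev`, `disable-mnt`, `noexec`) tightens the profile without affecting calls as far as I can tell.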
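Review bot: The lmms hunk deletes the active `private-etc fonts,pulse` line, which exposes the whole of /etc (passwd, hosts, ssh config, anything else kept there) to the sandbox in a commit titled "Harden", and elsewhere this same commit only comments out `private-etc` hints rather than removing them. If `private-etc` broke LMMS on some setups, keep it as a documented hint, `#private-etc fonts,pulse` with a one-line reason, so the next hardening pass can retry it instead of rediscovering the problem. `net none` limits what an exposed /etc can be used for from inside, but the local disclosure remains.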
@@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc caps.drop all +netfilter +no3d +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp +shell none #private-bin mpd,bash private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/natron.profile b/etc/natron.profile index 8f266f56c..ac89409f1 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -ipc-namespace +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +protocol unix,inet,inet6 +seccomp shell none private-bin natron -#private-etc fonts,X11,pulse noexec ${HOME} noexec /tmp diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 423dfb887..6da0e21d5 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile @@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc caps.drop all ipc-namespace +netfilter +no3d +nodvd nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp shell none +disable-mnt private-bin ricochet,tor private-dev #private-etc fonts,tor,X11,alternatives -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 1a7ce6bce..e30bc1f46 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc caps.drop all net none +nodvd nogroups +nonewprivs noroot +notv +protocol unix seccomp shell none -private-bin shotcut,melt,qmelt,nice +#private-bin shotcut,melt,qmelt,nice private-dev -#private-etc X11,alternatives,pulse,fonts noexec ${HOME} noexec /tmp diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index 7ca5ae666..f8afff551 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile 
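Review bot: `ipc-namespace` is removed from natron.profile in this hunk with no explanation, and nothing in the diff hints at the reason (X11 MIT-SHM or a Qt IPC need would be the usual suspects, but that is an inference). Since this is the one line in the hunk that lowers isolation while everything else raises it, add a comment where it stood, e.g. `# ipc-namespace disabled: Natron needs shared memory (see bug report)`, or restore the line if it was dropped by accident. The rest of the hunk — `caps.drop all`, `noroot`, `seccomp` — fixes a profile that apparently had no capability or syscall restriction at all.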
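Review bot: `private-bin shotcut,melt,qmelt,nice` is commented out in the shotcut hunk with no reason given, leaving a dead line that the next maintainer will either delete or re-enable blindly; the same pattern appears in fetchmail (`#private-bin …`) here and in cin in the follow-up commit. A why-comment resolves that: `# private-bin disabled: shotcut's launcher needs binaries not in this list (TODO: enumerate them)`, with the real reason substituted. If the list was merely incomplete, extending it is preferable to dropping the binary whitelist entirely.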
@@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client include /etc/firejail/whitelist-common.inc caps.drop all +ipc-namespace netfilter +no3d +nodvd +nogroups +nonewprivs noroot +notv +novideo protocol unix,inet,inet6 seccomp +shell none + +disable-mnt +private +private-dev +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 65ea41e18..75a079a2e 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile @@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en include /etc/firejail/whitelist-common.inc caps.drop all +netfilter +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix,inet,inet6 seccomp shell none +disable-mnt private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr private-tmp diff --git a/etc/tor.profile b/etc/tor.profile index 73577825a..fcb123eef 100644 --- a/etc/tor.profile +++ b/etc/tor.profile @@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc caps.keep setuid,setgid,net_bind_service,dac_read_search ipc-namespace +netfilter no3d +nodvd nogroups nonewprivs nosound +notv +novideo +protocol unix,inet,inet6 seccomp shell none writable-var +disable-mnt private private-bin tor,bash private-dev private-etc tor,passwd private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/zart.profile b/etc/zart.profile index 6022e8260..b5897f4a9 100644 --- a/etc/zart.profile +++ b/etc/zart.profile @@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace net none +nodvd +nogroups +nonewprivs noroot +notv +novideo +protocol unix seccomp shell none -- cgit v1.2.3-54-g00ecf From 78bb84ddf277dab653a08f97303894e35433402f Mon Sep 17 00:00:00 2001 
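Review bot: `private` in the teamspeak3 hunk conflicts with the `whitelist ${HOME}/.ts3client` lines above it: `private` mounts an empty temporary home over ${HOME}, so as far as I can tell the whitelisted config directory is no longer visible and TeamSpeak's settings, identities and server list are lost on every start (the "Misc fixes" commit further down this page removes the line, which supports that reading). Drop `private`; the whitelist already limits ${HOME} to ${DOWNLOADS} and ~/.ts3client, and `private-dev`/`private-tmp` can stay. Also, `noexec ${HOME}` will prevent TeamSpeak from dlopen()ing any plugin or addon shared objects it stores under ~/.ts3client, if it does so — worth a comment such as `# noexec ${HOME} blocks plugins stored under ~/.ts3client` so users know where to look.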
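Review bot: `netfilter` in the tor hunk has no effect unless the user also configures a `net <iface>` namespace, and if they do, the default client filter drops unsolicited inbound connections — exactly what a relay or bridge listening on its ORPort needs, which the retained `caps.keep … net_bind_service` suggests is an intended use. Either document that this profile targets a client-only tor, `# netfilter: client filter only; relays/bridges need a custom --netfilter file`, or leave the line out of a profile that keeps net_bind_service. The added `noexec ${HOME}` is harmless but moot next to `private`, which already replaces home with an empty directory.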
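Review bot: `novideo` added to zart.profile removes /dev/video* from what its name suggests is the G'MIC webcam front-end, so the application loses its only input device; the "Misc fixes" commit further down this page reverts it. When reverting, leave a marker so a later hardening sweep does not re-add it, e.g. `# no novideo: zart needs the webcam`.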
From: Tad Date: Sat, 16 Sep 2017 15:35:55 -0400 Subject: Misc fixes Thanks to @Fred-Barclay, @smitsohu and @reinerh for a bunch of these --- etc/Viber.profile | 3 ++- etc/amule.profile | 1 + etc/ardour5.profile | 3 ++- etc/cin.profile | 2 +- etc/disable-programs.inc | 5 ++++- etc/dooble.profile | 6 +++--- etc/fetchmail.profile | 2 +- etc/google-earth.profile | 17 +++++++++++++---- etc/kdenlive.profile | 3 +++ etc/krita.profile | 2 +- etc/mpd.profile | 1 - etc/natron.profile | 6 +++--- etc/teamspeak3.profile | 2 -- etc/tor-browser-en.profile | 35 +++-------------------------------- etc/torbrowser-launcher.profile | 11 +++++++---- etc/x-terminal-emulator.profile | 1 + etc/zart.profile | 1 - 17 files changed, 45 insertions(+), 56 deletions(-) (limited to 'etc/teamspeak3.profile') diff --git a/etc/Viber.profile b/etc/Viber.profile index 468199dd8..03e5f1086 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -25,11 +25,12 @@ nogroups nonewprivs noroot notv +protocol unix,inet,inet6 seccomp shell none disable-mnt -private-bin sh,dig,awk +private-bin sh,bash,dash,dig,awk,Viber private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf private-tmp diff --git a/etc/amule.profile b/etc/amule.profile index c59377850..98ec52015 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -28,6 +28,7 @@ noroot nosound notv novideo +protocol unix,inet,inet6 seccomp shell none diff --git a/etc/ardour5.profile b/etc/ardour5.profile index 738b5990a..69b3dde46 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -24,10 +24,11 @@ nogroups nonewprivs noroot notv +protocol unix seccomp shell none -#private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +#private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-dev #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp 
diff --git a/etc/cin.profile b/etc/cin.profile index 93a94c910..eeeda476f 100644 --- a/etc/cin.profile +++ b/etc/cin.profile @@ -24,7 +24,7 @@ protocol unix seccomp shell none -private-bin cin +#private-bin cin private-dev noexec ${HOME} diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e22fb6fa3..88b7e7d32 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -208,7 +208,10 @@ blacklist ${HOME}/.frozen-bubble blacklist ${HOME}/.gimp* blacklist ${HOME}/.git-credential-cache blacklist ${HOME}/.gitconfig -blacklist ${HOME}/.googleearth +blacklist ${HOME}/.googleearth/Cache/ +blacklist ${HOME}/.googleearth/Temp/ +blacklist ${HOME}/.googleearth/myplaces.backup.kml +blacklist ${HOME}/.googleearth/myplaces.kml blacklist ${HOME}/.gradle blacklist ${HOME}/.guayadeque blacklist ${HOME}/.hedgewars diff --git a/etc/dooble.profile b/etc/dooble.profile index aabfcd8bb..2a57b0ef3 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile @@ -1,4 +1,4 @@ -# Firejail profile for dooble-qt4 +# Firejail profile for dooble # This file is overwritten after every install/update # Persistent local customizations include /etc/firejail/dooble-qt4.local @@ -6,7 +6,7 @@ include /etc/firejail/dooble-qt4.local include /etc/firejail/globals.local -noblacklist ~/.dooble +noblacklist ${HOME}/.dooble include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -15,7 +15,7 @@ include /etc/firejail/disable-programs.inc mkdir ${HOME}/.dooble whitelist ${DOWNLOADS} -whitelist ~/.dooble +whitelist ${HOME}/.dooble include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index 9ee59f453..3fd7f3d75 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -25,5 +25,5 @@ protocol unix,inet,inet6 seccomp shell none -# private-bin fetchmail,procmail,bash,chmod +#private-bin fetchmail,procmail,bash,chmod private-dev 
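Review bot: Replacing `blacklist ${HOME}/.googleearth` with four sub-path entries in disable-programs.inc narrows what is hidden from every other sandbox: anything else in ~/.googleearth (other settings or caches) is now readable by any program whose profile includes disable-programs.inc, where the whole directory was blacklisted before. If the goal was only to let the google-earth profile whitelist parts of the directory, that can presumably be done from the profile side with `noblacklist ${HOME}/.googleearth` plus the narrower `whitelist` lines, keeping the full `blacklist ${HOME}/.googleearth` here. Also, two of the new entries carry a trailing slash while the natron hunk in this same commit strips trailing slashes — pick one convention.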
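Review bot: The dooble header is renamed to "dooble" but the include a few lines below still reads `include /etc/firejail/dooble-qt4.local`, so a user who follows the header and creates dooble.local gets no customizations applied. Either switch to `include /etc/firejail/dooble.local` (optionally keeping the dooble-qt4.local include for compatibility) or keep the header naming the file that is actually read. The `~` → `${HOME}` normalization in this hunk is the right direction; the torbrowser-launcher hunk in this same commit still adds `~` paths.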
diff --git a/etc/google-earth.profile b/etc/google-earth.profile index 32da9a5a8..b60f5b3a5 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile @@ -6,7 +6,10 @@ include /etc/firejail/google-earth.local include /etc/firejail/globals.local noblacklist ${HOME}/.config/Google -noblacklist ${HOME}/.googleearth +noblacklist ${HOME}/.googleearth/Cache/ +noblacklist ${HOME}/.googleearth/Temp/ +noblacklist ${HOME}/.googleearth/myplaces.backup.kml +noblacklist ${HOME}/.googleearth/myplaces.kml include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc @@ -14,9 +17,15 @@ include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/Google -mkdir ${HOME}/.googleearth +mkdir ${HOME}/.googleearth/Cache/ +mkdir ${HOME}/.googleearth/Temp/ +mkfile ${HOME}/.googleearth/myplaces.backup.kml +mkfile ${HOME}/.googleearth/myplaces.kml whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth +whitelist ${HOME}/.googleearth/Cache/ +whitelist ${HOME}/.googleearth/Temp/ +whitelist ${HOME}/.googleearth/myplaces.backup.kml +whitelist ${HOME}/.googleearth/myplaces.kml include /etc/firejail/whitelist-common.inc caps.drop all @@ -32,7 +41,7 @@ protocol unix,inet,inet6 seccomp shell none -private-bin google-earth,sh,grep,sed,ls,dirname +private-bin google-earth,sh,bash,dash,grep,sed,ls,dirname private-dev noexec ${HOME} diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 56bb729e1..a1a5f957c 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -25,3 +25,6 @@ shell none private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev #private-etc fonts,alternatives,X11,pulse,passwd + +noexec ${HOME} +noexec /tmp diff --git a/etc/krita.profile b/etc/krita.profile index 2dfd084ef..e91f5b242 100644 --- a/etc/krita.profile 
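Review bot: The new `mkdir`/`whitelist` entries in google-earth.profile mix trailing-slash paths (`.googleearth/Cache/`, `.googleearth/Temp/`) with slash-less ones, while the natron hunk in this same commit removes trailing slashes from its paths — if firejail matches these paths literally (I cannot confirm from here), the slash variants may not line up with the blacklist entries they are meant to override. Normalize to `${HOME}/.googleearth/Cache` and `${HOME}/.googleearth/Temp`. Separately, `mkfile ${HOME}/.googleearth/myplaces.kml` creates an empty file on the host before the first run; worth confirming Google Earth tolerates an empty rather than absent places file.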
+++ b/etc/krita.profile @@ -28,5 +28,5 @@ shell none private-dev private-tmp -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index 601861083..7bfa47d77 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -17,7 +17,6 @@ caps.drop all netfilter no3d nodvd -nogroups nonewprivs noroot notv diff --git a/etc/natron.profile b/etc/natron.profile index 49eaf2f0d..d77539d83 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -7,9 +7,9 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.Natron -noblacklist ${HOME}/.cache/INRIA/Natron/ -noblacklist ${HOME}/.config/INRIA/ -noblacklist /opt/natron/ +noblacklist ${HOME}/.cache/INRIA/Natron +noblacklist ${HOME}/.config/INRIA +noblacklist /opt/natron include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile index f8afff551..86f96ba50 100644 --- a/etc/teamspeak3.profile +++ b/etc/teamspeak3.profile @@ -5,7 +5,6 @@ include /etc/firejail/teamspeak3.local # Persistent global definitions include /etc/firejail/globals.local -noblacklist ${DOWNLOADS} noblacklist ${HOME}/.ts3client include /etc/firejail/disable-common.inc @@ -33,7 +32,6 @@ seccomp shell none disable-mnt -private private-dev private-tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 75a079a2e..bf3a80139 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile 
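Review bot: `nogroups` is removed from mpd.profile without a note, and the "Harden 25 profiles" commit above shows how easily a sweep adds it back. A one-line reason prevents the round trip, e.g. `# no nogroups: mpd needs the audio group for /dev/snd` — assuming that is the reason, which the commit does not state. If it is, the comment can also point users on systems where they own /dev/snd directly to re-add `nogroups` in mpd.local.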
@@ -1,35 +1,6 @@ -# Firejail profile for tor-browser-en +# Firejail profile alias for torbrowser-launcher # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/tor-browser-en.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ${HOME}/.tor-browser-en - -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -whitelist ${HOME}/.tor-browser-en -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -novideo -protocol unix,inet,inet6 -seccomp -shell none - -disable-mnt -private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr -private-tmp - -noexec /tmp +# Redirect +include /etc/firejail/torbrowser-launcher.profile diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile index 763c2d051..3b6b65bec 100644 --- a/etc/torbrowser-launcher.profile +++ b/etc/torbrowser-launcher.profile @@ -5,17 +5,20 @@ include /etc/firejail/torbrowser-launcher.local # Persistent global definitions include /etc/firejail/globals.local - +noblacklist ~/.tor-browser-en noblacklist ~/.config/torbrowser -whitelist ~/.config/torbrowser noblacklist ~/.local/share/torbrowser -whitelist ~/.local/share/torbrowser include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +whitelist ~/.tor-browser-en +whitelist ~/.config/torbrowser +whitelist ~/.local/share/torbrowser +include /etc/firejail/whitelist-common.inc + caps.drop all netfilter nodvd 
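Review bot: The new `noblacklist ~/.tor-browser-en` and `whitelist ~/.tor-browser-en` lines in torbrowser-launcher.profile use `~` while the dooble hunk in this same commit converts `~` to `${HOME}`; keep one spelling, `${HOME}/.tor-browser-en`, across the profile. Since tor-browser-en is now redirected here, the standalone bundle also runs under this profile's `private-etc fonts` and `private-bin` list, which the old tor-browser-en profile never had — a comment such as `# also serves tor-browser-en via etc/tor-browser-en.profile` next to the whitelist would keep the shared lines from being trimmed later.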
@@ -29,7 +32,7 @@ seccomp shell none tracelog -private-bin torbrowser-launcher,python2.7,python,bash,dash,sh,grep,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf +private-bin bash,cp,dash,dirname,env,expr,file,getconf,gpg,grep,id,ln,mkdir,python,python2.7,readlink,rm,sed,sh,tail,test,tor-browser-en,torbrowser-launcher private-dev private-etc fonts private-tmp diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile index aca0d7144..1395b81c9 100644 --- a/etc/x-terminal-emulator.profile +++ b/etc/x-terminal-emulator.profile @@ -12,6 +12,7 @@ net none netfilter nogroups noroot +protocol unix seccomp private-dev diff --git a/etc/zart.profile b/etc/zart.profile index b5897f4a9..6e136d0c9 100644 --- a/etc/zart.profile +++ b/etc/zart.profile @@ -19,7 +19,6 @@ nogroups nonewprivs noroot notv -novideo protocol unix seccomp shell none -- cgit v1.2.3-54-g00ecf
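Review bot: The widened `private-bin` list now serves both launchers, but the old tor-browser-en profile ran without any `private-etc`, and after the redirect the bundle gets `private-etc fonts`, so /etc/resolv.conf, /etc/hosts and /etc/ssl are hidden from the bundled browser and its tor — whether any of them is needed is not shown here and should be tested before release. If something breaks, `private-etc fonts,resolv.conf,hosts,ssl` is the minimal widening. The `python`/`python2.7` entries belong only to torbrowser-launcher; noting which binaries serve which launcher would help the next trim.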