From 9c833ae929f64fa54c5d8aa49e4a784803b805c8 Mon Sep 17 00:00:00 2001
From: Chiraag Nataraj
Date: Sat, 16 Sep 2017 13:18:26 -0400
Subject: Add 31 profiles
---
 etc/tor.profile | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 etc/tor.profile
(limited to 'etc/tor.profile')
diff --git a/etc/tor.profile b/etc/tor.profile
new file mode 100644
index 000000000..2e2172cad
--- /dev/null
+++ b/etc/tor.profile
@@ -0,0 +1,38 @@
+# Firejail profile for tor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tor.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# How to use:
+# Create a script called anything (e.g. mytor)
+# with the following contents:
+# #!/bin/bash
+# TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
+# sudo -b daemon -f -d -- firejail --profile=/home//.config/firejail/tor.profile $TORCMD
+
+# You'll also likely want to disable the system service (if it exists)
+# Run mytor (or whatever you called the script above) whenever you want to start tor
+
+blacklist /boot
+blacklist /media
+blacklist /mnt
+blacklist /opt
+
+caps.keep setuid,setgid,net_bind_service,dac_read_search
+ipc-namespace
+no3d
+nogroups
+nonewprivs
+nosound
+seccomp
+shell none
+writable-var
+x11 none
+
+private
+private-bin tor,bash
+private-dev
+private-etc tor,passwd
+private-tmp
-- 
cgit v1.2.3-54-g00ecf
From 60606c2d041dc08b0af10baff1b18dbf507f8d81 Mon Sep 17 00:00:00 2001
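Review bot: The usage comment in the new file tells the user to start the sandbox as root with `--profile=/home//.config/firejail/tor.profile`, a profile that lives under an unprivileged home directory (the rendered path also has an empty component where a user name presumably stood). Because that `sudo` invocation runs firejail as root, anyone who can write that file decides how the root-started daemon is confined, including the `caps.keep setuid,setgid,net_bind_service,dac_read_search` line further down. The file appears to be installed system-wide as /etc/firejail/tor.profile (it already includes /etc/firejail/tor.local for local changes), so the example should point at the root-owned copy: `# sudo -b daemon -f -d -- firejail --profile=/etc/firejail/tor.profile $TORCMD`. Per-user tweaks then go into tor.local rather than into a writable copy under ~/.config.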
From: Tad Date: Sat, 16 Sep 2017 13:47:31 -0400 Subject: Fixup 36 profiles --- etc/Viber.profile | 20 +++++++------------- etc/amule.profile | 17 +++++++---------- etc/ardour4.profile | 33 ++------------------------------- etc/ardour5.profile | 25 +++++++++++-------------- etc/brackets.profile | 18 ++++++------------ etc/calligra.profile | 21 +++++---------------- etc/calligraauthor.profile | 2 +- etc/calligraconverter.profile | 2 +- etc/calligraflow.profile | 2 +- etc/calligraplan.profile | 2 +- etc/calligraplanwork.profile | 2 +- etc/calligrasheets.profile | 2 +- etc/calligrastage.profile | 2 +- etc/calligrawords.profile | 2 +- etc/cin.profile | 16 ++++++---------- etc/dooble-qt4.profile | 32 ++------------------------------ etc/dooble.profile | 16 +++++----------- etc/fetchmail.profile | 17 ++++------------- etc/freecad.profile | 18 +++++++----------- etc/freecadcmd.profile | 2 +- etc/google-earth.profile | 22 ++++++++++++---------- etc/imagej.profile | 19 ++++++------------- etc/karbon.profile | 20 ++++---------------- etc/kdenlive.profile | 19 +++++-------------- etc/krita.profile | 20 ++++---------------- etc/linphone.profile | 15 +++++++++------ etc/lmms.profile | 16 ++++++---------- etc/macrofusion.profile | 16 ++++++++-------- etc/mpd.profile | 19 +++++++------------ etc/natron.profile | 26 +++++++++----------------- etc/ricochet.profile | 14 ++++++++------ etc/shotcut.profile | 14 +++++++------- etc/tor-browser-en.profile | 28 +++++++--------------------- etc/tor.profile | 10 +++++----- etc/x-terminal-emulator.profile | 6 ------ etc/zart.profile | 10 ++++------ 36 files changed, 172 insertions(+), 353 deletions(-) (limited to 'etc/tor.profile') diff --git a/etc/Viber.profile b/etc/Viber.profile index 5de92f36f..ee1ab6219 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile 
@@ -6,21 +6,15 @@ include /etc/firejail/Viber.local include /etc/firejail/globals.local +noblacklist ${HOME}/.ViberPC + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + whitelist ${DOWNLOADS} whitelist ${HOME}/.ViberPC -whitelist /dev/dri -whitelist /dev/full -whitelist /dev/null -whitelist /dev/ptmx -whitelist /dev/pts -whitelist /dev/random -whitelist /dev/shm -whitelist /dev/snd -whitelist /dev/tty -whitelist /dev/urandom -whitelist /dev/video0 -whitelist /dev/zero -whitelist /opt/viber include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/amule.profile b/etc/amule.profile index 5cd6e613e..48aad759d 100644 --- a/etc/amule.profile +++ b/etc/amule.profile @@ -5,18 +5,16 @@ include /etc/firejail/amule.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin + +noblacklist ${HOME}/.aMule + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} whitelist ${HOME}/.aMule -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine -whitelist ${HOME}/.themes include /etc/firejail/whitelist-common.inc caps.drop all @@ -29,5 +27,4 @@ shell none private-bin amule private-dev -private-etc fonts,hosts private-tmp diff --git a/etc/ardour4.profile b/etc/ardour4.profile index 3a52edb66..095685364 100644 --- a/etc/ardour4.profile +++ b/etc/ardour4.profile 
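Review bot: `private-etc fonts,hosts` is deleted from amule.profile in the second amule hunk, so the sandbox now sees all of /etc instead of two entries; the same loosening recurs wherever `private-etc` is commented out (ardour5, calligra, cin, freecad, google-earth, kdenlive, macrofusion, natron, ricochet, shotcut) or deleted (tor-browser-en, zart), and ardour5, macrofusion and mpd comment out `private-bin` as well. If the lists were disabled because they were incomplete, narrowing them to a subset that is known to work keeps the restriction, whereas an empty /etc filter removes it entirely. At minimum each disabled line deserves a one-line reason, e.g. `# private-etc disabled: <reason> - re-enable once the needed entries are known`, so the next editor does not have to rediscover why it is off. In tor-browser-en the deletion also drops the FIXME pointing at the machine-id issue (#955 in the removed comment); if that workaround is no longer needed, say so where the line used to be.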
@@ -1,34 +1,5 @@ -# Firejail profile for ardour4 +# Firejail profile alias for ardour5 # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/ardour4.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ~/.config/ardour4 -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-passwdmgr.inc -include /etc/firejail/disable-programs.inc - -mkdir ~/.config/ardour4 -whitelist ~/.config/ardour4 -whitelist ~/Music -whitelist ~/Música -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nogroups -nonewprivs -noroot -protocol unix -seccomp -shell none -tracelog - -# private-bin ardour4 -private-dev -# private-etc ardour4 -private-tmp +include /etc/firejail/ardour5.profile diff --git a/etc/ardour5.profile b/etc/ardour5.profile index f17c74e2b..42744f4dd 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -5,19 +5,16 @@ include /etc/firejail/ardour5.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/ardour4 -whitelist ${HOME}/.config/ardour5 -whitelist ${HOME}/.lv2 -whitelist ${HOME}/.vst -whitelist ${HOME}/Documents -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/ardour4 +noblacklist ${HOME}/.config/ardour5 +noblacklist ${HOME}/.lv2 +noblacklist ${HOME}/.vst + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace 
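Review bot: The first ardour5 hunk removes every `whitelist` line and `include /etc/firejail/whitelist-common.inc` and replaces them with `noblacklist` lines plus the disable-*.inc includes, which takes the sandbox from seeing a few named directories to seeing all of $HOME minus the blacklisted entries, since `noblacklist` only exempts a path from the blacklists and does not confine anything by itself. Viber, amule, dooble, google-earth, linphone, ricochet and tor-browser-en keep their whitelists beside the new `noblacklist` lines, which looks like the intended combination; brackets, calligra, cin, fetchmail, freecad, imagej, karbon, kdenlive, krita, lmms, macrofusion, mpd (which also loses `read-only ${HOME}/Music/`), natron, shotcut and zart drop theirs the way ardour5 does. Unless the whitelists themselves were what broke these programs, keep the removed block from `whitelist ${DOWNLOADS}` through `include /etc/firejail/whitelist-common.inc` below the new noblacklist lines. Where a whitelist really had to go, a short comment saying which path broke the program would make the relaxation reviewable later.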
@@ -27,9 +24,9 @@ noroot seccomp shell none -private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm +#private-bin sh,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-dev -private-etc pulse,X11,alternatives,ardour4,ardour5,fonts +#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts private-tmp noexec /home diff --git a/etc/brackets.profile b/etc/brackets.profile index 3c7622435..151d88bdd 100644 --- a/etc/brackets.profile +++ b/etc/brackets.profile @@ -5,19 +5,13 @@ include /etc/firejail/brackets.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt +noblacklist ${HOME}/.config/Brackets +noblacklist /opt/brackets/ +noblacklist /opt/google/ -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Brackets -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.themes -whitelist ${HOME}/Documents -whitelist /opt/brackets/ -whitelist /opt/google/ -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all # Comment out or use --ignore=net if you want to install extensions or themes diff --git a/etc/calligra.profile b/etc/calligra.profile index 260097560..58006f203 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile 
@@ -5,21 +5,10 @@ include /etc/firejail/calligra.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt - -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde -whitelist ${HOME}/.themes -whitelist ${HOME}/Documents -whitelist /tmp/.X11-unix -# DBus is forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -31,7 +20,7 @@ shell none private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch private-dev -private-etc fonts,passwd,alternatives,X11 +#private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/calligraauthor.profile b/etc/calligraauthor.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraauthor.profile +++ b/etc/calligraauthor.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraconverter.profile b/etc/calligraconverter.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraconverter.profile +++ b/etc/calligraconverter.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraflow.profile b/etc/calligraflow.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraflow.profile +++ b/etc/calligraflow.profile 
@@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraplan.profile b/etc/calligraplan.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplan.profile +++ b/etc/calligraplan.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligraplanwork.profile b/etc/calligraplanwork.profile index 2b005c5c9..162823019 100644 --- a/etc/calligraplanwork.profile +++ b/etc/calligraplanwork.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrasheets.profile b/etc/calligrasheets.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrasheets.profile +++ b/etc/calligrasheets.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrastage.profile b/etc/calligrastage.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrastage.profile +++ b/etc/calligrastage.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/calligrawords.profile b/etc/calligrawords.profile index 2b005c5c9..162823019 100644 --- a/etc/calligrawords.profile +++ b/etc/calligrawords.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/calligra.profile +include /etc/firejail/calligra.profile diff --git a/etc/cin.profile b/etc/cin.profile index 3a8a4d8de..e895805eb 100644 --- a/etc/cin.profile +++ b/etc/cin.profile 
@@ -5,16 +5,12 @@ include /etc/firejail/cin.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +noblacklist ${HOME}/.bcast5 -whitelist ${DOWNLOADS} -whitelist ${HOME}/.bcast5 -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -26,7 +22,7 @@ shell none private-bin cin private-dev -private-etc fonts,pulse +#private-etc fonts,pulse noexec /home noexec /tmp diff --git a/etc/dooble-qt4.profile b/etc/dooble-qt4.profile index ec85c7b58..67df7ce36 100644 --- a/etc/dooble-qt4.profile +++ b/etc/dooble-qt4.profile @@ -1,33 +1,5 @@ -# Firejail profile for dooble-qt4 +# Firejail profile alias for dooble # This file is overwritten after every install/update -# Persistent local customizations -include /etc/firejail/dooble-qt4.local -# Persistent global definitions -include /etc/firejail/globals.local -noblacklist ~/.dooble -include /etc/firejail/disable-common.inc -include /etc/firejail/disable-devel.inc -include /etc/firejail/disable-programs.inc - -mkdir ~/.dooble -mkdir ~/usr/lib/dooble-qt4 -whitelist ${DOWNLOADS} -whitelist ~/.config/keepassx -whitelist ~/.config/lastpass -whitelist ~/.dooble -whitelist ~/.keepassx -whitelist ~/.lastpass -whitelist ~/keepassx.kdbx -whitelist ~/usr/lib/dooble -whitelist ~/usr/lib/dooble-qt4 -include /etc/firejail/whitelist-common.inc - -caps.drop all -netfilter -nonewprivs -noroot -protocol unix,inet,inet6,netlink -seccomp -tracelog +include /etc/firejail/dooble.profile diff --git a/etc/dooble.profile b/etc/dooble.profile index 13e4ead96..cbb0f96b8 100644 --- a/etc/dooble.profile +++ b/etc/dooble.profile 
@@ -1,27 +1,21 @@ -# Firejail profile for dooble +# Firejail profile for dooble-qt4 # This file is overwritten after every install/update # Persistent local customizations -include /etc/firejail/dooble.local +include /etc/firejail/dooble-qt4.local # Persistent global definitions include /etc/firejail/globals.local + noblacklist ~/.dooble include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc -mkdir ~/.dooble -mkdir ~/usr/lib/dooble-qt4 +mkdir ${HOME}/.dooble whitelist ${DOWNLOADS} -whitelist ~/.config/keepassx -whitelist ~/.config/lastpass whitelist ~/.dooble -whitelist ~/.keepassx -whitelist ~/.lastpass -whitelist ~/keepassx.kdbx -whitelist ~/usr/lib/dooble -whitelist ~/usr/lib/dooble-qt4 include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile index dc7f4abc3..2b2be4c16 100644 --- a/etc/fetchmail.profile +++ b/etc/fetchmail.profile @@ -5,26 +5,17 @@ include /etc/firejail/fetchmail.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -# Location of your fetchmailrc - I decrypt it into /tmp/fetchmailrc -# whitelist ${HOME}/.fetchmailrc.gpg -whitelist ${HOME}/.procmailrc.brown -whitelist ${HOME}/.procmailrc.gmail -whitelist ${HOME}/Mail -whitelist ${HOME}/scripts/fetchmail-real.sh -whitelist /tmp/fetchmailrc -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all nogroups noroot nosound seccomp -x11 none # private-bin fetchmail,procmail,bash,chmod private-dev diff --git a/etc/freecad.profile b/etc/freecad.profile index 0467edb6d..c2d4661e8 100644 --- a/etc/freecad.profile +++ b/etc/freecad.profile 
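Review bot: dooble.profile now contains `include /etc/firejail/dooble-qt4.local` under the "Persistent local customizations" comment and is headed as the profile for dooble-qt4, while dooble-qt4.profile has become a one-line alias that includes dooble.profile; the result is that a user's dooble.local is consulted by neither name, contrary to what the comment promises. Keep the include matching the file it sits in, `include /etc/firejail/dooble.local`, and restore the header line `# Firejail profile for dooble`. The ardour4 alias has the same shape for ardour4.local, but there the non-alias file still includes its own ardour5.local, which is the usual alias behaviour and does not need changing.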
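Review bot: The fetchmail hunk removes `x11 none` together with the user-specific whitelists, yet nothing in it suggests fetchmail needs a display (the surviving `# private-bin fetchmail,procmail,bash,chmod` line names only command-line tools), so the profile gives up X11 isolation for no visible reason. The last tor.profile hunk in this commit drops its `x11 none` the same way for a daemon run with `shell none`. Keep the line in both profiles: `x11 none`. If it was removed because it broke something, a one-line comment stating what would be better than silently opening X11 to a non-graphical program.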
@@ -5,17 +5,13 @@ include /etc/firejail/freecad.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/FreeCAD -whitelist ${HOME}/Documents -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/FreeCAD + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,7 +25,7 @@ shell none private-bin freecad,freecadcmd private-dev -private-etc fonts,passwd,alternatives,X11 +#private-etc fonts,passwd,alternatives,X11 private-tmp noexec ${HOME} diff --git a/etc/freecadcmd.profile b/etc/freecadcmd.profile index 41cfd3fab..82ce8fcaa 100644 --- a/etc/freecadcmd.profile +++ b/etc/freecadcmd.profile @@ -2,4 +2,4 @@ # This file is overwritten after every install/update -include ${HOME}/.config/firejail/freecad.profile +include /etc/firejail/freecad.profile diff --git a/etc/google-earth.profile b/etc/google-earth.profile index a339402e2..11d55281a 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile 
@@ -5,16 +5,18 @@ include /etc/firejail/google-earth.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt +noblacklist ${HOME}/.config/Google +noblacklist ${HOME}/.googleearth +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkdir ${HOME}/.config/Google +mkdir ${HOME}/.googleearth whitelist ${HOME}/.config/Google -whitelist ${HOME}/.googleearth/Cache/ -whitelist ${HOME}/.googleearth/Temp/ -whitelist ${HOME}/.googleearth/myplaces.backup.kml -whitelist ${HOME}/.googleearth/myplaces.kml -whitelist /tmp/.X11-unix +whitelist ${HOME}/.googleearth include /etc/firejail/whitelist-common.inc caps.drop all @@ -26,7 +28,7 @@ shell none private-bin google-earth,sh,grep,sed,ls,dirname private-dev -private-etc fonts,resolv.conf,X11,alternatives,pulse +#private-etc fonts,resolv.conf,X11,alternatives,pulse -noexec /home +noexec ${HOME} noexec /tmp diff --git a/etc/imagej.profile b/etc/imagej.profile index 4404cc9a2..4613e378f 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -5,20 +5,13 @@ include /etc/firejail/imagej.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /usr/local/sbin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine -whitelist ${HOME}/.imagej -whitelist ${HOME}/.themes -whitelist ${HOME}/Pictures -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.imagej + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace diff --git a/etc/karbon.profile b/etc/karbon.profile index da72432f7..7d7f25ad0 100644 --- a/etc/karbon.profile +++ b/etc/karbon.profile 
@@ -5,21 +5,11 @@ include /etc/firejail/karbon.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde4 -whitelist ${HOME}/.themes -whitelist ${HOME}/Images -whitelist /tmp/.X11-unix -# DBus has been forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,9 +19,7 @@ noroot seccomp shell none -# private-bin krita,dbus-launch private-dev -# private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index b982bd045..b91bd9c41 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -5,20 +5,11 @@ include /etc/firejail/kdenlive.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -# Apparently these break kdenlive for some people - they work for me though? -# whitelist ${DOWNLOADS} -# whitelist ${HOME}/.config/ -# whitelist ${HOME}/Videos -# whitelist ${HOME}/kdenlive -whitelist /tmp/.X11-unix -# DBus is forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none 
@@ -29,4 +20,4 @@ shell none private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper private-dev -private-etc fonts,alternatives,X11,pulse,passwd +#private-etc fonts,alternatives,X11,pulse,passwd diff --git a/etc/krita.profile b/etc/krita.profile index f6e62e387..d60ef2fa7 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -5,21 +5,11 @@ include /etc/firejail/krita.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Trolltech.conf -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.kde4 -whitelist ${HOME}/.themes -whitelist ${HOME}/Images -whitelist /tmp/.X11-unix -# DBus has been forced to use an ordinary unix socket -whitelist /tmp/dbus_session_socket -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -29,9 +19,7 @@ noroot seccomp shell none -# private-bin krita,dbus-launch private-dev -# private-etc fonts,passwd,alternatives,X11 noexec /home noexec /tmp diff --git a/etc/linphone.profile b/etc/linphone.profile index 850fcb320..8763b348a 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile 
@@ -5,13 +5,16 @@ include /etc/firejail/linphone.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt +noblacklist ${HOME}/.linphone-history.db +noblacklist ${HOME}/.linphonerc -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.gtkrc.mine +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +mkfile ${HOME}/.linphone-history.db +mkfile ${HOME}/.linphonerc whitelist ${HOME}/.linphone-history.db whitelist ${HOME}/.linphonerc whitelist ${HOME}/Downloads diff --git a/etc/lmms.profile b/etc/lmms.profile index 8ac039cc0..14a7209a9 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile @@ -5,17 +5,13 @@ include /etc/firejail/lmms.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${DOWNLOADS} -whitelist ${HOME}/.lmmsrc.xml -whitelist ${HOME}/Music -whitelist ${HOME}/lmms -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.lmmsrc.xml + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 287a5ea85..e53f175f8 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile 
@@ -6,12 +6,12 @@ include /etc/firejail/macrofusion.local include /etc/firejail/globals.local -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/gtk-3.0 -whitelist ${HOME}/.config/mfusion -whitelist ${HOME}/.themes -whitelist ${HOME}/Pictures -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/mfusion + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all ipc-namespace @@ -22,7 +22,7 @@ noroot seccomp shell none -private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack +#private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack private-dev -private-etc fonts +#private-etc fonts private-tmp diff --git a/etc/mpd.profile b/etc/mpd.profile index 44baab7e9..ebcdca443 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -5,22 +5,17 @@ include /etc/firejail/mpd.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -whitelist ${HOME}/.config/pulse/ -whitelist ${HOME}/.mpdconf -whitelist ${HOME}/.pulse/ -whitelist ${HOME}/Music -whitelist ${HOME}/mpd -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.mpdconf + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all noroot seccomp -private-bin mpd,bash +#private-bin mpd,bash private-dev -read-only ${HOME}/Music/ diff --git a/etc/natron.profile b/etc/natron.profile index 6101d1331..8f266f56c 100644 --- a/etc/natron.profile +++ b/etc/natron.profile 
@@ -5,30 +5,22 @@ include /etc/firejail/natron.local # Persistent global definitions include /etc/firejail/globals.local -# Contributed by triceratops1 (https://github.com/triceratops1) -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /usr/local/bin -blacklist /usr/local/sbin +noblacklist ${HOME}/.Natron +noblacklist ${HOME}/.cache/INRIA/Natron/ +noblacklist ${HOME}/.config/INRIA/ +noblacklist /opt/natron/ -whitelist ${DOWNLOADS} -whitelist ${HOME}/.Natron -whitelist ${HOME}/.cache/INRIA/Natron/ -whitelist ${HOME}/.config/INRIA/ -whitelist ${HOME}/.gtkrc-2.0 -whitelist ${HOME}/.themes -whitelist ${HOME}/Videos -whitelist /opt/natron/ -whitelist /tmp/.X11-unix/ -include /etc/firejail/whitelist-common.inc +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc ipc-namespace shell none private-bin natron -private-etc fonts,X11,pulse +#private-etc fonts,X11,pulse noexec ${HOME} noexec /tmp diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 47b16b30e..423dfb887 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile @@ -5,14 +5,16 @@ include /etc/firejail/ricochet.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt + +noblacklist ${HOME}/.local/share/Ricochet + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${DOWNLOADS} whitelist ${HOME}/.local/share/Ricochet -whitelist /tmp/.X11-unix include /etc/firejail/whitelist-common.inc caps.drop all @@ -24,7 +26,7 @@ shell none private-bin ricochet,tor private-dev -private-etc fonts,tor,X11,alternatives +#private-etc fonts,tor,X11,alternatives noexec /home noexec /tmp diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 2bf3cc2e0..1a7ce6bce 100644 
--- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -5,13 +5,13 @@ include /etc/firejail/shotcut.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /usr/local/bin -whitelist ${DOWNLOADS} -whitelist ${HOME}/.config/Meltytech -whitelist ${HOME}/Videos -whitelist /tmp/.X11-unix -include /etc/firejail/whitelist-common.inc +noblacklist ${HOME}/.config/Meltytech + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc caps.drop all net none @@ -22,7 +22,7 @@ shell none private-bin shotcut,melt,qmelt,nice private-dev -private-etc X11,alternatives,pulse,fonts +#private-etc X11,alternatives,pulse,fonts noexec ${HOME} noexec /tmp diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile index 1f0b61c75..65ea41e18 100644 --- a/etc/tor-browser-en.profile +++ b/etc/tor-browser-en.profile @@ -5,26 +5,15 @@ include /etc/firejail/tor-browser-en.local # Persistent global definitions include /etc/firejail/globals.local -blacklist /boot -blacklist /media -blacklist /mnt -blacklist /opt -blacklist /usr/local/bin -blacklist /var + +noblacklist ${HOME}/.tor-browser-en + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc whitelist ${HOME}/.tor-browser-en -whitelist /dev/dri -whitelist /dev/full -whitelist /dev/null -whitelist /dev/ptmx -whitelist /dev/pts -whitelist /dev/random -whitelist /dev/shm -whitelist /dev/snd -whitelist /dev/tty -whitelist /dev/urandom -whitelist /dev/video0 -whitelist /dev/zero include /etc/firejail/whitelist-common.inc caps.drop all 
@@ -33,9 +22,6 @@ seccomp
 shell none
 private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
-# FIXME: Spoof D-Bus machine id (tor-browser segfaults when it is missing!)
-# https://github.com/netblue30/firejail/issues/955
-private-etc X11,pulse,machine-id
 private-tmp
 noexec /tmp
diff --git a/etc/tor.profile b/etc/tor.profile
index 2e2172cad..73577825a 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 # How to use:
 # Create a script called anything (e.g. mytor)
 # with the following contents:
+
 # #!/bin/bash
 # TORCMD="tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 1"
 # sudo -b daemon -f -d -- firejail --profile=/home//.config/firejail/tor.profile $TORCMD
@@ -15,10 +16,10 @@ include /etc/firejail/globals.local
 # You'll also likely want to disable the system service (if it exists)
 # Run mytor (or whatever you called the script above) whenever you want to start tor
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
@@ -29,7 +30,6 @@ nosound
 seccomp
 shell none
 writable-var
-x11 none
 private
 private-bin tor,bash
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index eb4c58480..aca0d7144 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -6,13 +6,7 @@ include /etc/firejail/x-terminal-emulator.local
 include /etc/firejail/globals.local
-whitelist /tmp/.X11-unix/X470
-whitelist /tmp/fcitx-socket-:0
-whitelist /tmp/user/1000/
-include /etc/firejail/whitelist-common.inc
-
 caps.drop all
-env DISPLAY=:470
 ipc-namespace
 net none
 netfilter
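Review bot: Dropping `private-etc X11,pulse,machine-id` in this tor-browser-en hunk also deletes the FIXME that recorded why `machine-id` had to be in the list (tor-browser segfaults without a D-Bus machine id, netblue30/firejail issue 955). The behavioural change may well be intended, but the rationale leaves with it, so the next person to tighten this profile with `private-etc` will rediscover the crash. Keep the two comment lines, rephrased for the new state, e.g. `# private-etc needs machine-id: tor-browser segfaults without a D-Bus machine id (see issue 955)`.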
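Review bot: Removing `x11 none` from tor.profile re-exposes the X11 sockets to a daemon that never needs a display, so the third tor hunk widens the sandbox rather than fixing anything visible here, and the later hardening hunk for this file on this page adds `netfilter`, `protocol` and `noexec` but does not restore it. Unless tor is known to fail with it, keep `x11 none`, or add a comment stating why it was dropped. Separately, the `# How to use` example in the first tor hunk still reads `--profile=/home//.config/firejail/tor.profile` with nothing between the slashes; `/home/<user>/.config/firejail/tor.profile` would read as intended.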
diff --git a/etc/zart.profile b/etc/zart.profile
index 654679174..6022e8260 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,12 +5,11 @@ include /etc/firejail/zart.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# Contributed by triceratops1 (https://github.com/triceratops1)
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/Videos
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
@@ -21,7 +20,6 @@ shell none
 private-bin zart,ffmpeg,melt,ffprobe,ffplay
 private-dev
-private-etc fonts,X11
 noexec ${HOME}
 noexec /tmp
-- cgit v1.2.3-54-g00ecf
From 3c3602fe4e747f3489c917f4de991c9043df9751 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 16 Sep 2017 14:11:43 -0400
Subject: Harden 25 profiles
---
 etc/Viber.profile | 5 +++++
 etc/amule.profile | 9 +++++++++
 etc/ardour5.profile | 5 ++++-
 etc/brackets.profile | 14 +++++++++-----
 etc/calligra.profile | 9 ++++++---
 etc/cin.profile | 7 +++++--
 etc/dooble.profile | 12 ++++++++++++
 etc/fetchmail.profile | 9 ++++++++-
 etc/freecad.profile | 5 ++++-
 etc/google-earth.profile | 7 ++++++-
 etc/imagej.profile | 10 +++++++++-
 etc/karbon.profile | 24 ++----------------------
 etc/kdenlive.profile | 4 ++++
 etc/krita.profile | 7 +++++++
 etc/linphone.profile | 16 ++++++++++++++++
 etc/lmms.profile | 10 ++++++++--
 etc/macrofusion.profile | 9 ++++++++-
 etc/mpd.profile | 13 +++++++++++++
 etc/natron.profile | 11 +++++++++--
 etc/ricochet.profile | 10 +++++++++-
 etc/shotcut.profile | 7 +++++--
 etc/teamspeak3.profile | 16 ++++++++++++++++
 etc/tor-browser-en.profile | 8 ++++++++
 etc/tor.profile | 9 +++++++++
 etc/zart.profile | 6 ++++++
 25 files changed, 197 insertions(+), 45 deletions(-)
(limited to 'etc/tor.profile')
diff --git a/etc/Viber.profile b/etc/Viber.profile
index ee1ab6219..468199dd8 100644
--- a/etc/Viber.profile
+++ b/etc/Viber.profile
@@ -19,11 +19,16 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
+disable-mnt
 private-bin sh,dig,awk
 private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
 private-tmp
diff --git a/etc/amule.profile b/etc/amule.profile
index 48aad759d..c59377850 100644
--- a/etc/amule.profile
+++ b/etc/amule.profile
@@ -19,12 +19,21 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
 seccomp
 shell none
 private-bin amule
 private-dev
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 42744f4dd..738b5990a 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -19,8 +19,11 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
 seccomp
 shell none
@@ -29,5 +32,5 @@ private-dev
 #private-etc pulse,X11,alternatives,ardour4,ardour5,fonts
 private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/brackets.profile b/etc/brackets.profile
index 151d88bdd..0a8c592a7 100644
--- a/etc/brackets.profile
+++ b/etc/brackets.profile
@@ -14,12 +14,16 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
-# Comment out or use --ignore=net if you want to install extensions or themes
-net none
-# Disable these if you use live preview (until I figure out a workaround)
-# Doing so should be relatively safe since there is no network access
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
-private-bin bash,brackets,readlink,dirname,google-chrome,cat
 private-dev
diff --git a/etc/calligra.profile b/etc/calligra.profile
index 58006f203..e90c8efe8 100644
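Review bot: In the brackets hunk `net none` becomes `netfilter` plus `protocol unix,inet,inet6` and `private-bin bash,brackets,readlink,dirname,google-chrome,cat` is removed, so the sandbox gains network access and the host's full binary set in a commit that is otherwise tightening; that deserves a stated reason. The deleted comments explained the old state (network off unless installing extensions or themes, live preview needing a workaround), and with them gone the profile no longer says why the network is on. A short comment in their place, e.g. `# network enabled and private-bin removed: <reason — fill in>` (placeholder wording, to be completed by the author), would keep the trade-off visible to the next maintainer.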
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -12,15 +12,18 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
-net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-bin calligra,calligraauthor,calligraconverter,calligraflow,calligraplan,calligraplanwork,calligrasheets,calligrastage,calligrawords,dbus-launch
 private-dev
-#private-etc fonts,passwd,alternatives,X11
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/cin.profile b/etc/cin.profile
index e895805eb..93a94c910 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
+notv
 noroot
+protocol unix
 seccomp
 shell none
 private-bin cin
 private-dev
-#private-etc fonts,pulse
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/dooble.profile b/etc/dooble.profile
index cbb0f96b8..aabfcd8bb 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -20,8 +20,20 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 netfilter
+nodvd
+nogroups
 nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6,netlink
 seccomp
+shell none
 tracelog
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 2b2be4c16..9ee59f453 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -12,11 +12,18 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 # private-bin fetchmail,procmail,bash,chmod
 private-dev
-# private-etc passwd,hosts,resolv.conf
diff --git a/etc/freecad.profile b/etc/freecad.profile
index c2d4661e8..4fde66839 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
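Review bot: In the calligra hunk `net none` is replaced by `protocol unix`, which is not equivalent: `protocol unix` only rejects non-AF_UNIX socket families, whereas `net none` also gave the sandbox its own network namespace, and that namespace is what isolates abstract-namespace unix sockets (the session D-Bus socket and the X server's abstract socket typically live there). With the namespace shared again the program can reach every abstract socket on the host. The `dbus-launch` entry in `private-bin` suggests the session bus is the reason; if so, record it, e.g. `# net none removed: calligra needs the session bus (abstract unix socket)`, so the weaker setting reads as deliberate. The cin hunk on this line keeps `net none` together with `protocol unix`, which is the tighter combination.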
@@ -16,16 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
 nosound
+notv
+novideo
 protocol unix
 seccomp
 shell none
 private-bin freecad,freecadcmd
 private-dev
-#private-etc fonts,passwd,alternatives,X11
 private-tmp
 noexec ${HOME}
diff --git a/etc/google-earth.profile b/etc/google-earth.profile
index 11d55281a..32da9a5a8 100644
--- a/etc/google-earth.profile
+++ b/etc/google-earth.profile
@@ -21,14 +21,19 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 private-bin google-earth,sh,grep,sed,ls,dirname
 private-dev
-#private-etc fonts,resolv.conf,X11,alternatives,pulse
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 4613e378f..88a56c706 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -16,12 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
+shell none
 private-bin imagej,bash,grep,sort,tail,tr,cut,whoami,hostname,uname,mkdir,ls,touch,free,awk,update-java-alternatives,basename,xprop,rm,ln
 private-dev
-# private-etc passwd,alternatives,hosts,fonts,X11
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/karbon.profile b/etc/karbon.profile
index 7d7f25ad0..d94f20012 100644
--- a/etc/karbon.profile
+++ b/etc/karbon.profile
@@ -1,25 +1,5 @@
-# Firejail profile for karbon
+# Firejail profile alias for krita
 # This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/karbon.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
-
-private-dev
-
-noexec /home
-noexec /tmp
+include /etc/firejail/krita.profile
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index b91bd9c41..56bb729e1 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -13,8 +13,12 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix,inet,inet6
 seccomp
 shell none
diff --git a/etc/krita.profile b/etc/krita.profile
index d60ef2fa7..2dfd084ef 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -14,12 +14,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-dev
+private-tmp
 noexec /home
 noexec /tmp
diff --git a/etc/linphone.profile b/etc/linphone.profile
index 8763b348a..41f9245a2 100644
--- a/etc/linphone.profile
+++ b/etc/linphone.profile
@@ -21,5 +21,21 @@ whitelist ${HOME}/Downloads
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/lmms.profile b/etc/lmms.profile
index 14a7209a9..29ed235c6 100644
--- a/etc/lmms.profile
+++ b/etc/lmms.profile
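Review bot: Reducing karbon.profile to `include /etc/firejail/krita.profile` also removes `include /etc/firejail/karbon.local`, so any persistent local customisation a user keeps in karbon.local is silently ignored from this version on (only krita.local, presumably included by krita.profile, is still read). That deserves a line in the file, e.g. `# Local customisations belong in krita.local; karbon.local is no longer read`, or keep `include /etc/firejail/karbon.local` above the krita include so existing overrides survive the change.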
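Review bot: The krita hunk keeps `noexec /home` as context while the same commit rewrites that line to `noexec ${HOME}` in ardour5, calligra, cin, lmms and ricochet; krita (and karbon, which now aliases it) should be normalised the same way, `noexec ${HOME}`. The two forms are not identical in effect — `/home` covers every user's home directory while `${HOME}` covers only the sandboxed user's — so whichever is intended should be applied consistently across the set rather than left mixed.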
@@ -16,13 +16,19 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
 private-dev
-private-etc fonts,pulse
+private-tmp
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index e53f175f8..be66cf6ee 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -16,13 +16,20 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
 nogroups
 nonewprivs
 noroot
+nosound
+notv
+novideo
+protocol unix
 seccomp
 shell none
 #private-bin python3,macrofusion,env,enfuse,exiftool,align_image_stack
 private-dev
-#private-etc fonts
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/mpd.profile b/etc/mpd.profile
index ebcdca443..601861083 100644
--- a/etc/mpd.profile
+++ b/etc/mpd.profile
@@ -14,8 +14,21 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
+shell none
 #private-bin mpd,bash
 private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/natron.profile b/etc/natron.profile
index 8f266f56c..ac89409f1 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -16,11 +16,18 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
-ipc-namespace
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
 shell none
 private-bin natron
-#private-etc fonts,X11,pulse
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/ricochet.profile b/etc/ricochet.profile
index 423dfb887..6da0e21d5 100644
--- a/etc/ricochet.profile
+++ b/etc/ricochet.profile
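Review bot: The natron hunk removes `ipc-namespace` (`-ipc-namespace`) while adding `caps.drop all`, `seccomp`, `noroot` and the rest; nothing visible explains why the IPC namespace had to go, and without it the sandbox again shares SysV IPC objects and POSIX message queues with the host. If natron is known to break under it, a comment such as `# ipc-namespace disabled: <reason — fill in>` should accompany the removal; otherwise it reads as an accidental deletion inside a hardening change. `private-dev` and `private-tmp`, which most sibling profiles on this page carry, are also still absent here.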
@@ -19,14 +19,22 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 ipc-namespace
+netfilter
+no3d
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin ricochet,tor
 private-dev
 #private-etc fonts,tor,X11,alternatives
-noexec /home
+noexec ${HOME}
 noexec /tmp
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 1a7ce6bce..e30bc1f46 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -15,14 +15,17 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodvd
 nogroups
+nonewprivs
 noroot
+notv
+protocol unix
 seccomp
 shell none
-private-bin shotcut,melt,qmelt,nice
+#private-bin shotcut,melt,qmelt,nice
 private-dev
-#private-etc X11,alternatives,pulse,fonts
 noexec ${HOME}
 noexec /tmp
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 7ca5ae666..f8afff551 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -19,7 +19,23 @@ whitelist ${HOME}/.ts3client
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+ipc-namespace
 netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
 protocol unix,inet,inet6
 seccomp
+shell none
+
+disable-mnt
+private
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/tor-browser-en.profile b/etc/tor-browser-en.profile
index 65ea41e18..75a079a2e 100644
--- a/etc/tor-browser-en.profile
+++ b/etc/tor-browser-en.profile
@@ -17,10 +17,18 @@ whitelist ${HOME}/.tor-browser-en
 include /etc/firejail/whitelist-common.inc
 caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
+disable-mnt
 private-bin bash,grep,sed,tail,tor-browser-en,env,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf,file,expr
 private-tmp
diff --git a/etc/tor.profile b/etc/tor.profile
index 73577825a..fcb123eef 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
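Review bot: In the shotcut hunk `private-bin shotcut,melt,qmelt,nice` is commented out with no reason recorded, so a hardening commit leaves shotcut with the host's full binary set again. If a required helper was missing from the list, adding it is the fix rather than disabling the restriction; if the restriction genuinely has to stay off, say why on a comment line above it, e.g. `# private-bin disabled: <missing binary or breakage — fill in>`, so it is not re-enabled blind or left off indefinitely.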
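Review bot: The teamspeak3 hunk adds `private` below the existing `whitelist ${HOME}/.ts3client` context at the top of the hunk; `private` replaces the home directory with an empty temporary filesystem that is discarded on exit, so the whitelisted client directory is presumably no longer carried into the sandbox and any settings written there are lost — confirm against the firejail behaviour in use. One of the two should go: keep the whitelist if client configuration is meant to persist, or drop the whitelist lines if a throwaway home is intended, and leave a one-line comment stating which was chosen.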
@@ -23,16 +23,25 @@ include /etc/firejail/disable-programs.inc
 caps.keep setuid,setgid,net_bind_service,dac_read_search
 ipc-namespace
+netfilter
 no3d
+nodvd
 nogroups
 nonewprivs
 nosound
+notv
+novideo
+protocol unix,inet,inet6
 seccomp
 shell none
 writable-var
+disable-mnt
 private
 private-bin tor,bash
 private-dev
 private-etc tor,passwd
 private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/zart.profile b/etc/zart.profile
index 6022e8260..b5897f4a9 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -14,7 +14,13 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodvd
+nogroups
+nonewprivs
 noroot
+notv
+novideo
+protocol unix
 seccomp
 shell none
-- cgit v1.2.3-54-g00ecf