From 2d8ff695ad5f240f99f1b789fb8994350e6eedf6 Mon Sep 17 00:00:00 2001 
From: Fred Barclay Date: Mon, 2 Apr 2018 10:56:55 -0500 Subject: WIP: Blacklist common programming interpreters. (#1837) * Use path variable instead of full path when blacklisting devel tools. * Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc * Part 2: allow access to java as needed * Typo: missing blacklist * Part 3: allow perl access as needed * typo * Add xreader thumbnailer and previewer profiles * Add xplayer audio-preview and thumbnailer profiles * Add atril thumbnailer and previewer profiles * More fixups after adding disable-interpreters.inc * Blacklist javac * More javac noblacklisting * Remove javac from dex2jar, libreoffice, multimc5, and pdfsam profiles * --nodbus, first draft for #1825 * dbus.c * rework akonadi integration the usr.sbin.mysqld-akonadi apparmor profile, enforced by default in ubuntu and debian testing (and probably opensuse), doesn't play well with a number of firejail options. the reason for this is that once the no_new_privs bit is set, apparmor profile transitions are forbidden. enforcing our own apparmor policy instead is also no solution, because these programs don't even start without d-bus. relaxing the kmail profile was necessary so that kmail can fire up akonadi itself, just in case akonadi has not been started earlier already by another program. this is always an issue when kmail is the only installed akonadi client, but there may be more circumstances. for reasons outlined above this doesn't help debian and ubuntu (opensuse?) users though :-/ a brief summary of the seccomp exceptions: chroot is needed for qt webengine, io_prioset for the akonadi indexing agent, io_getevents, io_submit, io_setup are needed for mysqld. when akonadi has an sqlite3 backend, less exceptions to the seccomp filter are necessary, but mysqld is the default. 
in the future all kontact suite profiles (itm only kmail, knotes) should probably be redirections to akonadi_control, but the issues with apparmor make this somewhat impractical for now (options like 'protocol' couldn't go to akonadi_control.local any more, if current kmail redirected to there). * Add nodbus to some profiles - part 1 * Spotify works with nodbus on Arch * Enable nodbus for keepassx and keepassxc profiles. I've tested on keepassxc but should work for keepassx as well. Settings are not immutable. * recalibrate dbus access, deploy nodbus option see #1822 and #1825. also systematically replaces 'blacklist /run/user/*/bus' with 'nodbus'. with contributions from @Fred-Barclay * various blacklist additions * Add a profile for ncdu, enable private-etc in Steam again, and fixup gnome-recipes * comment nodbus where it interferes with dconf pending further discussion * Add a disabled and extensive private-bin for Steam * Further improve private-bin in steam * comment apparmor, net where they interfere with dconf - #1843 * gnome-calculator fixup * spectre support for clang compiler * spectre clang support * enable/disable dbus handling in /etc/firejail/firejail.config * nodbus man pages, etc. * redirect knotes to kmail, some tweaks * testing * gimp fixup * Even more fixups after adding disable-interpreters.inc * AWS and GCP store credentials in local directories as part of project setup. Configuration for cloud providers is sensitive information; it should be in the default block list. I didn't see profiles for gcloud or awscli, so haven't added any exclusions. boto and kubectl are not provider-specific, but also store credentials for whichever platforms they happen to be being used with. * testing * consolidate makefiles * gitignore * Use path variable instead of full path when blacklisting devel tools. 
* Part 1: blacklist python, perl, ruby, etc in disable-interpreters.inc * Part 2: allow access to java as needed * Typo: missing blacklist * Part 3: allow perl access as needed * typo * More fixups after adding disable-interpreters.inc * Blacklist javac * More javac noblacklisting * Remove javac from dex2jar, libreoffice, multimc5, and pdfsam profiles * Cleanup rebase leftovers * imagej doesn't need javac access * Add cc to blacklisted compilers * Use wildcards when blacklisting some gcc paths * Blacklist lua in disable-interpreters * Correct blacklist for node.js * Fred Barclay note: some of these commits (all of the ones that don't affect files inside etc/) aren't mine but were added during a rebase + squash --- etc/0ad.profile | 1 + etc/2048-qt.profile | 1 + etc/Cryptocat.profile | 1 + etc/Fritzing.profile | 1 + etc/Mathematica.profile | 1 + etc/Thunar.profile | 1 + etc/Viber.profile | 1 + etc/akonadi_control.profile | 1 + etc/akregator.profile | 1 + etc/amarok.profile | 1 + etc/amule.profile | 1 + etc/arch-audit.profile | 1 + etc/archaudit-report.profile | 2 + etc/ardour5.profile | 1 + etc/arduino.profile | 1 + etc/ark.profile | 1 + etc/arm.profile | 7 +++ etc/asunder.profile | 1 + etc/atool.profile | 1 + etc/atril.profile | 1 + etc/audacious.profile | 1 + etc/audacity.profile | 1 + etc/aweather.profile | 1 + etc/baloo_file.profile | 1 + etc/baobab.profile | 1 + etc/basilisk.profile | 1 + etc/bibletime.profile | 1 + etc/bitcoin-qt.profile | 1 + etc/bitlbee.profile | 1 + etc/bleachbit.profile | 1 + etc/blender.profile | 7 +++ etc/bless.profile | 1 + etc/bluefish.profile | 1 + etc/brasero.profile | 1 + etc/bsdtar.profile | 1 + etc/caja.profile | 7 +++ etc/calibre.profile | 2 +- etc/calligra.profile | 1 + etc/catfish.profile | 7 +++ etc/cherrytree.profile | 9 ++- etc/chromium-common.profile | 1 + etc/cin.profile | 1 + etc/claws-mail.profile | 1 + etc/clementine.profile | 1 + etc/clipit.profile | 1 + etc/cmus.profile | 1 + etc/conky.profile | 1 + 
etc/corebird.profile | 1 + etc/cower.profile | 1 + etc/darktable.profile | 1 + etc/deadbeef.profile | 1 + etc/default.profile | 1 + etc/deluge.profile | 7 +++ etc/dex2jar.profile | 13 ++++ etc/dia.profile | 1 + etc/digikam.profile | 1 + etc/dillo.profile | 1 + etc/dino.profile | 1 + etc/disable-devel.inc | 90 +++++++++++----------------- etc/disable-interpreters.inc | 44 ++++++++++++++ etc/display.profile | 13 ++++ etc/dnscrypt-proxy.profile | 1 + etc/dnsmasq.profile | 1 + etc/dolphin.profile | 1 + etc/dooble.profile | 1 + etc/dosbox.profile | 1 + etc/dragon.profile | 1 + etc/dropbox.profile | 1 + etc/elinks.profile | 1 + etc/empathy.profile | 1 + etc/enchant.profile | 1 + etc/engrampa.profile | 1 + etc/enpass.profile | 1 + etc/eog.profile | 1 + etc/eom.profile | 1 + etc/epiphany.profile | 1 + etc/evince.profile | 1 + etc/evolution.profile | 1 + etc/exiftool.profile | 4 +- etc/falkon.profile | 1 + etc/fbreader.profile | 1 + etc/feh.profile | 1 + etc/fetchmail.profile | 1 + etc/ffmpeg.profile | 1 + etc/file-roller.profile | 1 + etc/filezilla.profile | 7 +++ etc/firefox-common.profile | 1 + etc/flowblade.profile | 1 + etc/fontforge.profile | 1 + etc/franz.profile | 1 + etc/freecad.profile | 1 + etc/frozen-bubble.profile | 1 + etc/gajim.profile | 5 ++ etc/galculator.profile | 1 + etc/gedit.profile | 1 + etc/geeqie.profile | 1 + etc/gitg.profile | 1 + etc/gitter.profile | 1 + etc/gjs.profile | 1 + etc/globaltime.profile | 1 + etc/gnome-2048.profile | 1 + etc/gnome-books.profile | 1 + etc/gnome-calculator.profile | 2 + etc/gnome-chess.profile | 1 + etc/gnome-clocks.profile | 1 + etc/gnome-contacts.profile | 2 + etc/gnome-documents.profile | 1 + etc/gnome-font-viewer.profile | 1 + etc/gnome-maps.profile | 1 + etc/gnome-mplayer.profile | 1 + etc/gnome-music.profile | 7 +++ etc/gnome-photos.profile | 1 + etc/gnome-recipes.profile | 1 + etc/gnome-ring.profile | 1 + etc/gnome-twitch.profile | 1 + etc/gnome-weather.profile | 1 + etc/goobox.profile | 1 + 
etc/google-earth.profile | 1 + etc/google-play-music-desktop-player.profile | 1 + etc/gpa.profile | 1 + etc/gpg-agent.profile | 1 + etc/gpg.profile | 1 + etc/gpicview.profile | 1 + etc/gpredict.profile | 1 + etc/gthumb.profile | 1 + etc/guayadeque.profile | 1 + etc/gucharmap.profile | 1 + etc/gwenview.profile | 1 + etc/handbrake.profile | 1 + etc/hashcat.profile | 1 + etc/hedgewars.profile | 1 + etc/hexchat.profile | 10 +++- etc/highlight.profile | 1 + etc/hugin.profile | 1 + etc/imagej.profile | 7 +++ etc/img2txt.profile | 1 + etc/inkscape.profile | 1 + etc/itch.profile | 1 + etc/jd-gui.profile | 1 + etc/jitsi.profile | 7 +++ etc/k3b.profile | 1 + etc/kaffeine.profile | 1 + etc/kate.profile | 1 + etc/kcalc.profile | 1 + etc/kdeinit4.profile | 1 + etc/kdenlive.profile | 1 + etc/keepass.profile | 1 + etc/keepassx.profile | 1 + etc/keepassxc.profile | 1 + etc/kget.profile | 1 + etc/kino.profile | 1 + etc/kmail.profile | 1 + etc/knotes.profile | 11 +++- etc/kodi.profile | 7 +++ etc/konversation.profile | 1 + etc/kopete.profile | 1 + etc/krita.profile | 1 + etc/krunner.profile | 1 + etc/ktorrent.profile | 1 + etc/kwin_x11.profile | 1 + etc/kwrite.profile | 1 + etc/leafpad.profile | 1 + etc/libreoffice.profile | 10 +++- etc/liferea.profile | 7 +++ etc/linphone.profile | 1 + etc/lmms.profile | 1 + etc/lollypop.profile | 1 + etc/luminance-hdr.profile | 1 + etc/lximage-qt.profile | 1 + etc/lxmusic.profile | 1 + etc/lynx.profile | 1 + etc/macrofusion.profile | 7 +++ etc/mate-calc.profile | 1 + etc/mate-color-select.profile | 1 + etc/mate-dictionary.profile | 1 + etc/mcabber.profile | 1 + etc/mediainfo.profile | 1 + etc/mediathekview.profile | 7 +++ etc/midori.profile | 1 + etc/minetest.profile | 1 + etc/mousepad.profile | 1 + etc/mpd.profile | 1 + etc/mplayer.profile | 1 + etc/mpv.profile | 7 +++ etc/multimc5.profile | 7 +++ etc/mumble.profile | 1 + etc/mupdf.profile | 1 + etc/mupen64plus.profile | 1 + etc/musescore.profile | 1 + etc/mutt.profile | 1 + etc/natron.profile | 
1 + etc/nautilus.profile | 7 +++ etc/nemo.profile | 7 +++ etc/netsurf.profile | 1 + etc/neverball.profile | 1 + etc/nheko.profile | 1 + etc/nylas.profile | 1 + etc/obs.profile | 1 + etc/odt2txt.profile | 1 + etc/okular.profile | 1 + etc/onionshare-gui.profile | 5 ++ etc/open-invaders.profile | 1 + etc/openshot.profile | 1 + etc/orage.profile | 1 + etc/parole.profile | 1 + etc/pcmanfm.profile | 1 + etc/pdfchain.profile | 3 +- etc/pdfmod.profile | 1 + etc/pdfsam.profile | 8 +++ etc/pdftotext.profile | 1 + etc/peek.profile | 1 + etc/picard.profile | 5 ++ etc/pidgin.profile | 1 + etc/ping.profile | 1 + etc/pingus.profile | 1 + etc/pinta.profile | 1 + etc/pithos.profile | 7 +++ etc/pitivi.profile | 7 +++ etc/pix.profile | 1 + etc/playonlinux.profile | 10 +++- etc/pluma.profile | 1 + etc/polari.profile | 1 + etc/psi-plus.profile | 1 + etc/qbittorrent.profile | 7 +++ etc/qlipper.profile | 1 + etc/qpdfview.profile | 1 + etc/qtox.profile | 1 + etc/quassel.profile | 1 + etc/quiterss.profile | 1 + etc/qupzilla.profile | 1 + etc/qutebrowser.profile | 7 +++ etc/rambox.profile | 1 + etc/ranger.profile | 5 +- etc/redeclipse.profile | 1 + etc/remmina.profile | 1 + etc/rhythmbox.profile | 1 + etc/ricochet.profile | 1 + etc/ristretto.profile | 1 + etc/rtorrent.profile | 1 + etc/scribus.profile | 7 +++ etc/sdat2img.profile | 7 +++ etc/seamonkey.profile | 1 + etc/server.profile | 1 + etc/shotcut.profile | 1 + etc/signal-desktop.profile | 1 + etc/silentarmy.profile | 1 + etc/simple-scan.profile | 1 + etc/simutrans.profile | 1 + etc/skanlite.profile | 1 + etc/skype.profile | 1 + etc/skypeforlinux.profile | 1 + etc/slack.profile | 1 + etc/smplayer.profile | 1 + etc/smtube.profile | 1 + etc/soundconverter.profile | 1 + etc/spotify.profile | 1 + etc/sqlitebrowser.profile | 1 + etc/start-tor-browser.profile | 1 + etc/steam.profile | 1 + etc/stellarium.profile | 1 + etc/supertux2.profile | 1 + etc/surf.profile | 1 + etc/sylpheed.profile | 1 + etc/synfigstudio.profile | 1 + 
etc/teamspeak3.profile | 1 + etc/telegram.profile | 1 + etc/terasology.profile | 1 + etc/tilp.profile | 1 + etc/tor.profile | 1 + etc/torbrowser-launcher.profile | 7 +++ etc/totem.profile | 1 + etc/tracker.profile | 1 + etc/transmission-cli.profile | 1 + etc/transmission-gtk.profile | 1 + etc/transmission-qt.profile | 1 + etc/transmission-show.profile | 1 + etc/truecraft.profile | 1 + etc/tuxguitar.profile | 7 +++ etc/uefitool.profile | 1 + etc/uget-gtk.profile | 1 + etc/unbound.profile | 1 + etc/uzbl-browser.profile | 1 + etc/viewnior.profile | 1 + etc/viking.profile | 1 + etc/vlc.profile | 1 + etc/vym.profile | 1 + etc/w3m.profile | 1 + etc/warzone2100.profile | 1 + etc/wesnoth.profile | 1 + etc/wine.profile | 1 + etc/wire.profile | 1 + etc/wireshark.profile | 1 + etc/xcalc.profile | 1 + etc/xed.profile | 1 + etc/xfburn.profile | 1 + etc/xfce4-dict.profile | 1 + etc/xfce4-notes.profile | 1 + etc/xiphos.profile | 1 + etc/xmms.profile | 1 + etc/xmr-stak.profile | 1 + etc/xonotic.profile | 1 + etc/xpdf.profile | 1 + etc/xplayer.profile | 1 + etc/xpra.profile | 7 +++ etc/xreader.profile | 1 + etc/xviewer.profile | 1 + etc/youtube-dl.profile | 7 +++ etc/zaproxy.profile | 1 + etc/zart.profile | 1 + etc/zathura.profile | 1 + etc/zoom.profile | 1 + 311 files changed, 636 insertions(+), 70 deletions(-) create mode 100644 etc/disable-interpreters.inc mode change 100755 => 100644 etc/pdfchain.profile (limited to 'etc') diff --git a/etc/0ad.profile b/etc/0ad.profile index 766783997..238dbbce2 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/0ad include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/2048-qt.profile b/etc/2048-qt.profile index fa29925c4..2e74e74e3 100644 --- a/etc/2048-qt.profile +++ b/etc/2048-qt.profile 
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xiaoyong include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/Cryptocat.profile b/etc/Cryptocat.profile index add122a5e..08c2860b3 100644 --- a/etc/Cryptocat.profile +++ b/etc/Cryptocat.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Cryptocat include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/Fritzing.profile b/etc/Fritzing.profile index 0c4ad0647..453b9979e 100644 --- a/etc/Fritzing.profile +++ b/etc/Fritzing.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Fritzing include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 1ceaaf8dc..deff02028 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.Wolfram Research include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/Thunar.profile b/etc/Thunar.profile index 29cfebe13..fbd475ca6 100644 --- a/etc/Thunar.profile +++ b/etc/Thunar.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc 
diff --git a/etc/Viber.profile b/etc/Viber.profile index eb244efca..6a58da8c9 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.ViberPC include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/akonadi_control.profile b/etc/akonadi_control.profile index 3a4404b28..ee73accdf 100644 --- a/etc/akonadi_control.profile +++ b/etc/akonadi_control.profile @@ -18,6 +18,7 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/akregator.profile b/etc/akregator.profile index 2c49ef9f0..19da62916 100644 --- a/etc/akregator.profile +++ b/etc/akregator.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/akregator include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/amarok.profile b/etc/amarok.profile index 79343fcdf..8fa919131 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/amule.profile b/etc/amule.profile index 98ec52015..0d71f8f3b 100644 --- a/etc/amule.profile +++ b/etc/amule.profile 
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.aMule include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/arch-audit.profile b/etc/arch-audit.profile index d8ed64811..70e02fc7b 100644 --- a/etc/arch-audit.profile +++ b/etc/arch-audit.profile @@ -11,6 +11,7 @@ noblacklist /var/lib/pacman include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/archaudit-report.profile b/etc/archaudit-report.profile index 3d0d1d356..f4340faf3 100644 --- a/etc/archaudit-report.profile +++ b/etc/archaudit-report.profile @@ -11,8 +11,10 @@ noblacklist /var/lib/pacman include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc + include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/ardour5.profile b/etc/ardour5.profile index cf72561da..df42dfaed 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.vst include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/arduino.profile b/etc/arduino.profile index b529ec266..e7d0d68dd 100644 --- a/etc/arduino.profile +++ b/etc/arduino.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/Arduino include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/ark.profile b/etc/ark.profile index 8e156df0f..125720189 100644 --- a/etc/ark.profile +++ b/etc/ark.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/arkrc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/arm.profile b/etc/arm.profile index 8b41d787e..a89ee86cc 100644 --- a/etc/arm.profile +++ b/etc/arm.profile @@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.arm +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/asunder.profile b/etc/asunder.profile index 7d643877f..1787ad0cc 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.asunder_album_artist include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/atool.profile b/etc/atool.profile index 4cc3f02de..881c7dc88 100644 --- a/etc/atool.profile +++ b/etc/atool.profile @@ -9,6 +9,7 @@ blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/atril.profile b/etc/atril.profile index e08b70ac6..95120681c 100644 --- a/etc/atril.profile +++ b/etc/atril.profile 
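Review bot: The four python `noblacklist` lines added to etc/arm.profile ahead of the `disable-interpreters.inc` include are repeated verbatim in blender.profile, caja.profile, catfish.profile and cherrytree.profile later in this patch, so the exemption has to be maintained in several places at once. A single shared include holding just this block (file name to be chosen by the project) would keep the exemption identical everywhere and reduce later path corrections to a one-file change. The block covers only `${PATH}` and `/usr/lib`; if disable-interpreters.inc, which is not visible in this part of the patch, also blacklists other library directories, python would stay blocked there. It also exempts both python2 and python3 in every profile, so where a program is known to need only one, listing only that one keeps the other blacklisted. The profile continues outside the hunk.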
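Review bot: etc/atool.profile gains `include /etc/firejail/disable-interpreters.inc` with no matching `noblacklist` lines, and the same is true of etc/bleachbit.profile further down. As far as I know atool is a Perl script and BleachBit is a Python program, and the commit message says the new include blacklists python and perl, so both are likely to fail to start inside the sandbox; please confirm by running them. If they do fail, add an exemption block before the includes in the style used for arm.profile, headed by a comment such as `# Allow perl (blacklisted by disable-interpreters.inc)`. A profile that breaks its program tends to be switched off by users altogether, which loses the rest of the confinement as well.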
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.config/atril include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/audacious.profile b/etc/audacious.profile index 71003f156..8d3689487 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/audacious include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/audacity.profile b/etc/audacity.profile index 907dbeb55..c5e54ee24 100644 --- a/etc/audacity.profile +++ b/etc/audacity.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.audacity-data include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/aweather.profile b/etc/aweather.profile index 2a4a9b591..57b8fb61a 100644 --- a/etc/aweather.profile +++ b/etc/aweather.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/aweather include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/baloo_file.profile b/etc/baloo_file.profile index e265bcd82..b71f66ba5 100644 --- a/etc/baloo_file.profile +++ b/etc/baloo_file.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/baloo include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/baobab.profile b/etc/baobab.profile index 5c1675611..8ff282151 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile @@ -7,6 +7,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/basilisk.profile b/etc/basilisk.profile index a87391942..c13be364b 100644 --- a/etc/basilisk.profile +++ b/etc/basilisk.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.moonchild productions/basilisk include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc # These are uncommented in the Firefox profile. If you run into trouble you may diff --git a/etc/bibletime.profile b/etc/bibletime.profile index f23a29052..d5933dcf4 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.sword include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile index 0981d9f10..84c2c77de 100644 --- a/etc/bitcoin-qt.profile +++ b/etc/bitcoin-qt.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.bitcoin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index 0f57c9e69..b6baa66bc 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile 
@@ -11,6 +11,7 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile index ae40c3ec7..0a0d502d3 100644 --- a/etc/bleachbit.profile +++ b/etc/bleachbit.profile @@ -7,6 +7,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/blender.profile b/etc/blender.profile index 29df27759..fc7b996e9 100644 --- a/etc/blender.profile +++ b/etc/blender.profile @@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/blender +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/bless.profile b/etc/bless.profile index 10b471582..3fd04cae6 100644 --- a/etc/bless.profile +++ b/etc/bless.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/bless include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/bluefish.profile b/etc/bluefish.profile index 6eb1d753f..3931819f1 100644 --- a/etc/bluefish.profile +++ b/etc/bluefish.profile 
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/brasero.profile b/etc/brasero.profile index 90a7b176e..26074af22 100644 --- a/etc/brasero.profile +++ b/etc/brasero.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/brasero include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/bsdtar.profile b/etc/bsdtar.profile index d4fe080d0..a49fc023a 100644 --- a/etc/bsdtar.profile +++ b/etc/bsdtar.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/caja.profile b/etc/caja.profile index 26190ad48..2d292e614 100644 --- a/etc/caja.profile +++ b/etc/caja.profile @@ -12,8 +12,15 @@ noblacklist ${HOME}/.local/share/Trash # noblacklist ${HOME}/.config/caja - disable-programs.inc is disabled, see below # noblacklist ${HOME}/.local/share/caja-python +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/calibre.profile b/etc/calibre.profile index 468d68f7b..436ac3234 100644 --- a/etc/calibre.profile +++ b/etc/calibre.profile 
@@ -9,7 +9,7 @@ noblacklist ${HOME}/.cache/calibre noblacklist ${HOME}/.config/calibre include /etc/firejail/disable-common.inc -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/calligra.profile b/etc/calligra.profile index f7df8ce85..bc041a718 100644 --- a/etc/calligra.profile +++ b/etc/calligra.profile @@ -7,6 +7,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/catfish.profile b/etc/catfish.profile index 6a608c673..02c5db969 100644 --- a/etc/catfish.profile +++ b/etc/catfish.profile @@ -10,8 +10,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/catfish +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index 3db2aeb09..e33e010aa 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile 
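Review bot: The etc/calibre.profile hunk turns on `disable-devel.inc` but, unlike almost every other profile in this patch, adds no `disable-interpreters.inc` line, and nothing in the file records why. Calibre is Python-based as far as I know, so the omission may be deliberate, but it also leaves perl, ruby and the other interpreters named in the commit message reachable from this sandbox. Consider the pattern used for catfish.profile in the same patch: the python `noblacklist` block followed by `include /etc/firejail/disable-interpreters.inc`. Failing that, add the include commented out with a one-line reason, so the gap is visibly intentional.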
@@ -6,11 +6,16 @@ include /etc/firejail/cherrytree.local include /etc/firejail/globals.local noblacklist ${HOME}/.config/cherrytree -#noblacklist /usr/bin/python2* -#noblacklist /usr/lib/python3* + +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 7f07c5b26..8b25f4e60 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.pki diff --git a/etc/cin.profile b/etc/cin.profile index e86a4d9b4..0a5b0c728 100644 --- a/etc/cin.profile +++ b/etc/cin.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.bcast5 include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile index 319515bde..343f8bed8 100644 --- a/etc/claws-mail.profile +++ b/etc/claws-mail.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.signature include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/clementine.profile b/etc/clementine.profile index ccf6f9c97..ce4b8deb8 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile 
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Clementine
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/clipit.profile b/etc/clipit.profile
index e6ee7b636..e5660f859 100644
--- a/etc/clipit.profile
+++ b/etc/clipit.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/clipit
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/cmus.profile b/etc/cmus.profile
index 2d6f2454b..03f234913 100644
--- a/etc/cmus.profile
+++ b/etc/cmus.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/cmus
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/conky.profile b/etc/conky.profile
index 4ee25f099..fe90ac099 100644
--- a/etc/conky.profile
+++ b/etc/conky.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 3c9740cb7..a99a6b732 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/corebird
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/cower.profile b/etc/cower.profile
index 565c417ed..dcc388f87 100644
--- a/etc/cower.profile
+++ b/etc/cower.profile
@@ -19,6 +19,7 @@ noblacklist /var/lib/pacman
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/darktable.profile b/etc/darktable.profile
index 176ffaca1..511e4e475 100644
--- a/etc/darktable.profile
+++ b/etc/darktable.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/darktable
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile
index 3367aa8f4..53383d88d 100644
--- a/etc/deadbeef.profile
+++ b/etc/deadbeef.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/deadbeef
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/default.profile b/etc/default.profile
index 1af7ceba4..9a2fcae64 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -10,6 +10,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/deluge.profile b/etc/deluge.profile
index 401623ae6..da7e0dcdc 100644
--- a/etc/deluge.profile
+++ b/etc/deluge.profile
@@ -7,8 +7,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/deluge
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index ed73b8b8c..f01675186 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,8 +6,21 @@ include /etc/firejail/dex2jar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dia.profile b/etc/dia.profile
index fb3506955..49c6727f9 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.dia
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 4df344cbc..819b8fe41 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
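Review bot: The `# Allow access to java` block is added twice in the etc/dex2jar.profile hunk: the comment and the four `noblacklist` lines for `${PATH}/java`, `/usr/lib/java`, `/etc/java` and `/usr/share/java` appear back to back. The second copy is redundant and should be dropped so the exception is stated once and is easy to audit. The etc/display.profile hunk has the same duplication with its `# Allow python (blacklisted by disable-interpreters.inc)` block. Since this commit puts the Java paths in disable-devel.inc, the remaining comment could name its source the way the Python one does: `# Allow java (blacklisted by disable-devel.inc)`.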
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde4/share/apps/digikam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 6afb999e7..05413fe56 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.dillo
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dino.profile b/etc/dino.profile
index 72f4f40b2..5c9d44140 100644
--- a/etc/dino.profile
+++ b/etc/dino.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/dino
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/disable-devel.inc b/etc/disable-devel.inc
index 9ff58ae2a..0327e717e 100644
--- a/etc/disable-devel.inc
+++ b/etc/disable-devel.inc
@@ -6,76 +6,54 @@ include /etc/firejail/disable-devel.local
 # GCC
 #blacklist /usr/lib/gcc - seems to create problems on Gentoo
-blacklist /usr/bin/as
-blacklist /usr/bin/c++*
-blacklist /usr/bin/c8*
-blacklist /usr/bin/c9*
-blacklist /usr/bin/cpp*
-blacklist /usr/bin/g++*
-blacklist /usr/bin/gcc*
-blacklist /usr/bin/gdb
-blacklist /usr/bin/ld
-blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
-blacklist /usr/bin/x86_64-linux-gnu-g++*
-blacklist /usr/bin/x86_64-linux-gnu-gcc*
-blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist ${PATH}/as
+blacklist ${PATH}/cc
+blacklist ${PATH}/c++*
+blacklist ${PATH}/c8*
+blacklist ${PATH}/c9*
+blacklist ${PATH}/cpp*
+blacklist ${PATH}/g++*
+blacklist ${PATH}/gcc*
+blacklist ${PATH}/gdb
+blacklist ${PATH}/ld
+blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/*-g++*
+blacklist ${PATH}/*-gcc*
+blacklist ${PATH}/*-g++*
 blacklist /usr/include
 # clang/llvm
-blacklist /usr/bin/clang*
-blacklist /usr/bin/lldb*
-blacklist /usr/bin/llvm*
+blacklist ${PATH}/clang*
+blacklist ${PATH}/lldb*
+blacklist ${PATH}/llvm*
 blacklist /usr/lib/llvm*
 # tcc - Tiny C Compiler
-blacklist /usr/bin/tcc
-blacklist /usr/bin/x86_64-tcc
+blacklist ${PATH}/tcc
+blacklist ${PATH}/x86_64-tcc
 blacklist /usr/lib/tcc
 # Valgrind
-blacklist /usr/bin/valgrind*
+blacklist ${PATH}/valgrind*
 blacklist /usr/lib/valgrind
-# Perl
-blacklist /usr/bin/cpan*
-blacklist /usr/bin/perl
-blacklist /usr/lib/perl*
-blacklist /usr/share/perl*
-
-# PHP
-blacklist /usr/bin/php*
-blacklist /usr/lib/php*
-blacklist /usr/share/php*
-
-# Ruby
-blacklist /usr/bin/ruby
-blacklist /usr/lib/ruby
-
-# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
-# Python 2
-#blacklist /usr/bin/python2*
-#blacklist /usr/include/python2*
-#blacklist /usr/lib/python2*
-#blacklist /usr/local/lib/python2*
-#blacklist /usr/share/python2*
-#
-# Python 3
-#blacklist /usr/bin/python3*
-#blacklist /usr/include/python3*
-#blacklist /usr/lib/python3*
-#blacklist /usr/local/lib/python3*
-#blacklist /usr/share/python3*
+# Java
+blacklist ${PATH}/java
+blacklist ${PATH}/javac
+blacklist /usr/lib/java
+blacklist /etc/java
+blacklist /usr/share/java
 #Go
-blacklist /usr/bin/gccgo
-blacklist /usr/bin/go
-blacklist /usr/bin/gofmt
+blacklist ${PATH}/gccgo
+blacklist ${PATH}/go
+blacklist ${PATH}/gofmt
 #Rust
-blacklist /usr/bin/rust-gdb
-blacklist /usr/bin/rust-lldb
-blacklist /usr/bin/rustc
+blacklist ${PATH}/rust-gdb
+blacklist ${PATH}/rust-lldb
+blacklist ${PATH}/rustc
 #OpenSSL
-blacklist /usr/bin/openssl
-blacklist /usr/bin/openssl-1.0
+blacklist ${PATH}/openssl
+blacklist ${PATH}/openssl-1.0
diff --git a/etc/disable-interpreters.inc b/etc/disable-interpreters.inc
new file mode 100644
index 000000000..5c68485aa
--- /dev/null
+++ b/etc/disable-interpreters.inc
@@ -0,0 +1,44 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include /etc/firejail/disable-interpreters.local
+
+# Lua
+blacklist ${PATH}/lua*
+blacklist /usr/lib/lua
+blacklist /usr/include/lua*
+blacklist /usr/share/lua
+
+# Node.js
+blacklist ${PATH}/node
+blacklist /usr/include/node
+
+# Perl
+blacklist ${PATH}/cpan*
+blacklist ${PATH}/core_perl
+blacklist ${PATH}/perl
+blacklist /usr/lib/perl*
+blacklist /usr/share/perl*
+
+# PHP
+blacklist ${PATH}/php*
+blacklist /usr/lib/php*
+blacklist /usr/share/php*
+
+# Ruby
+blacklist ${PATH}/ruby
+blacklist /usr/lib/ruby
+
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
+# Python 2
+blacklist ${PATH}/python2*
+blacklist /usr/include/python2*
+blacklist /usr/lib/python2*
+blacklist /usr/local/lib/python2*
+blacklist /usr/share/python2*
+
+# Python 3
+blacklist ${PATH}/python3*
+blacklist /usr/include/python3*
+blacklist /usr/lib/python3*
+blacklist /usr/local/lib/python3*
+blacklist /usr/share/python3*
diff --git a/etc/display.profile b/etc/display.profile
index 69183f4ca..ca776a5d1 100644
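Review bot: In the GCC block of etc/disable-devel.inc, `blacklist ${PATH}/*-gcc*` and `blacklist ${PATH}/*-g++*` are each added twice, apparently because the four target-specific `x86_64-…` entries were replaced one for one by the same two globs. One pair is enough; the second pair can be deleted. The tcc block still names only `${PATH}/x86_64-tcc`, so other target prefixes are not matched there; `blacklist ${PATH}/*-tcc` would be consistent with the gcc globs. The new `# Java` section would also benefit from a one-line comment that profiles needing a JVM must place their `noblacklist` lines before including this file, as the dex2jar hunk does.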
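Review bot: The Perl, Ruby and Node.js entries in the new etc/disable-interpreters.inc match exact names (`${PATH}/perl`, `${PATH}/ruby`, `${PATH}/node`), whereas the Lua, PHP and Python entries use globs, so versioned or distro-renamed binaries (for example a `nodejs` or a version-suffixed `perl`/`ruby` executable, where a distribution installs one) are not covered. Using `blacklist ${PATH}/perl*`, `blacklist ${PATH}/ruby*` and `blacklist ${PATH}/node*` would make the coverage uniform; the matching `noblacklist ${PATH}/perl` in profiles such as exiftool would then need the same glob. A short header comment that this list is a name-based denylist, and that profiles needing an interpreter must `noblacklist` it before the include, would make the intended use clear to profile authors.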
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -5,8 +5,21 @@ include /etc/firejail/display.local
 # Persistent global definitions
 include /etc/firejail/globals.local
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dnscrypt-proxy.profile b/etc/dnscrypt-proxy.profile
index 458de81e2..4d0afc159 100644
--- a/etc/dnscrypt-proxy.profile
+++ b/etc/dnscrypt-proxy.profile
@@ -12,6 +12,7 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile
index e6086d1b2..f71f5bb02 100644
--- a/etc/dnsmasq.profile
+++ b/etc/dnsmasq.profile
@@ -12,6 +12,7 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dolphin.profile b/etc/dolphin.profile
index c694a96e5..f9fa977a9 100644
--- a/etc/dolphin.profile
+++ b/etc/dolphin.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/Trash
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 # dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
 # include /etc/firejail/disable-programs.inc
diff --git a/etc/dooble.profile b/etc/dooble.profile
index 2a57b0ef3..df68a4aef 100644
--- a/etc/dooble.profile
+++ b/etc/dooble.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.dooble
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dosbox.profile b/etc/dosbox.profile
index 736c7da2f..79514c373 100644
--- a/etc/dosbox.profile
+++ b/etc/dosbox.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.dosbox
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dragon.profile b/etc/dragon.profile
index 392b4146e..bdaa12e75 100644
--- a/etc/dragon.profile
+++ b/etc/dragon.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/dragonplayerrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/dropbox.profile b/etc/dropbox.profile
index 138b3912a..24b69e118 100644
--- a/etc/dropbox.profile
+++ b/etc/dropbox.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.dropbox-dist
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index aca30c933..5d28ac0c8 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.elinks
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/empathy.profile b/etc/empathy.profile
index b2cfa369c..b9d682322 100644
--- a/etc/empathy.profile
+++ b/etc/empathy.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
diff --git a/etc/enchant.profile b/etc/enchant.profile
index 8178bb2c8..0e9ed3f22 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/enchant
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index cf32d579e..70ec7615e 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/enpass.profile b/etc/enpass.profile
index 4c19d5825..2ee7a97f6 100644
--- a/etc/enpass.profile
+++ b/etc/enpass.profile
@@ -6,6 +6,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/eog.profile b/etc/eog.profile
index 66434ae05..8a0925655 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/eom.profile b/etc/eom.profile
index 48965bcb9..86ce01d1b 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/epiphany.profile b/etc/epiphany.profile
index 0f9a9cf55..e579fb4f6 100644
--- a/etc/epiphany.profile
+++ b/etc/epiphany.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/epiphany
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/epiphany
diff --git a/etc/evince.profile b/etc/evince.profile
index 38c9ee9a9..cca564557 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/evince
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/evolution.profile b/etc/evolution.profile
index d946cc9f9..0584b2744 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -16,6 +16,7 @@ noblacklist ${HOME}/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 8ab6012f5..2522a32a3 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -8,12 +8,14 @@ include /etc/firejail/globals.local
 blacklist /tmp/.X11-unix
-noblacklist /usr/bin/perl
+# Allow access to perl
+noblacklist ${PATH}/perl
 noblacklist /usr/lib/perl*
 noblacklist /usr/share/perl*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/falkon.profile b/etc/falkon.profile
index a86c83329..cd98d2d65 100644
--- a/etc/falkon.profile
+++ b/etc/falkon.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/falkon
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/fbreader.profile b/etc/fbreader.profile
index 8e2e5b169..573099429 100644
--- a/etc/fbreader.profile
+++ b/etc/fbreader.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.FBReader
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/feh.profile b/etc/feh.profile
index ba7a76c49..657f05f3c 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/fetchmail.profile b/etc/fetchmail.profile
index 6bda49ee1..12175295f 100644
--- a/etc/fetchmail.profile
+++ b/etc/fetchmail.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.netrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index 538179107..4e55039cf 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index eb76d1dbb..69b9c18da 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index 0f6cb22f3..1bc78e5ef 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -8,8 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/filezilla
 noblacklist ${HOME}/.filezilla
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile
index 1f531c1b7..3fe83eda0 100644
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.pki
diff --git a/etc/flowblade.profile b/etc/flowblade.profile
index 79dab0751..bad8538cf 100644
--- a/etc/flowblade.profile
+++ b/etc/flowblade.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.flowblade
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/fontforge.profile b/etc/fontforge.profile
index 29295f8a0..be5f0d4e2 100644
--- a/etc/fontforge.profile
+++ b/etc/fontforge.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.FontForge
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/franz.profile b/etc/franz.profile
index 42b14fa2f..fbe1c0f65 100644
--- a/etc/franz.profile
+++ b/etc/franz.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.pki
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.cache/Franz
diff --git a/etc/freecad.profile b/etc/freecad.profile
index c51d88f7a..dc5738e01 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/FreeCAD
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index 8acd32bdd..63b4d3330 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.frozen-bubble
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 9171b93af..02c818443 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -9,8 +9,13 @@ noblacklist ${HOME}/.cache/gajim
 noblacklist ${HOME}/.config/gajim
 noblacklist ${HOME}/.local/share/gajim
+# Allow python2.7 (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist /usr/lib/python2*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/galculator.profile b/etc/galculator.profile
index 8229f8250..1a5112ef5 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/galculator
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gedit.profile b/etc/gedit.profile
index e78b8a708..33d03f62e 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.gitconfig
 include /etc/firejail/disable-common.inc
 # include /etc/firejail/disable-devel.inc
+# include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/geeqie.profile b/etc/geeqie.profile
index 27ee343af..7512cbcd9 100644
--- a/etc/geeqie.profile
+++ b/etc/geeqie.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/geeqie
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 0c8495866..39cbdc53d 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.ssh
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gitter.profile b/etc/gitter.profile
index a3bbabd10..2edbf8a4e 100644
--- a/etc/gitter.profile
+++ b/etc/gitter.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/Gitter
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 32faeb8df..9d439782c 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/gnome-photos
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/globaltime.profile b/etc/globaltime.profile
index 6961a56e9..19820ce85 100644
--- a/etc/globaltime.profile
+++ b/etc/globaltime.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/globaltime
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-2048.profile b/etc/gnome-2048.profile
index a292633c3..5ecb279e5 100644
--- a/etc/gnome-2048.profile
+++ b/etc/gnome-2048.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/gnome-2048
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile
index bd21cd39f..4274981b5 100644
--- a/etc/gnome-books.profile
+++ b/etc/gnome-books.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.cache/org.gnome.Books
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index dfb93c3b0..0aed6f52a 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -9,7 +9,9 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
+
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/gnome-chess.profile b/etc/gnome-chess.profile
index f1f04d889..59a3d59af 100644
--- a/etc/gnome-chess.profile
+++ b/etc/gnome-chess.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/gnome-chess
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index be294ae9a..103a5ff73 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index 3a3808e56..d4d670998 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -8,8 +8,10 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
+
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile
index 40bb63538..9089d7ee8 100644
--- a/etc/gnome-documents.profile
+++ b/etc/gnome-documents.profile
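Review bot: In the etc/gnome-calculator.profile hunk, `include /etc/firejail/disable-interpreters.inc` is inserted after disable-passwdmgr.inc, whereas the other profiles touched in this part of the commit (gnome-contacts in the same line range, for instance) place it between disable-devel.inc and disable-passwdmgr.inc. The order presumably does not change the resulting sandbox, but keeping the `disable-*.inc` includes alphabetical makes profiles easier to compare and to check mechanically for a missing include. Move the added line up one so it directly follows `include /etc/firejail/disable-devel.inc`.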
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/libreoffice
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-font-viewer.profile b/etc/gnome-font-viewer.profile
index cca0313cc..ebd937f9b 100644
--- a/etc/gnome-font-viewer.profile
+++ b/etc/gnome-font-viewer.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index b1030597c..b5364e48d 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.cache/champlain
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile
index c9626950e..7cf97a79f 100644
--- a/etc/gnome-mplayer.profile
+++ b/etc/gnome-mplayer.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/gnome-mplayer
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index f052563be..eec61b8db 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.local/share/gnome-music +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index f3b00a868..132f3b6bd 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/gnome-photos include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile index 2f7657c0c..f1e062fd5 100644 --- a/etc/gnome-recipes.profile +++ b/etc/gnome-recipes.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gnome-recipes include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-ring.profile b/etc/gnome-ring.profile index 5ae7f427a..cbc79320e 100644 --- a/etc/gnome-ring.profile +++ b/etc/gnome-ring.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/gnome-ring include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-twitch.profile b/etc/gnome-twitch.profile index 9e8f2a241..c7fc04be3 100644 --- a/etc/gnome-twitch.profile +++ b/etc/gnome-twitch.profile 
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/gnome-twitch include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 0423b06dd..64482b246 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.cache/libgweather include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/goobox.profile b/etc/goobox.profile index 98514ce8d..ed7b4e761 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/google-earth.profile b/etc/google-earth.profile index 2e0d11897..bafa716d1 100644 --- a/etc/google-earth.profile +++ b/etc/google-earth.profile @@ -13,6 +13,7 @@ noblacklist ${HOME}/.googleearth/myplaces.kml include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index 58473d5c8..7a19cc676 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile 
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Google Play Music Desktop Player include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gpa.profile b/etc/gpa.profile index 725c744ed..17791bb82 100644 --- a/etc/gpa.profile +++ b/etc/gpa.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.gnupg include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile index c59c624fc..7f50e1e8d 100644 --- a/etc/gpg-agent.profile +++ b/etc/gpg-agent.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.gnupg include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gpg.profile b/etc/gpg.profile index cd2b30e9e..7eb8a3ac8 100644 --- a/etc/gpg.profile +++ b/etc/gpg.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.gnupg include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gpicview.profile b/etc/gpicview.profile index c6453e972..9644ac59d 100644 --- a/etc/gpicview.profile +++ b/etc/gpicview.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/gpicview include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 029c37290..51f384751 100644 
--- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Gpredict include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gthumb.profile b/etc/gthumb.profile index 5d066c141..eb0c38ec2 100644 --- a/etc/gthumb.profile +++ b/etc/gthumb.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.steam include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/guayadeque.profile b/etc/guayadeque.profile index 14662443c..e7e3f828c 100644 --- a/etc/guayadeque.profile +++ b/etc/guayadeque.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.guayadeque include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile index b6be37439..16ea2047d 100644 --- a/etc/gucharmap.profile +++ b/etc/gucharmap.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/gwenview.profile b/etc/gwenview.profile index d17be41cc..068a6d19b 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/org.kde.gwenview include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/handbrake.profile b/etc/handbrake.profile index ff9dd248f..6f2f3bf7f 100644 --- a/etc/handbrake.profile +++ b/etc/handbrake.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/ghb include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/hashcat.profile b/etc/hashcat.profile index c8ab268c8..d61165a91 100644 --- a/etc/hashcat.profile +++ b/etc/hashcat.profile @@ -11,6 +11,7 @@ noblacklist /usr/include include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 6f9117fae..d6b686be7 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.hedgewars include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 02f8e9eeb..9b2eafcea 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,11 +7,17 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/hexchat noblacklist /usr/share/perl* -# noblacklist /usr/lib/python2* -# noblacklist /usr/lib/python3* + +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc +include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/hexchat 
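Review bot: In the etc/hexchat.profile hunk the only Perl exemption is the pre-existing `noblacklist /usr/share/perl*`, while Python now gets entries for both `${PATH}` and `/usr/lib`. disable-interpreters.inc is not part of this hunk, so this is inferred: if it also blacklists the perl binary and its library directory, HexChat's Perl plugin would stop loading once the new include takes effect. I would add a block parallel to the Python one, `# Allow perl (blacklisted by disable-interpreters.inc)` followed by `noblacklist ${PATH}/perl` and `noblacklist /usr/lib/perl*`, adjusted to whatever paths the include file actually lists.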
diff --git a/etc/highlight.profile b/etc/highlight.profile index 781866f3b..a93019696 100644 --- a/etc/highlight.profile +++ b/etc/highlight.profile @@ -9,6 +9,7 @@ blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/hugin.profile b/etc/hugin.profile index 3847a7daf..761c4e039 100644 --- a/etc/hugin.profile +++ b/etc/hugin.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.hugin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/imagej.profile b/etc/imagej.profile index 7396160af..bfd3444f0 100644 --- a/etc/imagej.profile +++ b/etc/imagej.profile @@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.imagej +# Allow access to java +noblacklist ${PATH}/java +noblacklist /usr/lib/java +noblacklist /etc/java +noblacklist /usr/share/java + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/img2txt.profile b/etc/img2txt.profile index 8c157bf2a..1cc8d2953 100644 --- a/etc/img2txt.profile +++ b/etc/img2txt.profile @@ -7,6 +7,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/inkscape.profile b/etc/inkscape.profile index af24bc3e9..0f5ca9d39 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile 
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.inkscape include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/itch.profile b/etc/itch.profile index 7e8f0518d..2ad669952 100644 --- a/etc/itch.profile +++ b/etc/itch.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.config/itch include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile index f70eff3e4..f435b4ed7 100644 --- a/etc/jd-gui.profile +++ b/etc/jd-gui.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.java include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/jitsi.profile b/etc/jitsi.profile index bfccdf281..cb2f2092a 100644 --- a/etc/jitsi.profile +++ b/etc/jitsi.profile @@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.jitsi +# Allow access to java +noblacklist ${PATH}/java +noblacklist /usr/lib/java +noblacklist /etc/java +noblacklist /usr/share/java + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/k3b.profile b/etc/k3b.profile index 275304fb2..38ad97354 100644 --- a/etc/k3b.profile +++ b/etc/k3b.profile 
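Review bot: The etc/jd-gui.profile hunk adds `include /etc/firejail/disable-interpreters.inc` but none of the Java exemptions that imagej, jitsi, mediathekview and multimc5 receive in this same change. The `noblacklist ${HOME}/.java` context line suggests jd-gui runs on a JVM, so it would presumably fail to start once `${PATH}/java` is blacklisted. Unless the lines above the hunk already cover it, add `# Allow access to java` with `noblacklist ${PATH}/java`, `noblacklist /usr/lib/java`, `noblacklist /etc/java` and `noblacklist /usr/share/java` before the disable-*.inc includes.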
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.kde4/share/config/k3brc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kaffeine.profile b/etc/kaffeine.profile index 07280ab6d..93e27b7c3 100644 --- a/etc/kaffeine.profile +++ b/etc/kaffeine.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/kaffeine include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kate.profile b/etc/kate.profile index b3c1e81d8..7408ee0ef 100644 --- a/etc/kate.profile +++ b/etc/kate.profile @@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/kate include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kcalc.profile b/etc/kcalc.profile index 86a3b1462..5afea9c1c 100644 --- a/etc/kcalc.profile +++ b/etc/kcalc.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kdeinit4.profile b/etc/kdeinit4.profile index e6a2653e1..76de15ccf 100644 --- a/etc/kdeinit4.profile +++ b/etc/kdeinit4.profile @@ -9,6 +9,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile index 819279b10..0fa9da497 100644 --- a/etc/kdenlive.profile +++ b/etc/kdenlive.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/kdenlive include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/keepass.profile b/etc/keepass.profile index c133ce0fb..9ae6abfb2 100644 --- a/etc/keepass.profile +++ b/etc/keepass.profile @@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/keepass include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/keepassx.profile b/etc/keepassx.profile index 14af2682c..7a5e57d72 100644 --- a/etc/keepassx.profile +++ b/etc/keepassx.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.keepassx include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile index 0e464cbe4..0edb375b3 100644 --- a/etc/keepassxc.profile +++ b/etc/keepassxc.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.mozilla include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kget.profile b/etc/kget.profile index c4e073c2b..c45d8daba 100644 --- a/etc/kget.profile +++ b/etc/kget.profile 
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/kget include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kino.profile b/etc/kino.profile index be51786f5..054b185dd 100644 --- a/etc/kino.profile +++ b/etc/kino.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.kinorc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kmail.profile b/etc/kmail.profile index 3e425b62e..f7b180f87 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -25,6 +25,7 @@ noblacklist /tmp/akonadi-* include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/knotes.profile b/etc/knotes.profile index 4bbbd332d..35e2699bd 100644 --- a/etc/knotes.profile +++ b/etc/knotes.profile @@ -5,8 +5,15 @@ include /etc/firejail/knotes.local # Persistent global definitions include /etc/firejail/globals.local -# knotes has problems launching akonadi in debian and ubuntu. -# one solution is to have akonadi already running when knotes is started +noblacklist ${HOME}/.config/akonadi* +noblacklist ${HOME}/.config/knotesrc +noblacklist ${HOME}/.local/share/akonadi/* + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc noblacklist ${HOME}/.config/knotesrc noblacklist ${HOME}/.local/share/knotes diff --git a/etc/kodi.profile b/etc/kodi.profile index dfe019641..54d548291 100644 --- a/etc/kodi.profile +++ b/etc/kodi.profile 
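Review bot: In the etc/knotes.profile hunk the two context lines `noblacklist ${HOME}/.config/knotesrc` and `noblacklist ${HOME}/.local/share/knotes` now sit after the newly added disable-*.inc includes. The first is then a duplicate of the added `+noblacklist ${HOME}/.config/knotesrc`. The second comes too late if, as I understand it, firejail only honours a noblacklist that is read before the matching blacklist entry. I would move `noblacklist ${HOME}/.local/share/knotes` up into the new noblacklist group and drop the trailing duplicate. The profile continues past the end of the hunk, so the rest of the file should be checked for the same ordering.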
@@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.kodi +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/konversation.profile b/etc/konversation.profile index 356d2f314..0acad236a 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.kde4/share/config/konversationrc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kopete.profile b/etc/kopete.profile index 7f332d48e..0954b7dff 100644 --- a/etc/kopete.profile +++ b/etc/kopete.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.kde4/share/config/kopeterc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/krita.profile b/etc/krita.profile index 24948c584..e52adaaec 100644 --- a/etc/krita.profile +++ b/etc/krita.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/krita include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/krunner.profile b/etc/krunner.profile index 17526c4ea..288327f9c 100644 --- a/etc/krunner.profile +++ b/etc/krunner.profile 
@@ -20,6 +20,7 @@ noblacklist ${HOME}/.kde4/share/config/krunnerrc include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-interpreters.inc # include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/ktorrent.profile b/etc/ktorrent.profile index d1b67a3f1..44fb5ae3e 100644 --- a/etc/ktorrent.profile +++ b/etc/ktorrent.profile @@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/ktorrent include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kwin_x11.profile b/etc/kwin_x11.profile index 534e7cd51..ca7c5042d 100644 --- a/etc/kwin_x11.profile +++ b/etc/kwin_x11.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/kwin include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/kwrite.profile b/etc/kwrite.profile index ac51259c0..e416a5591 100644 --- a/etc/kwrite.profile +++ b/etc/kwrite.profile @@ -15,6 +15,7 @@ noblacklist ${HOME}/.local/share/kwrite include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/leafpad.profile b/etc/leafpad.profile index bca6e9c22..0374d2e4a 100644 --- a/etc/leafpad.profile +++ b/etc/leafpad.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/leafpad include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 15961321e..4b3eb1ac7 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile @@ -9,9 +9,15 @@ noblacklist ${HOME}/.java noblacklist /usr/local/sbin noblacklist ${HOME}/.config/libreoffice +# libreoffice uses java; if you don't care about java functionality, +# comment the next four lines +noblacklist ${PATH}/java +noblacklist /usr/lib/java +noblacklist /etc/java +noblacklist /usr/share/java + include /etc/firejail/disable-common.inc -# libreoffice uses java; if you don't care about java functionality, uncomment this line; -#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/liferea.profile b/etc/liferea.profile index 552a45bbb..4b7905cb7 100644 --- a/etc/liferea.profile +++ b/etc/liferea.profile @@ -9,8 +9,15 @@ noblacklist ${HOME}/.cache/liferea noblacklist ${HOME}/.config/liferea noblacklist ${HOME}/.local/share/liferea +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/linphone.profile b/etc/linphone.profile index 41f9245a2..9e54db3ca 100644 --- a/etc/linphone.profile +++ b/etc/linphone.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.linphonerc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/lmms.profile b/etc/lmms.profile index a9fecf5be..58f82726d 100644 --- a/etc/lmms.profile +++ b/etc/lmms.profile 
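Review bot: The etc/libreoffice.profile hunk re-enables `disable-devel.inc` and adds the Java exemptions, but it does not add `include /etc/firejail/disable-interpreters.inc`, and nothing in the file says why. If the omission is deliberate (LibreOffice presumably needs a scripting runtime), record it next to the includes, for example `# disable-interpreters.inc is not included: <reason>`. Otherwise add the include after the disable-devel.inc line, together with the noblacklist entries the application needs, so a document-handling application gets the same interpreter blacklist as the other profiles.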
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.lmmsrc.xml include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/lollypop.profile b/etc/lollypop.profile index f42489cd3..596da5925 100644 --- a/etc/lollypop.profile +++ b/etc/lollypop.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/lollypop include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/luminance-hdr.profile b/etc/luminance-hdr.profile index ec2a65290..8d55f5de2 100644 --- a/etc/luminance-hdr.profile +++ b/etc/luminance-hdr.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Luminance include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/lximage-qt.profile b/etc/lximage-qt.profile index d4bb1b0e8..971d969ad 100644 --- a/etc/lximage-qt.profile +++ b/etc/lximage-qt.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/lximage-qt include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/lxmusic.profile b/etc/lxmusic.profile index 71d7a056f..5962c7dc7 100644 --- a/etc/lxmusic.profile +++ b/etc/lxmusic.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/xmms2 include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/lynx.profile b/etc/lynx.profile index d54bed564..fec9661c6 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile @@ -9,6 +9,7 @@ blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile index 948c7226d..bbef46567 100644 --- a/etc/macrofusion.profile +++ b/etc/macrofusion.profile @@ -7,8 +7,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/mfusion +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile index f452b751a..6185b013f 100644 --- a/etc/mate-calc.profile +++ b/etc/mate-calc.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/mate-calc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mate-color-select.profile b/etc/mate-color-select.profile index 24f59e1d5..c3a3ee446 100644 --- a/etc/mate-color-select.profile +++ b/etc/mate-color-select.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 3f85addaf..6c9ed4499 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/mate/mate-dictionary include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 2e31e09ec..860de3f0a 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.mcabberrc include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile index c3c84ed39..d79a0e886 100644 --- a/etc/mediainfo.profile +++ b/etc/mediainfo.profile @@ -9,6 +9,7 @@ blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mediathekview.profile b/etc/mediathekview.profile index 9eae27765..12956bab6 100644 --- a/etc/mediathekview.profile +++ b/etc/mediathekview.profile @@ -16,8 +16,15 @@ noblacklist ${HOME}/.local/share/xplayer noblacklist ${HOME}/.mediathek3 noblacklist ${HOME}/.mplayer +# Allow access to java +noblacklist ${PATH}/java +noblacklist /usr/lib/java +noblacklist /etc/java +noblacklist /usr/share/java + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/midori.profile b/etc/midori.profile index 831f68864..2f7e238cb 100644 
--- a/etc/midori.profile +++ b/etc/midori.profile @@ -13,6 +13,7 @@ noblacklist ${HOME}/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/midori diff --git a/etc/minetest.profile b/etc/minetest.profile index c560ac47c..cdbf21935 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.minetest include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 0f0051c0a..a4a1ad599 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Mousepad include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mpd.profile b/etc/mpd.profile index 7bfa47d77..a624ea091 100644 --- a/etc/mpd.profile +++ b/etc/mpd.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.mpdconf include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mplayer.profile b/etc/mplayer.profile index 58b94c171..8e8d224a9 100644 --- a/etc/mplayer.profile +++ b/etc/mplayer.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.mplayer include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mpv.profile b/etc/mpv.profile index dcd8b05e1..18233c31b 100644 
--- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -8,8 +8,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.netrc +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/multimc5.profile b/etc/multimc5.profile index 8a70d9d36..2b63c2032 100644 --- a/etc/multimc5.profile +++ b/etc/multimc5.profile @@ -10,8 +10,15 @@ noblacklist ${HOME}/.local/share/multimc noblacklist ${HOME}/.local/share/multimc5 noblacklist ${HOME}/.multimc5 +# Allow access to java +noblacklist ${PATH}/java +noblacklist /usr/lib/java +noblacklist /etc/java +noblacklist /usr/share/java + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mumble.profile b/etc/mumble.profile index e58dc93f4..f8a49eb13 100644 --- a/etc/mumble.profile +++ b/etc/mumble.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/data/Mumble include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mupdf.profile b/etc/mupdf.profile index af5859dbc..9ccdf60a8 100644 --- a/etc/mupdf.profile +++ b/etc/mupdf.profile @@ -7,6 +7,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index 2e3d7cfb8..a91b6753c 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/mupen64plus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc # you'll need to manually whitelist ROM files diff --git a/etc/musescore.profile b/etc/musescore.profile index 75f86c842..5b07a59da 100644 --- a/etc/musescore.profile +++ b/etc/musescore.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/data/MuseScore include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/mutt.profile b/etc/mutt.profile index 92567f10a..bc257f156 100644 --- a/etc/mutt.profile +++ b/etc/mutt.profile @@ -33,6 +33,7 @@ noblacklist ${HOME}/sent include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/natron.profile b/etc/natron.profile index cf01c862c..f6ebf2b65 100644 --- a/etc/natron.profile +++ b/etc/natron.profile @@ -12,6 +12,7 @@ noblacklist /opt/natron include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/nautilus.profile b/etc/nautilus.profile index 5ba0850fc..f1f565515 100644 --- a/etc/nautilus.profile +++ b/etc/nautilus.profile 
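Review bot: In the etc/mupen64plus.profile hunk the added line is a second `include /etc/firejail/disable-passwdmgr.inc`, placed directly after the existing one, so this profile never gains the interpreter blacklist that the sibling hunks add. It looks like a copy-paste slip; the added line should read `include /etc/firejail/disable-interpreters.inc` and sit after `include /etc/firejail/disable-devel.inc`, matching the order used in the other profiles. As written, the duplicate include adds nothing, and a sandboxed mupen64plus presumably still sees the interpreters this commit sets out to hide.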
@@ -13,8 +13,15 @@ noblacklist ${HOME}/.local/share/Trash noblacklist ${HOME}/.local/share/nautilus noblacklist ${HOME}/.local/share/nautilus-python +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/nemo.profile b/etc/nemo.profile index b11ad645a..962549a04 100644 --- a/etc/nemo.profile +++ b/etc/nemo.profile @@ -10,8 +10,15 @@ noblacklist ${HOME}/.local/share/Trash noblacklist ${HOME}/.local/share/nemo noblacklist ${HOME}/.local/share/nemo-python +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all diff --git a/etc/netsurf.profile b/etc/netsurf.profile index 6e8f02328..847e81999 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/netsurf include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/netsurf diff --git a/etc/neverball.profile b/etc/neverball.profile index 6a9a3a577..de8bb5d9d 100644 --- a/etc/neverball.profile +++ b/etc/neverball.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.neverball include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/nheko.profile b/etc/nheko.profile index d0d3ae612..fa9ce2e8b 100644 --- a/etc/nheko.profile +++ b/etc/nheko.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.cache/nheko/nheko include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/nylas.profile b/etc/nylas.profile index c2e1e1fdb..28305a203 100644 --- a/etc/nylas.profile +++ b/etc/nylas.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.nylas-mail include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/obs.profile b/etc/obs.profile index 187862752..9a0fab3f8 100644 --- a/etc/obs.profile +++ b/etc/obs.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/obs-studio include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile index c807a5399..32d51f478 100644 --- a/etc/odt2txt.profile +++ b/etc/odt2txt.profile @@ -9,6 +9,7 @@ blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/okular.profile b/etc/okular.profile index f1f0b2c7e..50b69ceaf 100644 --- a/etc/okular.profile +++ b/etc/okular.profile 
@@ -18,6 +18,7 @@ noblacklist ${HOME}/.local/share/okular include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/onionshare-gui.profile b/etc/onionshare-gui.profile index 8cbe5be7f..1c93ef9b9 100644 --- a/etc/onionshare-gui.profile +++ b/etc/onionshare-gui.profile @@ -7,8 +7,13 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/onionshare +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index 3c3609dae..5d331423e 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.openinvaders include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/openshot.profile b/etc/openshot.profile index b9eb29590..114580f1e 100644 --- a/etc/openshot.profile +++ b/etc/openshot.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.openshot_qt include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/orage.profile b/etc/orage.profile index 209c7e9db..8e218eb2d 100644 --- a/etc/orage.profile +++ b/etc/orage.profile 
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/orage include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/parole.profile b/etc/parole.profile index a8ce63e73..c659614e3 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile index 0dcd21549..83c1864e9 100644 --- a/etc/pcmanfm.profile +++ b/etc/pcmanfm.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/Trash include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc # include /etc/firejail/disable-programs.inc diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile old mode 100755 new mode 100644 index b4ccb6003..8da5869e3 --- a/etc/pdfchain.profile +++ b/etc/pdfchain.profile @@ -6,9 +6,10 @@ include /etc/firejail/pdfchain.local include /etc/firejail/globals.local include /etc/firejail/disable-common.inc -include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-var-common.inc diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile index 9b08dfd84..aa674419d 100644 --- a/etc/pdfmod.profile +++ b/etc/pdfmod.profile 
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/pdfmod include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile index 465f68fd6..a5d9c2d65 100644 --- a/etc/pdfsam.profile +++ b/etc/pdfsam.profile @@ -5,10 +5,18 @@ include /etc/firejail/pdfsam.local # Persistent global definitions include /etc/firejail/globals.local +# Allow access to java noblacklist ${HOME}/.java +# Allow access to java +noblacklist ${PATH}/java +noblacklist /usr/lib/java +noblacklist /etc/java +noblacklist /usr/share/java + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index a97063754..9e672d199 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -9,6 +9,7 @@ blacklist /tmp/.X11-unix include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/peek.profile b/etc/peek.profile index 7b7ab9470..5d5a32b8a 100644 --- a/etc/peek.profile +++ b/etc/peek.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.cache/peek include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/picard.profile b/etc/picard.profile index 8dc79b4ad..9e0d4ab55 100644 --- a/etc/picard.profile +++ b/etc/picard.profile 
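Review bot: The etc/pdfsam.profile hunk adds the comment `# Allow access to java` twice, once above the existing `noblacklist ${HOME}/.java` and again above the new `noblacklist ${PATH}/java` block. One comment is enough: drop the first and move `noblacklist ${HOME}/.java` into the block under the second. The mediathekview and multimc5 hunks carry the comment once, so this also keeps the profiles uniform.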
@@ -8,8 +8,13 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.cache/MusicBrainz noblacklist ${HOME}/.config/MusicBrainz +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pidgin.profile b/etc/pidgin.profile index d195cf586..ac2597a68 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.purple include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/ping.profile b/etc/ping.profile index f1c6d32d8..d014fb82c 100644 --- a/etc/ping.profile +++ b/etc/ping.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc include /etc/firejail/whitelist-common.inc diff --git a/etc/pingus.profile b/etc/pingus.profile index b287e7ee8..89247f847 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.pingus include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pinta.profile b/etc/pinta.profile index b51521ef7..73fabb95f 100644 --- a/etc/pinta.profile +++ b/etc/pinta.profile 
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Pinta include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pithos.profile b/etc/pithos.profile index f3949d3f1..c7eac0d53 100644 --- a/etc/pithos.profile +++ b/etc/pithos.profile @@ -5,11 +5,18 @@ include /etc/firejail/pithos.local # Persistent global definitions include /etc/firejail/globals.local +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc + include /etc/firejail/whitelist-common.inc caps.drop all diff --git a/etc/pitivi.profile b/etc/pitivi.profile index 6df03e042..1d7c4f721 100644 --- a/etc/pitivi.profile +++ b/etc/pitivi.profile @@ -8,8 +8,15 @@ include /etc/firejail/globals.local noblacklist ${HOME}/.config/pitivi +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/pix.profile b/etc/pix.profile index 9eca6f87e..ec495269d 100644 --- a/etc/pix.profile +++ b/etc/pix.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/playonlinux.profile b/etc/playonlinux.profile index 54dd4d5fd..1179a7a01 100644 --- a/etc/playonlinux.profile +++ b/etc/playonlinux.profile @@ -14,9 +14,17 @@ noblacklist ${HOME}/.PlayOnLinux # nc is needed to run playonlinux noblacklist ${PATH}/nc +# Allow access to perl +noblacklist ${PATH}/cpan* +noblacklist ${PATH}/core_perl +noblacklist ${PATH}/perl +noblacklist /usr/lib/perl* +noblacklist /usr/share/perl* + include /etc/firejail/disable-common.inc # playonlinux uses perl -# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc caps.drop all diff --git a/etc/pluma.profile b/etc/pluma.profile index d0acfeb1a..7a70c88ab 100644 --- a/etc/pluma.profile +++ b/etc/pluma.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/pluma include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/polari.profile b/etc/polari.profile index a990194c9..aba5ea57e 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/telepathy diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 8d2ace96a..6d7050b7a 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/psi+ include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 14a9e8adc..2017beee4 100644 
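Review bot: In the etc/playonlinux.profile hunk the comment `# playonlinux uses perl` now sits above an active `include /etc/firejail/disable-devel.inc`, where it used to explain why that include was commented out; it should move up to the new perl `noblacklist` block or be dropped. The new block also un-blacklists `${PATH}/cpan*`, which the ranger.profile hunk keeps commented out. Unless PlayOnLinux installs perl modules at run time, `# noblacklist ${PATH}/cpan*` would keep the module installer out of the sandbox. PlayOnLinux's launcher is a Python program as far as I know, so the profile probably also needs the python `noblacklist` lines used in the mpv.profile hunk ahead of `include /etc/firejail/disable-interpreters.inc`; that should be tested before merging.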
--- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -10,8 +10,15 @@ noblacklist ${HOME}/.config/qBittorrent noblacklist ${HOME}/.config/qBittorrentrc noblacklist ${HOME}/.local/share/data/qBittorrent +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qlipper.profile b/etc/qlipper.profile index 796015654..237cd240b 100644 --- a/etc/qlipper.profile +++ b/etc/qlipper.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Qlipper include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qpdfview.profile b/etc/qpdfview.profile index 36ce0cda6..e422d2196 100644 --- a/etc/qpdfview.profile +++ b/etc/qpdfview.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/qpdfview include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qtox.profile b/etc/qtox.profile index 648282db4..26697eeaa 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/tox include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/quassel.profile b/etc/quassel.profile index af0f723f1..6783d5a43 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile 
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc caps.drop all diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 94c64f2dd..c9e7f9089 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.local/share/QuiteRss include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index e59a94bf8..947689d96 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/qupzilla include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 43c2bf5c7..8849cc7b8 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -9,8 +9,15 @@ noblacklist ${HOME}/.cache/qutebrowser noblacklist ${HOME}/.config/qutebrowser noblacklist ${HOME}/.local/share/qutebrowser +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/qutebrowser diff --git a/etc/rambox.profile b/etc/rambox.profile index f17f1d202..afe9b41e7 100644 --- a/etc/rambox.profile +++ b/etc/rambox.profile 
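Review bot: The python block added to etc/qutebrowser.profile un-blacklists `python2*` as well as `python3*`, although qutebrowser runs on Python 3 only as far as I know. The onionshare-gui and picard hunks in this commit already limit themselves to `noblacklist ${PATH}/python3*` and `noblacklist /usr/lib/python3*`; doing the same here would keep the Python 2 interpreter and its library tree hidden from a browser sandbox. If userscripts that need Python 2 are a supported case, a comment saying so would justify the wider exception.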
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.config/Rambox diff --git a/etc/ranger.profile b/etc/ranger.profile index fd5bbf89c..94b282669 100644 --- a/etc/ranger.profile +++ b/etc/ranger.profile @@ -5,14 +5,15 @@ include /etc/firejail/ranger.local # Persistent global definitions include /etc/firejail/globals.local -# noblacklist /usr/bin/cpan* -noblacklist /usr/bin/perl +# noblacklist ${PATH}/cpan* +noblacklist ${PATH}/perl noblacklist /usr/lib/perl* noblacklist /usr/share/perl* noblacklist ${HOME}/.config/ranger include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/redeclipse.profile b/etc/redeclipse.profile index f0a993c54..536c7073c 100644 --- a/etc/redeclipse.profile +++ b/etc/redeclipse.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.redeclipse include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/remmina.profile b/etc/remmina.profile index cc209b84a..4cd93b567 100644 --- a/etc/remmina.profile +++ b/etc/remmina.profile @@ -12,6 +12,7 @@ noblacklist ${HOME}/.ssh include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index 6322f8217..38ccb886f 100644 --- a/etc/rhythmbox.profile +++ b/etc/rhythmbox.profile 
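Review bot: The etc/ranger.profile hunk adds `include /etc/firejail/disable-interpreters.inc` but un-blacklists only perl, while ranger itself is a Python program as far as I know. If disable-interpreters.inc blacklists python, as the comments in the other hunks say, the profile needs `noblacklist ${PATH}/python3*` and `noblacklist /usr/lib/python3*` above the includes, plus the python2 pair if that build is supported. Starting ranger under the new profile would confirm this before merging.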
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/ricochet.profile b/etc/ricochet.profile index 6da0e21d5..e23e7c756 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile @@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/Ricochet include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/ristretto.profile b/etc/ristretto.profile index 114bb30f4..7628d386f 100644 --- a/etc/ristretto.profile +++ b/etc/ristretto.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.steam include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 413ea1ac9..57e933467 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/scribus.profile b/etc/scribus.profile index f9f585a20..f3759ffc9 100644 --- a/etc/scribus.profile +++ b/etc/scribus.profile 
@@ -22,8 +22,15 @@ noblacklist ${HOME}/.local/share/okular noblacklist ${HOME}/.local/share/scribus noblacklist ${HOME}/.scribus +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile index 2f3d94f01..a0674acbc 100644 --- a/etc/sdat2img.profile +++ b/etc/sdat2img.profile @@ -6,8 +6,15 @@ include /etc/firejail/sdat2img.local # Persistent global definitions include /etc/firejail/globals.local +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 23072fc0f..423863cc2 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -11,6 +11,7 @@ noblacklist ${HOME}/.pki include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc mkdir ${HOME}/.cache/mozilla diff --git a/etc/server.profile b/etc/server.profile index 860e0056d..9cc906e55 100644 --- a/etc/server.profile +++ b/etc/server.profile @@ -17,6 +17,7 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +# include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc 
diff --git a/etc/shotcut.profile b/etc/shotcut.profile index 293a89ba3..d76c486ea 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Meltytech include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/signal-desktop.profile b/etc/signal-desktop.profile index 2cb2f644e..c52f45f31 100644 --- a/etc/signal-desktop.profile +++ b/etc/signal-desktop.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/Signal include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc diff --git a/etc/silentarmy.profile b/etc/silentarmy.profile index 88bf23158..c83c56798 100644 --- a/etc/silentarmy.profile +++ b/etc/silentarmy.profile @@ -8,6 +8,7 @@ include /etc/firejail/globals.local include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index a205024cc..02c7cc6ed 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile @@ -9,6 +9,7 @@ noblacklist ${HOME}/.cache/simple-scan include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc diff --git a/etc/simutrans.profile b/etc/simutrans.profile index adde3f8ce..41832011e 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile 
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.simutrans
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 4fa649654..0eb70e698 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/skype.profile b/etc/skype.profile
index b12f9879e..f08542079 100644
--- a/etc/skype.profile
+++ b/etc/skype.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.Skype
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/skypeforlinux.profile b/etc/skypeforlinux.profile
index ebfab3681..015709247 100644
--- a/etc/skypeforlinux.profile
+++ b/etc/skypeforlinux.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/skypeforlinux
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/slack.profile b/etc/slack.profile
index da1f86638..c198ddfdd 100644
--- a/etc/slack.profile
+++ b/etc/slack.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/Downloads
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 187b0674a..63c13ff37 100644
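Review bot: In etc/skype.profile the line right after the new include is a second `include /etc/firejail/disable-devel.inc`, and the visible include list has no `disable-passwdmgr.inc`, unlike skypeforlinux.profile and slack.profile in the same stretch. The duplicate looks like a long-standing typo for `include /etc/firejail/disable-passwdmgr.inc`. If so, password-manager data is not blacklisted for Skype. Since this commit edits the block anyway, it is a good place to correct that line.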
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.mplayer
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/smtube.profile b/etc/smtube.profile
index a8f57f07e..040a7c754 100644
--- a/etc/smtube.profile
+++ b/etc/smtube.profile
@@ -14,6 +14,7 @@ noblacklist ${HOME}/.local/share/vlc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index 1f64567ef..944417083 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/spotify.profile b/etc/spotify.profile
index dfd3bae7f..0d395fe9e 100644
--- a/etc/spotify.profile
+++ b/etc/spotify.profile
@@ -17,6 +17,7 @@ noblacklist ${HOME}/.local/share/spotify
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 22c37645d..4c473a9ad 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/sqlitebrowser
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/start-tor-browser.profile b/etc/start-tor-browser.profile
index e3e323616..e7eb01eb5 100644
--- a/etc/start-tor-browser.profile
+++ b/etc/start-tor-browser.profile
@@ -8,6 +8,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/steam.profile b/etc/steam.profile
index bcdea9bc7..e1e6fd0e1 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -26,6 +26,7 @@ noblacklist /sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/stellarium.profile b/etc/stellarium.profile
index 889a21a60..a174dcd42 100644
--- a/etc/stellarium.profile
+++ b/etc/stellarium.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.stellarium
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index 24f42c276..84083e9aa 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.local/share/supertux2
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/surf.profile b/etc/surf.profile
index b91c09885..46c4a363c 100644
--- a/etc/surf.profile
+++ b/etc/surf.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.surf
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.surf
diff --git a/etc/sylpheed.profile b/etc/sylpheed.profile
index c4d93a0e3..54edbd20d 100644
--- a/etc/sylpheed.profile
+++ b/etc/sylpheed.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.sylpheed-2.0
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index be9c2aa64..677920266 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.synfig
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/teamspeak3.profile b/etc/teamspeak3.profile
index 3e2c71a24..ad7564bb6 100644
--- a/etc/teamspeak3.profile
+++ b/etc/teamspeak3.profile
@@ -10,6 +10,7 @@ noblacklist ${PATH}/openssl
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/telegram.profile b/etc/telegram.profile
index ba5512ed3..db055a898 100644
--- a/etc/telegram.profile
+++ b/etc/telegram.profile
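Review bot: The etc/surf.profile hunk adds `include /etc/firejail/disable-passwdmgr.inc` rather than `disable-interpreters.inc`, so surf is the one profile in this stretch that does not receive the interpreter blacklist. Nothing in the hunk explains why. If the omission is deliberate, a comment such as `# disable-interpreters.inc omitted: <reason>` would stop a later cleanup from adding it blindly. If it is an oversight, add `include /etc/firejail/disable-interpreters.inc` after the disable-devel.inc line.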
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/TelegramDesktop
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
diff --git a/etc/terasology.profile b/etc/terasology.profile
index e671c4dc3..0a4067341 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/terasology
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/tilp.profile b/etc/tilp.profile
index a6165fbfe..a9cccbd7b 100644
--- a/etc/tilp.profile
+++ b/etc/tilp.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.tilp
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/tor.profile b/etc/tor.profile
index bd129ae29..5029cf9b1 100644
--- a/etc/tor.profile
+++ b/etc/tor.profile
@@ -18,6 +18,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/torbrowser-launcher.profile b/etc/torbrowser-launcher.profile
index c1f15fcbf..a63798731 100644
--- a/etc/torbrowser-launcher.profile
+++ b/etc/torbrowser-launcher.profile
@@ -8,8 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.config/torbrowser
 noblacklist ${HOME}/.local/share/torbrowser
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/totem.profile b/etc/totem.profile
index ad3845d90..fecf12a4c 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/totem
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/tracker.profile b/etc/tracker.profile
index f3dfb2d4e..fc58fc479 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -11,6 +11,7 @@ blacklist /tmp/.X11-unix
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
index 867716ab3..8b50859fc 100644
--- a/etc/transmission-cli.profile
+++ b/etc/transmission-cli.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index bedc8d370..6366aa89d 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index a8fb80fd8..added7067 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 575bf77dc..06b79effd 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/transmission
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/truecraft.profile b/etc/truecraft.profile
index 4e48f6c6b..1eb7b65ba 100644
--- a/etc/truecraft.profile
+++ b/etc/truecraft.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.config/truecraft
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index 1a426cbf6..b07c7c359 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -8,8 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.tuxguitar*
+# Allow access to java
+noblacklist ${PATH}/java
+noblacklist /usr/lib/java
+noblacklist /etc/java
+noblacklist /usr/share/java
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index a10b44fb1..2ab2d2652 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile
index 8fbc3b7e6..3c3c685e0 100644
--- a/etc/uget-gtk.profile
+++ b/etc/uget-gtk.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/uGet
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.config/uGet
diff --git a/etc/unbound.profile b/etc/unbound.profile
index 3735d1d3f..35bda2edc 100644
--- a/etc/unbound.profile
+++ b/etc/unbound.profile
@@ -12,6 +12,7 @@ noblacklist /usr/sbin
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/uzbl-browser.profile b/etc/uzbl-browser.profile
index 1070a6c2c..0a3549c97 100644
--- a/etc/uzbl-browser.profile
+++ b/etc/uzbl-browser.profile
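Review bot: The java exception in etc/tuxguitar.profile covers `${PATH}/java`, `/usr/lib/java`, `/etc/java` and `/usr/share/java`, but many distributions install the runtime under `/usr/lib/jvm`, which is not in the list. Whether that matters depends on what disable-interpreters.inc blacklists, and that file is not visible in this hunk. If it does cover the JVM directory, tuxguitar will fail to start and `noblacklist /usr/lib/jvm` is needed here. The header comment could also follow the wording of the python blocks: `# Allow java (blacklisted by disable-interpreters.inc)`.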
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.gnupg
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.config/uzbl
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 135147266..d867e0e05 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.steam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/viking.profile b/etc/viking.profile
index 30e89b511..fa87b915c 100644
--- a/etc/viking.profile
+++ b/etc/viking.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.viking-maps
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/vlc.profile b/etc/vlc.profile
index c8c84b992..6b0bee7bd 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/vlc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/vym.profile b/etc/vym.profile
index b73916b0f..f926bf1f4 100644
--- a/etc/vym.profile
+++ b/etc/vym.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/InSilmaril
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/w3m.profile b/etc/w3m.profile
index d35ed9ae0..59544f5b5 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.w3m
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile
index d8d68da64..e339b4100 100644
--- a/etc/warzone2100.profile
+++ b/etc/warzone2100.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.warzone2100-3.*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile
index d6318c81b..732b37df0 100644
--- a/etc/wesnoth.profile
+++ b/etc/wesnoth.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/wesnoth
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/wine.profile b/etc/wine.profile
index 266d05d0f..914a2225f 100644
--- a/etc/wine.profile
+++ b/etc/wine.profile
@@ -15,6 +15,7 @@ noblacklist /usr/lib/llvm*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 caps.drop all
diff --git a/etc/wire.profile b/etc/wire.profile
index fc25cbc1e..e43ba792e 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.config/wire
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/wireshark.profile b/etc/wireshark.profile
index ba717cfe5..5130a4e64 100644
--- a/etc/wireshark.profile
+++ b/etc/wireshark.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.wireshark
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 8493fe658..9e68ab17d 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xed.profile b/etc/xed.profile
index 5d46560b7..ded4f846d 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/xed
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
index fc90f67e2..b63e430f6 100644
--- a/etc/xfburn.profile
+++ b/etc/xfburn.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/xfburn
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xfce4-dict.profile b/etc/xfce4-dict.profile
index ab52d17e9..0be0b56a5 100644
--- a/etc/xfce4-dict.profile
+++ b/etc/xfce4-dict.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/xfce4-dict
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xfce4-notes.profile b/etc/xfce4-notes.profile
index 868b4796b..484b66722 100644
--- a/etc/xfce4-notes.profile
+++ b/etc/xfce4-notes.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.local/share/notes
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xiphos.profile b/etc/xiphos.profile
index d9b1a01b0..9358fe192 100644
--- a/etc/xiphos.profile
+++ b/etc/xiphos.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.xiphos
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xmms.profile b/etc/xmms.profile
index 717c81fd0..b3e567443 100644
--- a/etc/xmms.profile
+++ b/etc/xmms.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.xmms
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xmr-stak.profile b/etc/xmr-stak.profile
index 151a4c694..ec98d8557 100644
--- a/etc/xmr-stak.profile
+++ b/etc/xmr-stak.profile
@@ -10,6 +10,7 @@ noblacklist /usr/lib/llvm*
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xonotic.profile b/etc/xonotic.profile
index 7a466db9b..1d2493f36 100644
--- a/etc/xonotic.profile
+++ b/etc/xonotic.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.xonotic
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 9eeda4d29..e61e9f5a8 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 7e475bd58..5e37519f2 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/xplayer
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xpra.profile b/etc/xpra.profile
index 849bb9868..0535d85a5 100644
--- a/etc/xpra.profile
+++ b/etc/xpra.profile
@@ -15,8 +15,15 @@ include /etc/firejail/globals.local
 blacklist /media
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 1ddfad26f..c7bcb56a2 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -11,6 +11,7 @@ noblacklist ${HOME}/.config/xreader
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 26f9f0238..aa582a56a 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -12,6 +12,7 @@ noblacklist ${HOME}/.steam
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index d41591fd6..965517293 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -8,8 +8,15 @@ include /etc/firejail/globals.local
 noblacklist ${HOME}/.netrc
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/zaproxy.profile b/etc/zaproxy.profile
index 3cce79a2e..8e63014ce 100644
--- a/etc/zaproxy.profile
+++ b/etc/zaproxy.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.ZAP
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/zart.profile b/etc/zart.profile
index 60eb09c71..e7fb83b29 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -7,6 +7,7 @@ include /etc/firejail/globals.local
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 3edece779..b47aeb0da 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.local/share/zathura
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/zoom.profile b/etc/zoom.profile
index 061efb44d..419c25f18 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/zoomus.conf
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-interpreters.inc
 include /etc/firejail/disable-programs.inc
 mkdir ${HOME}/.zoom
-- cgit v1.2.3-54-g00ecf