From 327d3d815db6619cc81fa6858a8ca8667189f7b7 Mon Sep 17 00:00:00 2001 
From: startx2017 Date: Tue, 14 Aug 2018 08:04:40 -0400 Subject: merge 0.9.56-rc1 --- etc/Viber.profile | 2 +- etc/amarok.profile | 2 +- etc/ardour5.profile | 2 +- etc/arm.profile | 2 +- etc/beaker.profile | 19 ++++++++++++++++ etc/bibletime.profile | 2 +- etc/bitcoin-qt.profile | 2 +- etc/cmus.profile | 2 +- etc/curl.profile | 2 +- etc/digikam.profile | 2 +- etc/dino.profile | 2 +- etc/disable-programs.inc | 1 + etc/discord-common.profile | 4 ++-- etc/electrum.profile | 52 ++++++++++++++++++++++++++++++++++++++++++++ etc/elinks.profile | 2 +- etc/flameshot.profile | 2 +- etc/gitter.profile | 2 +- etc/gjs.profile | 2 +- etc/gnome-clocks.profile | 2 +- etc/gnome-maps.profile | 2 +- etc/gnome-music.profile | 2 +- etc/gnome-weather.profile | 2 +- etc/goobox.profile | 2 +- etc/gpredict.profile | 2 +- etc/lynx.profile | 2 +- etc/mate-dictionary.profile | 2 +- etc/mcabber.profile | 2 +- etc/minetest.profile | 2 +- etc/ms-office.profile | 2 +- etc/musixmatch.profile | 2 +- etc/parole.profile | 2 +- etc/ping.profile | 2 +- etc/ppsspp.profile | 2 +- etc/qbittorrent.profile | 2 +- etc/qtox.profile | 2 +- etc/qupzilla.profile | 2 +- etc/ricochet.profile | 2 +- etc/rview.profile | 10 +++++++++ etc/rvim.profile | 10 +++++++++ etc/seamonkey.profile | 2 +- etc/simple-scan.profile | 2 +- etc/slack.profile | 2 +- etc/spotify.profile | 2 +- etc/tor.profile | 2 +- etc/totem.profile | 5 +++-- etc/transmission-cli.profile | 2 +- etc/unknown-horizons.profile | 2 +- etc/vimcat.profile | 10 +++++++++ etc/vimdiff.profile | 10 +++++++++ etc/vimpager.profile | 10 +++++++++ etc/vimtutor.profile | 10 +++++++++ etc/wget.profile | 2 +- etc/wire-desktop.profile | 4 ++-- etc/wireshark.profile | 2 +- etc/xiphos.profile | 2 +- etc/xonotic.profile | 3 +-- etc/xplayer.profile | 2 +- etc/xviewer.profile | 2 +- etc/xxd.profile | 10 +++++++++ 59 files changed, 195 insertions(+), 53 deletions(-) create mode 100644 etc/beaker.profile create mode 100644 etc/electrum.profile create mode 100644 
etc/rview.profile create mode 100644 etc/rvim.profile create mode 100644 etc/vimcat.profile create mode 100644 etc/vimdiff.profile create mode 100644 etc/vimpager.profile create mode 100644 etc/vimtutor.profile create mode 100644 etc/xxd.profile (limited to 'etc') diff --git a/etc/Viber.profile b/etc/Viber.profile index 6a58da8c9..cb9d01e03 100644 --- a/etc/Viber.profile +++ b/etc/Viber.profile @@ -32,7 +32,7 @@ shell none disable-mnt private-bin sh,bash,dig,awk,Viber -private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies +private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf,pki,ca-certificates,crypto-policies,machine-id,asound.conf private-tmp noexec ${HOME} diff --git a/etc/amarok.profile b/etc/amarok.profile index aff78e210..c728ce4ab 100644 --- a/etc/amarok.profile +++ b/etc/amarok.profile @@ -29,5 +29,5 @@ shell none # private-bin amarok private-dev -# private-etc none +# private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/ardour5.profile b/etc/ardour5.profile index aaac62bc8..99649cc3f 100644 --- a/etc/ardour5.profile +++ b/etc/ardour5.profile @@ -35,7 +35,7 @@ shell none #private-bin sh,ardour4,ardour5,ardour5-copy-mixer,ardour5-export,ardour5-fix_bbtppq,grep,sed,ldd,nm private-cache private-dev -#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts +#private-etc pulse,X11,alternatives,ardour4,ardour5,fonts,machine-id,asound.conf private-tmp noexec ${HOME} diff --git a/etc/arm.profile b/etc/arm.profile index a89ee86cc..bebf05366 100644 --- a/etc/arm.profile +++ b/etc/arm.profile @@ -42,7 +42,7 @@ tracelog disable-mnt private-bin arm,tor,sh,bash,python*,ps,lsof,ldconfig private-dev -private-etc tor,passwd +private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} 
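Review bot: In etc/arm.profile the active `private-etc` line now also admits `ca-certificates,ssl,pki,crypto-policies`, and nothing visible in the hunk shows that arm reads the system TLS trust store. `private-etc` is an allowlist, so each entry should map to something the program actually needs; if these were added only for uniformity across profiles, the previous `private-etc tor,passwd` is the tighter setting. The same applies to the identical change in etc/tor.profile. If the entries are required, a one-line comment above the line, e.g. `# TLS trust store needed for <feature>`, would record why.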
diff --git a/etc/beaker.profile b/etc/beaker.profile new file mode 100644 index 000000000..9215576c7 --- /dev/null +++ b/etc/beaker.profile @@ -0,0 +1,19 @@ +# Firejail profile for beaker +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/beaker.local +# Persistent global definitions +include /etc/firejail/globals.local + +noblacklist ${HOME}/.config/Beaker Browser + +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc + +mkdir ${HOME}/.config/Beaker Browser +whitelist ${HOME}/.config/Beaker Browser +whitelist ${DOWNLOADS} +include /etc/firejail/whitelist-common.inc + +# Redirect +include /etc/firejail/electron.profile diff --git a/etc/bibletime.profile b/etc/bibletime.profile index b84e8186b..fef7474a9 100644 --- a/etc/bibletime.profile +++ b/etc/bibletime.profile @@ -38,5 +38,5 @@ tracelog # private-bin bibletime,qt5ct private-dev -private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id +private-etc fonts,resolv.conf,sword,sword.conf,passwd,machine-id,ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/bitcoin-qt.profile b/etc/bitcoin-qt.profile index 84c2c77de..efc11cc9c 100644 --- a/etc/bitcoin-qt.profile +++ b/etc/bitcoin-qt.profile @@ -40,7 +40,7 @@ tracelog private-bin bitcoin-qt private-dev # Causes problem with loading of libGL.so -#private-etc fonts +#private-etc fonts,ca-certificates,ssl,pki,crypto-policies # Works, but QT complains about OpenSSL a bit. #private-lib private-tmp diff --git a/etc/cmus.profile b/etc/cmus.profile index 3331bde22..a9f76ec80 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -26,4 +26,4 @@ seccomp shell none private-bin cmus -private-etc group +private-etc group,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies diff --git a/etc/curl.profile b/etc/curl.profile index 1d2515f51..d1a682e60 100644 --- a/etc/curl.profile +++ b/etc/curl.profile 
@@ -31,7 +31,7 @@ shell none # private-bin curl private-cache private-dev -# private-etc resolv.conf +# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/digikam.profile b/etc/digikam.profile index 2e1947419..b3b0de1bc 100644 --- a/etc/digikam.profile +++ b/etc/digikam.profile @@ -36,7 +36,7 @@ shell none # private-bin program # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device -# private-etc none +# private-etc ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/dino.profile b/etc/dino.profile index 5c9d44140..a39ec8931 100644 --- a/etc/dino.profile +++ b/etc/dino.profile @@ -35,7 +35,7 @@ shell none disable-mnt private-bin dino private-dev -# private-etc fonts # breaks server connection +# private-etc fonts,ca-certificates,ssl,pki,crypto-policies # breaks server connection private-tmp noexec ${HOME} diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6d5b45da8..d685fceed 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -46,6 +46,7 @@ blacklist ${HOME}/.config/0ad blacklist ${HOME}/.config/2048-qt blacklist ${HOME}/.config/Atom blacklist ${HOME}/.config/Audaciousrc +blacklist ${HOME}/.config/Beaker Browser blacklist ${HOME}/.config/Brackets blacklist ${HOME}/.config/Clementine blacklist ${HOME}/.config/Code diff --git a/etc/discord-common.profile b/etc/discord-common.profile index 9f0e02525..b835ce401 100644 --- a/etc/discord-common.profile +++ b/etc/discord-common.profile @@ -24,9 +24,9 @@ novideo protocol unix,inet,inet6,netlink seccomp -private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep +private-bin sh,xdg-mime,tr,sed,echo,head,cut,xdg-open,grep,egrep,bash,zsh private-dev -private-etc fonts,machine-id,localtime,ld.so.cache +private-etc fonts,machine-id,localtime,ld.so.cache,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} 
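Review bot: The `private-bin` line in etc/discord-common.profile now adds `bash` and `zsh` next to `sh`, which places two more full shells inside the sandbox, and no comment says what needs them. If the reason is a launcher script's interpreter line, list only the shell that script names and record it above `private-bin`, e.g. `# bash: needed by <script name>`. The rest of the profile is outside this hunk, so it is not visible whether `shell none` is set alongside this list.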
diff --git a/etc/electrum.profile b/etc/electrum.profile new file mode 100644 index 000000000..d611f3e61 --- /dev/null +++ b/etc/electrum.profile @@ -0,0 +1,52 @@ +# Firejail profile for electrum +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/electrum.local +# Persistent global definitions +include /etc/firejail/globals.local + +noblacklist ${HOME}/.electrum + +# Allow python (blacklisted by disable-interpreters.inc) +noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-interpreters.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-xdg.inc + +mkdir ${HOME}/.electrum +whitelist ${HOME}/.electrum +include /etc/firejail/whitelist-common.inc +include /etc/firejail/whitelist-var-common.inc + +caps.drop all +ipc-namespace +netfilter +no3d +#nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-bin electrum,python* +private-cache +private-dev +private-etc fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id +private-tmp + +noexec ${HOME} +noexec /tmp diff --git a/etc/elinks.profile b/etc/elinks.profile index 61fbab3cc..1da0360c7 100644 --- a/etc/elinks.profile +++ b/etc/elinks.profile @@ -34,5 +34,5 @@ tracelog # private-bin elinks private-cache private-dev -# private-etc none +# private-etc ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/flameshot.profile b/etc/flameshot.profile index 7c2bc8c11..8dbd74cc1 100644 --- a/etc/flameshot.profile +++ b/etc/flameshot.profile 
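Review bot: The new etc/electrum.profile ships `#nodbus` commented out with no reason given, while the neighbouring restrictions (`no3d`, `nosound`, `novideo`, `notv`) are all active. For a wallet profile, either enable `nodbus` or add a comment naming what breaks with it. Separately, `private-etc fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id` omits `resolv.conf`, which other network-facing profiles in this commit (gitter, gpredict, qtox) keep. If electrum uses the system resolver, name lookups may fail inside the sandbox, so this is worth testing and, if needed, changing to `private-etc fonts,dconf,ca-certificates,ssl,pki,crypto-policies,machine-id,resolv.conf`.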
@@ -33,7 +33,7 @@ shell none disable-mnt private-bin flameshot private-cache -private-etc fonts,ca-certificates,ld.so.conf,resolv.conf,ssl +private-etc fonts,ld.so.conf,resolv.conf,ca-certificates,ssl,pki,crypto-policies private-dev private-tmp diff --git a/etc/gitter.profile b/etc/gitter.profile index 2edbf8a4e..b5bedb66d 100644 --- a/etc/gitter.profile +++ b/etc/gitter.profile @@ -34,7 +34,7 @@ shell none disable-mnt private-bin bash,env,gitter -private-etc fonts,pulse,resolv.conf +private-etc fonts,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies private-opt Gitter private-dev private-tmp diff --git a/etc/gjs.profile b/etc/gjs.profile index 9d439782c..6110cb71e 100644 --- a/etc/gjs.profile +++ b/etc/gjs.profile @@ -32,5 +32,5 @@ tracelog # private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather private-dev -# private-etc fonts +# private-etc fonts,ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile index 4251f70ed..b0a6cf80e 100644 --- a/etc/gnome-clocks.profile +++ b/etc/gnome-clocks.profile @@ -32,7 +32,7 @@ tracelog disable-mnt # private-bin gnome-clocks private-dev -# private-etc fonts +# private-etc fonts,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile index da73d9450..b747743fc 100644 --- a/etc/gnome-maps.profile +++ b/etc/gnome-maps.profile @@ -35,7 +35,7 @@ tracelog disable-mnt # private-bin gjs gnome-maps private-dev -# private-etc fonts +# private-etc fonts,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile index 90fb9814f..15710b363 100644 --- a/etc/gnome-music.profile +++ b/etc/gnome-music.profile @@ -38,7 +38,7 @@ tracelog private-bin gnome-music,python* private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf private-tmp noexec ${HOME} 
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile index 28c9e6d86..f2c6acac5 100644 --- a/etc/gnome-weather.profile +++ b/etc/gnome-weather.profile @@ -36,7 +36,7 @@ tracelog disable-mnt # private-bin gjs gnome-weather private-dev -# private-etc fonts +# private-etc fonts,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/goobox.profile b/etc/goobox.profile index 5e5aad95b..ca92b1540 100644 --- a/etc/goobox.profile +++ b/etc/goobox.profile @@ -29,5 +29,5 @@ tracelog # private-bin goobox private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies # private-tmp diff --git a/etc/gpredict.profile b/etc/gpredict.profile index 51f384751..58f79ac14 100644 --- a/etc/gpredict.profile +++ b/etc/gpredict.profile @@ -31,7 +31,7 @@ tracelog private-bin gpredict private-dev -private-etc fonts,resolv.conf +private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/lynx.profile b/etc/lynx.profile index 0f4de2fee..3c70800be 100644 --- a/etc/lynx.profile +++ b/etc/lynx.profile @@ -32,5 +32,5 @@ tracelog # private-bin lynx private-cache private-dev -# private-etc none +# private-etc ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/mate-dictionary.profile b/etc/mate-dictionary.profile index 6c9ed4499..b0bd99519 100644 --- a/etc/mate-dictionary.profile +++ b/etc/mate-dictionary.profile @@ -35,7 +35,7 @@ shell none disable-mnt private-bin mate-dictionary -private-etc fonts,resolv.conf +private-etc fonts,resolv.conf,ca-certificates,ssl,pki,crypto-policies private-opt mate-dictionary private-dev private-tmp diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 860de3f0a..aee153110 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -28,4 +28,4 @@ shell none private-bin mcabber private-dev -private-etc null +private-etc ca-certificates,ssl,pki,crypto-policies 
diff --git a/etc/minetest.profile b/etc/minetest.profile index cdbf21935..6497fa9ba 100644 --- a/etc/minetest.profile +++ b/etc/minetest.profile @@ -34,7 +34,7 @@ disable-mnt private-bin minetest private-dev # private-etc needs to be updated, see #1702 -#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies +#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id private-tmp noexec ${HOME} diff --git a/etc/ms-office.profile b/etc/ms-office.profile index 49bc4ad37..cedc5eff4 100644 --- a/etc/ms-office.profile +++ b/etc/ms-office.profile @@ -36,7 +36,7 @@ tracelog disable-mnt private-bin bash,fonts,env,jak,ms-office,python*,sh -private-etc ca-certificates,resolv.conf,ssl +private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies private-dev private-tmp diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile index bc8965431..ba010d6a3 100644 --- a/etc/musixmatch.profile +++ b/etc/musixmatch.profile @@ -30,7 +30,7 @@ seccomp disable-mnt private-dev -private-etc none +private-etc machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies noexec ${HOME} noexec /tmp diff --git a/etc/parole.profile b/etc/parole.profile index f98703bd6..df8f8e194 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -26,4 +26,4 @@ shell none private-bin parole,dbus-launch private-cache -private-etc passwd,group,fonts +private-etc passwd,group,fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies diff --git a/etc/ping.profile b/etc/ping.profile index db5390a41..2b20bf8c9 100644 --- a/etc/ping.profile +++ b/etc/ping.profile 
@@ -40,7 +40,7 @@ private #private-bin has mammoth problems with execvp: "No such file or directory" private-dev # /etc/hosts is required in private-etc; however, just adding it to the list doesn't solve the problem! -#private-etc resolv.conf,hosts +#private-etc resolv.conf,hosts,ca-certificates,ssl,pki,crypto-policies private-tmp # memory-deny-write-execute is built using seccomp; nonewprivs will kill it diff --git a/etc/ppsspp.profile b/etc/ppsspp.profile index 073108464..3a40b6260 100644 --- a/etc/ppsspp.profile +++ b/etc/ppsspp.profile @@ -36,7 +36,7 @@ shell none # private-dev is disabled to allow controller support #private-dev -private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies +private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id private-opt ppsspp private-tmp diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 2017beee4..eb15ff445 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile @@ -51,7 +51,7 @@ shell none private-bin qbittorrent,python* private-dev -# private-etc X11,fonts,xdg,resolv.conf +# private-etc X11,fonts,xdg,resolv.conf,ca-certificates,ssl,pki,crypto-policies # private-lib - problems on Arch private-tmp diff --git a/etc/qtox.profile b/etc/qtox.profile index 26697eeaa..92a8bbf28 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -34,7 +34,7 @@ tracelog disable-mnt private-bin qtox -private-etc fonts,resolv.conf,ld.so.cache,localtime +private-etc fonts,resolv.conf,ld.so.cache,localtime,ca-certificates,ssl,pki,crypto-policies private-dev private-tmp diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 947689d96..e73e8a5e1 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile 
@@ -33,7 +33,7 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res # tracelog private-dev -# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies # private-tmp - interferes with the opening of downloaded files noexec ${HOME} diff --git a/etc/ricochet.profile b/etc/ricochet.profile index e23e7c756..2e2143a54 100644 --- a/etc/ricochet.profile +++ b/etc/ricochet.profile @@ -35,7 +35,7 @@ shell none disable-mnt private-bin ricochet,tor private-dev -#private-etc fonts,tor,X11,alternatives +#private-etc fonts,tor,X11,alternatives,ca-certificates,ssl,pki,crypto-policies noexec ${HOME} noexec /tmp diff --git a/etc/rview.profile b/etc/rview.profile new file mode 100644 index 000000000..90481b019 --- /dev/null +++ b/etc/rview.profile @@ -0,0 +1,10 @@ +# Firejail profile for rview +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/rview.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile diff --git a/etc/rvim.profile b/etc/rvim.profile new file mode 100644 index 000000000..1070e9376 --- /dev/null +++ b/etc/rvim.profile @@ -0,0 +1,10 @@ +# Firejail profile for rvim +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/rvim.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 423863cc2..365fd3a53 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile 
@@ -47,4 +47,4 @@ seccomp tracelog disable-mnt -# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse +# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile index 3e8a4e41b..a15576478 100644 --- a/etc/simple-scan.profile +++ b/etc/simple-scan.profile @@ -32,5 +32,5 @@ tracelog # private-bin simple-scan # private-dev -# private-etc fonts +# private-etc fonts,ca-certificates,ssl,pki,crypto-policies # private-tmp diff --git a/etc/slack.profile b/etc/slack.profile index 13106255b..91bf0a722 100644 --- a/etc/slack.profile +++ b/etc/slack.profile @@ -37,5 +37,5 @@ shell none disable-mnt private-bin slack,locale private-dev -private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies +private-etc asound.conf,ca-certificates,fonts,group,passwd,pulse,resolv.conf,ssl,ld.so.conf,ld.so.cache,localtime,pki,crypto-policies,machine-id private-tmp diff --git a/etc/spotify.profile b/etc/spotify.profile index 0688723c7..7f40d4399 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile @@ -46,7 +46,7 @@ tracelog disable-mnt private-bin spotify,bash,sh,zenity private-dev -private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf +private-etc fonts,group,ld.so.cache,machine-id,pulse,resolv.conf,ca-certificates,ssl,pki,crypto-policies private-opt spotify private-tmp diff --git a/etc/tor.profile b/etc/tor.profile index cbe932104..6bfc1c9a6 100644 --- a/etc/tor.profile +++ b/etc/tor.profile @@ -44,7 +44,7 @@ private private-bin tor,bash private-cache private-dev -private-etc tor,passwd +private-etc tor,passwd,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} 
diff --git a/etc/totem.profile b/etc/totem.profile index 3ac25440b..0acbc5127 100644 --- a/etc/totem.profile +++ b/etc/totem.profile @@ -31,9 +31,10 @@ seccomp shell none private-bin totem -private-cache +# totem needs access to ~/.cache/tracker or it exits +#private-cache private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 8b50859fc..849f9ed49 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile @@ -30,7 +30,7 @@ tracelog # private-bin transmission-cli private-dev -private-etc none +private-etc ca-certificates,ssl,pki,crypto-policies private-tmp memory-deny-write-execute diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index 34c148ee9..985998382 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile @@ -27,5 +27,5 @@ shell none # private-bin unknown-horizons private-dev -# private-etc none +# private-etc ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/vimcat.profile b/etc/vimcat.profile new file mode 100644 index 000000000..5067c2fd1 --- /dev/null +++ b/etc/vimcat.profile @@ -0,0 +1,10 @@ +# Firejail profile for vimcat +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/vimcat.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile diff --git a/etc/vimdiff.profile b/etc/vimdiff.profile new file mode 100644 index 000000000..f89a2c112 --- /dev/null +++ b/etc/vimdiff.profile @@ -0,0 +1,10 @@ +# Firejail profile for vimdiff +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/vimdiff.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile 
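Review bot: Commenting out `private-cache` in etc/totem.profile makes the whole of `~/.cache` visible to totem in order to reach one directory, `~/.cache/tracker`. Whatever the included disable-*.inc files still blacklist is outside this hunk. The added comment explains the breakage but not the cost, so extend it, e.g. `# totem needs access to ~/.cache/tracker or it exits; this leaves the rest of ~/.cache visible`. That wording lets a later maintainer see what to restore once a narrower rule is available.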
diff --git a/etc/vimpager.profile b/etc/vimpager.profile new file mode 100644 index 000000000..8bc7cc26a --- /dev/null +++ b/etc/vimpager.profile @@ -0,0 +1,10 @@ +# Firejail profile for vimpager +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/vimpager.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile diff --git a/etc/vimtutor.profile b/etc/vimtutor.profile new file mode 100644 index 000000000..83851d37e --- /dev/null +++ b/etc/vimtutor.profile @@ -0,0 +1,10 @@ +# Firejail profile for vimtutor +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/vimtutor.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile diff --git a/etc/wget.profile b/etc/wget.profile index a16d770f2..c509faecc 100644 --- a/etc/wget.profile +++ b/etc/wget.profile @@ -32,7 +32,7 @@ shell none # private-bin wget private-dev -# private-etc resolv.conf +# private-etc resolv.conf,ca-certificates,ssl,pki,crypto-policies # private-tmp noexec ${HOME} diff --git a/etc/wire-desktop.profile b/etc/wire-desktop.profile index e65cfc43c..64d2cefd5 100644 --- a/etc/wire-desktop.profile +++ b/etc/wire-desktop.profile @@ -33,8 +33,8 @@ shell none # Note: The current version of Wire is located in /opt/wire-desktop/wire-desktop, and therefore # it is not in PATH. To use Wire with firejail, run "firejail /opt/wire-desktop/wire-desktop" +disable-mnt private-bin wire-desktop private-dev -private-etc fonts,machine-id,resolv.conf -disable-mnt +private-etc fonts,machine-id,resolv.conf,ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/wireshark.profile b/etc/wireshark.profile index 2b597ba35..d45198f6a 100644 --- a/etc/wireshark.profile +++ b/etc/wireshark.profile 
@@ -42,7 +42,7 @@ tracelog # private-bin wireshark private-dev -# private-etc fonts,group,hosts,machine-id,passwd +# private-etc fonts,group,hosts,machine-id,passwd,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/xiphos.profile b/etc/xiphos.profile index 9358fe192..14aced0d9 100644 --- a/etc/xiphos.profile +++ b/etc/xiphos.profile @@ -36,5 +36,5 @@ tracelog private-bin xiphos private-dev -private-etc fonts,resolv.conf,sword +private-etc fonts,resolv.conf,sword,ca-certificates,ssl,pki,crypto-policies private-tmp diff --git a/etc/xonotic.profile b/etc/xonotic.profile index 1d2493f36..a5cfa7513 100644 --- a/etc/xonotic.profile +++ b/etc/xonotic.profile @@ -33,8 +33,7 @@ shell none disable-mnt private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl private-dev -# private-etc breaks audio on some distros -#private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies +private-etc asound.conf,ca-certificates,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,nsswitch.conf,passwd,pulse,resolv.conf,ssl,pki,crypto-policies,machine-id private-tmp noexec ${HOME} diff --git a/etc/xplayer.profile b/etc/xplayer.profile index 46579ead8..f51362b6b 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -39,7 +39,7 @@ tracelog private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer private-dev -# private-etc fonts +# private-etc fonts,machine-id,pulse,asound.conf,ca-certificates,ssl,pki,crypto-policies private-tmp noexec ${HOME} diff --git a/etc/xviewer.profile b/etc/xviewer.profile index aa582a56a..7ecc1ca0b 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile 
@@ -37,7 +37,7 @@ tracelog private-bin xviewer private-dev -private-etc fonts +#private-etc fonts private-lib private-tmp diff --git a/etc/xxd.profile b/etc/xxd.profile new file mode 100644 index 000000000..59dac5a91 --- /dev/null +++ b/etc/xxd.profile @@ -0,0 +1,10 @@ +# Firejail profile for xxd +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/xxd.local +# Persistent global definitions +include /etc/firejail/globals.local + + +# Redirect +include /etc/firejail/vim.profile -- cgit v1.2.3-54-g00ecf
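Review bot: etc/xviewer.profile turns the active `private-etc fonts` into `#private-etc fonts` with no explanation, so the sandboxed viewer now sees the host's full /etc. Other profiles in this commit (mcabber, musixmatch, xonotic) keep or re-enable the option by extending the list. If xviewer needs more files, prefer adding them over disabling the restriction. If it has to stay off, add a comment above it in the style used for totem in this commit, e.g. `# private-etc breaks <symptom>`.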