From 3597df9bc04fe4ab6eb891d267b0a08121416018 Mon Sep 17 00:00:00 2001 
From: netblue30 Date: Tue, 31 May 2016 21:40:55 -0400 Subject: merged Various #542 pull request from Fred-Barclay --- etc/0ad.profile | 6 +++--- etc/Mathematica.profile | 2 +- etc/abrowser.profile | 13 ++++++------- etc/atril.profile | 8 ++++---- etc/audacious.profile | 4 ++-- etc/bitlbee.profile | 6 +++--- etc/brave.profile | 5 +++-- etc/cherrytree.profile | 9 +++++---- etc/clementine.profile | 4 ++-- etc/cmus.profile | 4 ++-- etc/conkeror.profile | 4 ++-- etc/corebird.profile | 4 ++-- etc/cyberfox.profile | 13 ++++++------- etc/deadbeef.profile | 4 ++-- etc/default.profile | 5 ++--- etc/deluge.profile | 4 ++-- etc/dillo.profile | 9 +++------ etc/disable-programs.inc | 1 + etc/dnsmasq.profile | 7 ++++--- etc/dropbox.profile | 4 ++-- etc/empathy.profile | 4 ++-- etc/epiphany.profile | 5 +++-- etc/evince.profile | 4 ++-- etc/fbreader.profile | 4 ++-- etc/filezilla.profile | 6 +++--- etc/firefox.profile | 14 ++++++-------- etc/flashpeak-slimjet.profile | 4 ++-- etc/gitter.profile | 13 +++++++++++++ etc/gnome-mplayer.profile | 4 ++-- etc/google-play-music-desktop-player.profile | 4 ++-- etc/gwenview.profile | 6 +++--- etc/hexchat.profile | 4 ++-- etc/kmail.profile | 4 ++-- etc/konversation.profile | 4 ++-- etc/lxterminal.profile | 4 ++-- etc/mcabber.profile | 4 ++-- etc/midori.profile | 4 ++-- etc/mupen64plus.profile | 4 ++-- etc/netsurf.profile | 9 +++------ etc/okular.profile | 8 ++++---- etc/openbox.profile | 5 ++--- etc/palemoon.profile | 12 ++++++------ etc/parole.profile | 4 ++-- etc/pidgin.profile | 4 ++-- etc/polari.profile | 7 +++---- etc/psi-plus.profile | 4 ++-- etc/qbittorrent.profile | 4 ++-- etc/qtox.profile | 4 ++-- etc/quassel.profile | 4 ++-- etc/quiterss.profile | 13 +++++++------ etc/qutebrowser.profile | 6 +++--- etc/rhythmbox.profile | 6 +++--- etc/rtorrent.profile | 4 ++-- etc/seamonkey.profile | 13 ++++++------- etc/skype.profile | 2 +- etc/spotify.profile | 9 ++++----- etc/ssh.profile | 4 ++-- etc/steam.profile | 2 +- etc/telegram.profile | 6 
+++--- etc/totem.profile | 4 ++-- etc/transmission-gtk.profile | 6 +++--- etc/transmission-qt.profile | 6 +++--- etc/uget-gtk.profile | 4 ++-- etc/vlc.profile | 6 +++--- etc/weechat.profile | 5 ++--- etc/wesnoth.profile | 4 ++-- etc/xchat.profile | 4 ++-- etc/xplayer.profile | 6 +++--- etc/xreader.profile | 8 ++++---- etc/xviewer.profile | 6 +++--- 70 files changed, 202 insertions(+), 199 deletions(-) create mode 100644 etc/gitter.profile (limited to 'etc') diff --git a/etc/0ad.profile b/etc/0ad.profile index e6540fb5d..3797ae5cd 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc # Call these options caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog noroot nonewprivs +protocol unix,inet,inet6,netlink +seccomp +tracelog # Whitelists noblacklist ~/.cache/0ad diff --git a/etc/Mathematica.profile b/etc/Mathematica.profile index 75dbebcf0..e719f070f 100644 --- a/etc/Mathematica.profile +++ b/etc/Mathematica.profile @@ -15,6 +15,6 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp nonewprivs noroot +seccomp diff --git a/etc/abrowser.profile b/etc/abrowser.profile index 6a06ce76b..65247e7d3 100644 --- a/etc/abrowser.profile +++ b/etc/abrowser.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla 
@@ -41,13 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/atril.profile b/etc/atril.profile index b55f99cdd..8ee7da173 100644 --- a/etc/atril.profile +++ b/etc/atril.profile @@ -7,10 +7,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -tracelog -netfilter nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/audacious.profile b/etc/audacious.profile index 0a1598dee..e5275213c 100644 --- a/etc/audacious.profile +++ b/etc/audacious.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/bitlbee.profile b/etc/bitlbee.profile index b7ccd132e..e63802c8a 100644 --- a/etc/bitlbee.profile +++ b/etc/bitlbee.profile @@ -4,9 +4,9 @@ noblacklist /usr/sbin include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc -protocol unix,inet,inet6 +netfilter +nonewprivs private private-dev +protocol unix,inet,inet6 seccomp -netfilter -nonewprivs diff --git a/etc/brave.profile b/etc/brave.profile index 24a0a31c9..4c42e9faa 100644 --- a/etc/brave.profile +++ b/etc/brave.profile 
@@ -6,10 +6,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter +nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp whitelist ${DOWNLOADS} diff --git a/etc/cherrytree.profile b/etc/cherrytree.profile index b3a34fc9a..bc6fe1d86 100644 --- a/etc/cherrytree.profile +++ b/etc/cherrytree.profile @@ -15,11 +15,12 @@ mkdir ~/.local/share whitelist ${HOME}/.local/share/ caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot -include /etc/firejail/whitelist-common.inc nosound +seccomp +protocol unix,inet,inet6,netlink +tracelog + +include /etc/firejail/whitelist-common.inc diff --git a/etc/clementine.profile b/etc/clementine.profile index fb9dca2a9..5ce085358 100644 --- a/etc/clementine.profile +++ b/etc/clementine.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/cmus.profile b/etc/cmus.profile index 16b9c112d..2e2a6940c 100644 --- a/etc/cmus.profile +++ b/etc/cmus.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp private-bin cmus private-etc group diff --git a/etc/conkeror.profile b/etc/conkeror.profile index 0a7966e4b..e82eeec4c 100644 --- a/etc/conkeror.profile +++ b/etc/conkeror.profile @@ -4,11 +4,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp whitelist ~/.conkeror.mozdev.org whitelist ~/Downloads diff --git a/etc/corebird.profile b/etc/corebird.profile index f3f73a44f..077ae30d0 100644 --- a/etc/corebird.profile 
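Review bot: The `+nonewprivs` line in the etc/brave.profile hunk, between `netfilter` and `noroot`, is a functional change inside a commit that otherwise reads as a re-ordering of options, and neither the subject line nor the profile mentions it. With `nonewprivs` set, a setuid helper can no longer gain privileges inside the sandbox. If Brave ships one, as Chromium-derived browsers commonly do, its own sandbox may fail or degrade, so a launch test on the new profile is worth recording. I would either move the addition into its own commit or note it in the profile, e.g. `# nonewprivs: added in #542, confirmed Brave still starts`.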
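Review bot: In the etc/cherrytree.profile hunk the re-added lines put `seccomp` before `protocol unix,inet,inet6,netlink`, while the other profiles re-sorted in this commit list `protocol` first and `seccomp` after it. The etc/konversation.profile hunk has the same inversion, and etc/xviewer.profile keeps `noroot` ahead of `nonewprivs`. The order probably makes no difference to the resulting sandbox, so this is a consistency point only. A fixed order makes a missing hardening option easy to spot when profiles are compared side by side; for cherrytree that means `protocol unix,inet,inet6,netlink`, then `seccomp`, then `tracelog`.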
+++ b/etc/corebird.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile index c5fb25e9a..0035b6be6 100644 --- a/etc/cyberfox.profile +++ b/etc/cyberfox.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.8pecxstudios @@ -41,13 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/deadbeef.profile b/etc/deadbeef.profile index 9225ca16e..04abd0a92 100644 --- a/etc/deadbeef.profile +++ b/etc/deadbeef.profile @@ -7,7 +7,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/default.profile b/etc/default.profile index d836a9f5d..a2de72695 100644 --- a/etc/default.profile +++ b/etc/default.profile @@ -8,9 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc #blacklist ${HOME}/.wine caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot - +protocol unix,inet,inet6 +seccomp diff --git a/etc/deluge.profile b/etc/deluge.profile index f7a2b98e4..277ecc15e 100644 --- a/etc/deluge.profile 
+++ b/etc/deluge.profile @@ -6,9 +6,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/dillo.profile b/etc/dillo.profile index 392000ade..2ddd363cb 100644 --- a/etc/dillo.profile +++ b/etc/dillo.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6 +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.dillo @@ -21,6 +21,3 @@ mkdir ~/.fltk whitelist ~/.fltk include /etc/firejail/whitelist-common.inc - - - diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 633f9c548..1f86a0ebe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -65,6 +65,7 @@ blacklist ${HOME}/.config/xchat blacklist ${HOME}/.Skype blacklist ${HOME}/.config/tox blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.config/Gitter # Games blacklist ${HOME}/.hedgewars diff --git a/etc/dnsmasq.profile b/etc/dnsmasq.profile index 4459c40dd..6b199c34b 100644 --- a/etc/dnsmasq.profile +++ b/etc/dnsmasq.profile @@ -5,10 +5,11 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-devel.inc + caps -seccomp -protocol unix,inet,inet6,netlink netfilter +nonewprivs private private-dev -nonewprivs +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/dropbox.profile b/etc/dropbox.profile index 568ab230a..2427c6af8 100644 --- a/etc/dropbox.profile +++ b/etc/dropbox.profile @@ -4,7 +4,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp 
diff --git a/etc/empathy.profile b/etc/empathy.profile index c08398e84..371100814 100644 --- a/etc/empathy.profile +++ b/etc/empathy.profile @@ -4,7 +4,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs +protocol unix,inet,inet6 +seccomp diff --git a/etc/epiphany.profile b/etc/epiphany.profile index 7783a05fd..57191429a 100644 --- a/etc/epiphany.profile +++ b/etc/epiphany.profile @@ -19,8 +19,9 @@ mkdir ${HOME}/.cache mkdir ${HOME}/.cache/epiphany whitelist ${HOME}/.cache/epiphany include /etc/firejail/whitelist-common.inc + caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs +protocol unix,inet,inet6 +seccomp diff --git a/etc/evince.profile b/etc/evince.profile index 3c883d43c..8c84a1daa 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/fbreader.profile b/etc/fbreader.profile index 7764a48c9..c4d84691c 100644 --- a/etc/fbreader.profile +++ b/etc/fbreader.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/filezilla.profile b/etc/filezilla.profile index 1ab08b568..3cb4890e2 100644 --- a/etc/filezilla.profile +++ b/etc/filezilla.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/firefox.profile b/etc/firefox.profile index 6796ef7c4..2cc4d3cd8 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile 
@@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla @@ -41,14 +41,12 @@ whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 include /etc/firejail/whitelist-common.inc # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - - diff --git a/etc/flashpeak-slimjet.profile b/etc/flashpeak-slimjet.profile index 77a95aa17..f248c385a 100644 --- a/etc/flashpeak-slimjet.profile +++ b/etc/flashpeak-slimjet.profile @@ -15,11 +15,11 @@ include /etc/firejail/disable-programs.inc # caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/gitter.profile b/etc/gitter.profile new file mode 100644 index 000000000..0c2bd1353 --- /dev/null +++ b/etc/gitter.profile @@ -0,0 +1,13 @@ +# Firejail profile for Gitter +noblacklist ~/.config/Gitter + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/gnome-mplayer.profile b/etc/gnome-mplayer.profile index 010b19613..f15778534 100644 --- a/etc/gnome-mplayer.profile +++ b/etc/gnome-mplayer.profile 
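Review bot: The new etc/gitter.profile sets `caps.drop all`, `netfilter`, `noroot`, `protocol` and `seccomp` but has no `nonewprivs`, which most of the profiles touched by this commit carry next to `noroot`. If the omission is deliberate (for example because the application needs a setuid helper), say so in the file with a comment such as `# nonewprivs omitted: <reason>`; otherwise add `nonewprivs` after `netfilter`. The profile also has no `whitelist` entries, so the home directory is limited only by the included disable-*.inc blacklists. A `mkdir ~/.config/Gitter` / `whitelist ~/.config/Gitter` pair followed by `include /etc/firejail/whitelist-common.inc`, as the browser profiles do, would confine it further if Gitter needs nothing else under the home directory.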
@@ -5,7 +5,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/google-play-music-desktop-player.profile b/etc/google-play-music-desktop-player.profile index fe2f79901..b4cf8d9ac 100644 --- a/etc/google-play-music-desktop-player.profile +++ b/etc/google-play-music-desktop-player.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink nonewprivs noroot netfilter +protocol unix,inet,inet6,netlink +seccomp #whitelist ~/.pulse #whitelist ~/.config/pulse diff --git a/etc/gwenview.profile b/etc/gwenview.profile index 87523d825..65cc084e6 100644 --- a/etc/gwenview.profile +++ b/etc/gwenview.profile @@ -5,16 +5,16 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc + caps.drop all -seccomp -protocol unix nonewprivs noroot nogroups private-dev +protocol unix +seccomp #Experimental: #shell none #private-bin gwenview #private-etc X11 - diff --git a/etc/hexchat.profile b/etc/hexchat.profile index 3eb350660..a584d25c5 100644 --- a/etc/hexchat.profile +++ b/etc/hexchat.profile @@ -7,11 +7,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp mkdir ~/.config mkdir ~/.config/hexchat diff --git a/etc/kmail.profile b/etc/kmail.profile index a47945bc6..44a53e258 100644 --- a/etc/kmail.profile +++ b/etc/kmail.profile @@ -7,9 +7,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp tracelog 
diff --git a/etc/konversation.profile b/etc/konversation.profile index d10decb8f..190061618 100644 --- a/etc/konversation.profile +++ b/etc/konversation.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +seccomp +protocol unix,inet,inet6 diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile index b6acf2587..d1d0b8a0d 100644 --- a/etc/lxterminal.profile +++ b/etc/lxterminal.profile @@ -5,7 +5,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter +protocol unix,inet,inet6 +seccomp #noroot - somehow this breaks on Debian Jessie! diff --git a/etc/mcabber.profile b/etc/mcabber.profile index 1536194b2..6b236a9a7 100644 --- a/etc/mcabber.profile +++ b/etc/mcabber.profile @@ -8,11 +8,11 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol inet,inet6 netfilter nonewprivs noroot +protocol inet,inet6 +seccomp private-bin mcabber private-etc null diff --git a/etc/midori.profile b/etc/midori.profile index 568687058..c4055fa83 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile index c9a99bede..d4b442df8 100644 --- a/etc/mupen64plus.profile +++ b/etc/mupen64plus.profile @@ -16,8 +16,8 @@ mkdir ${HOME}/.config mkdir ${HOME}/.config/mupen64plus whitelist ${HOME}/.config/mupen64plus/ +caps.drop all +net none nonewprivs noroot -caps.drop all seccomp -net none diff --git a/etc/netsurf.profile b/etc/netsurf.profile index e01cace7f..3de6be238 100644 --- a/etc/netsurf.profile +++ b/etc/netsurf.profile 
@@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.config @@ -30,6 +30,3 @@ whitelist ~/.lastpass whitelist ~/.config/lastpass include /etc/firejail/whitelist-common.inc - - - diff --git a/etc/okular.profile b/etc/okular.profile index 5179da787..b1efc4753 100644 --- a/etc/okular.profile +++ b/etc/okular.profile @@ -6,17 +6,17 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc + caps.drop all -seccomp -protocol unix nonewprivs -noroot nogroups +noroot private-dev +protocol unix +seccomp #Experimental: #net none #shell none #private-bin okular,kbuildsycoca4,kbuildsycoca5 #private-etc X11 - diff --git a/etc/openbox.profile b/etc/openbox.profile index 6e2e5d6fd..f812768a1 100644 --- a/etc/openbox.profile +++ b/etc/openbox.profile @@ -5,8 +5,7 @@ include /etc/firejail/disable-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot - +protocol unix,inet,inet6 +seccomp diff --git a/etc/palemoon.profile b/etc/palemoon.profile index 4db9b7adc..a74954ddb 100644 --- a/etc/palemoon.profile +++ b/etc/palemoon.profile @@ -12,12 +12,12 @@ include /etc/firejail/whitelist-common.inc # Options caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.moonchild productions 
@@ -41,9 +41,9 @@ whitelist ~/.cache/moonchild productions/pale moon #whitelist ~/.pki # For silverlight -#whitelist ~/.wine-pipelight -#whitelist ~/.wine-pipelight64 -#whitelist ~/.config/pipelight-widevine +#whitelist ~/.wine-pipelight +#whitelist ~/.wine-pipelight64 +#whitelist ~/.config/pipelight-widevine #whitelist ~/.config/pipelight-silverlight5.1 diff --git a/etc/parole.profile b/etc/parole.profile index c0be0453b..1440a9ef7 100644 --- a/etc/parole.profile +++ b/etc/parole.profile @@ -8,9 +8,9 @@ private-etc passwd,group,fonts private-bin parole,dbus-launch caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp shell none diff --git a/etc/pidgin.profile b/etc/pidgin.profile index 767da5f55..091456d76 100644 --- a/etc/pidgin.profile +++ b/etc/pidgin.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/polari.profile b/etc/polari.profile index 7910f4e9b..366883c83 100644 --- a/etc/polari.profile +++ b/etc/polari.profile @@ -22,9 +22,8 @@ whitelist ${HOME}/.purple include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter - +protocol unix,inet,inet6 +seccomp diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile index 8194da74f..9380237be 100644 --- a/etc/psi-plus.profile +++ b/etc/psi-plus.profile @@ -21,7 +21,7 @@ whitelist ~/.cache/psi+ include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile index 858fdda4d..cbf898502 100644 --- a/etc/qbittorrent.profile +++ b/etc/qbittorrent.profile 
@@ -5,9 +5,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/qtox.profile b/etc/qtox.profile index ca34e932a..3a19efa3a 100644 --- a/etc/qtox.profile +++ b/etc/qtox.profile @@ -10,7 +10,7 @@ whitelist ${DOWNLOADS} include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/quassel.profile b/etc/quassel.profile index e68315c1c..f92dfeb9f 100644 --- a/etc/quassel.profile +++ b/etc/quassel.profile @@ -4,8 +4,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/quiterss.profile b/etc/quiterss.profile index 5ad7ead1a..3e5dde36e 100644 --- a/etc/quiterss.profile +++ b/etc/quiterss.profile @@ -16,15 +16,16 @@ mkdir ~/.cache/QuiteRss whitelist ${HOME}/.cache/QuiteRss caps.drop all -seccomp -protocol unix,inet,inet6 netfilter -tracelog nonewprivs -noroot nogroups -shell none -private-dev +noroot private-bin quiterss +private-dev #private-etc X11,ssl +protocol unix,inet,inet6 +seccomp +shell none +tracelog + include /etc/firejail/whitelist-common.inc diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile index 09d10b0bb..b590f0ef1 100644 --- a/etc/qutebrowser.profile +++ b/etc/qutebrowser.profile @@ -7,12 +7,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.config/qutebrowser diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile index ee0832863..0782a653d 100644 --- a/etc/rhythmbox.profile 
+++ b/etc/rhythmbox.profile @@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/rtorrent.profile b/etc/rtorrent.profile index 9ae2206c1..0be5e15d1 100644 --- a/etc/rtorrent.profile +++ b/etc/rtorrent.profile @@ -5,9 +5,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot nosound +protocol unix,inet,inet6 +seccomp diff --git a/etc/seamonkey.profile b/etc/seamonkey.profile index 886af0f67..9ce4164c1 100644 --- a/etc/seamonkey.profile +++ b/etc/seamonkey.profile @@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter -tracelog nonewprivs noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog whitelist ${DOWNLOADS} mkdir ~/.mozilla @@ -42,11 +42,10 @@ whitelist ~/.lastpass whitelist ~/.config/lastpass #silverlight -whitelist ~/.wine-pipelight -whitelist ~/.wine-pipelight64 -whitelist ~/.config/pipelight-widevine +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine whitelist ~/.config/pipelight-silverlight5.1 # experimental features #private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse - diff --git a/etc/skype.profile b/etc/skype.profile index 4c4a34980..9cbcd5117 100644 --- a/etc/skype.profile +++ b/etc/skype.profile @@ -8,5 +8,5 @@ caps.drop all netfilter nonewprivs noroot -seccomp protocol unix,inet,inet6 +seccomp diff --git a/etc/spotify.profile b/etc/spotify.profile index 1ee379dea..9ba25b818 100644 --- a/etc/spotify.profile +++ b/etc/spotify.profile 
@@ -7,8 +7,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc -# Whitelist the folders needed by Spotify - This is more restrictive -# than a blacklist though, but this is all spotify requires for +# Whitelist the folders needed by Spotify - This is more restrictive +# than a blacklist though, but this is all spotify requires for # streaming audio mkdir ${HOME}/.config mkdir ${HOME}/.config/spotify @@ -23,9 +23,8 @@ whitelist ${HOME}/.cache/spotify include /etc/firejail/whitelist-common.inc caps.drop all -seccomp -protocol unix,inet,inet6,netlink netfilter nonewprivs noroot - +protocol unix,inet,inet6,netlink +seccomp diff --git a/etc/ssh.profile b/etc/ssh.profile index 0c4621f66..a6d52c5a5 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -6,8 +6,8 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/steam.profile b/etc/steam.profile index ae5e93829..b15a54be9 100644 --- a/etc/steam.profile +++ b/etc/steam.profile @@ -10,5 +10,5 @@ caps.drop all netfilter nonewprivs noroot -seccomp protocol unix,inet,inet6 +seccomp diff --git a/etc/telegram.profile b/etc/telegram.profile index 62a0fa404..819cd8f3a 100644 --- a/etc/telegram.profile +++ b/etc/telegram.profile @@ -5,11 +5,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp whitelist ~/Downloads/Telegram Desktop mkdir ${HOME}/.TelegramDesktop diff --git a/etc/totem.profile b/etc/totem.profile index f2bce5dee..252b46979 100644 --- a/etc/totem.profile +++ b/etc/totem.profile 
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index e27873f88..5aef32d45 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -8,10 +8,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -tracelog nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index 2caa923d8..d8ab1c60d 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile @@ -8,10 +8,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -tracelog nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/uget-gtk.profile b/etc/uget-gtk.profile index 86e7be6fd..02c7f56bf 100644 --- a/etc/uget-gtk.profile +++ b/etc/uget-gtk.profile @@ -6,11 +6,11 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp whitelist ${DOWNLOADS} mkdir ~/.config diff --git a/etc/vlc.profile b/etc/vlc.profile index d26034748..f8eebd376 100644 --- a/etc/vlc.profile +++ b/etc/vlc.profile @@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/weechat.profile b/etc/weechat.profile index 11b5bd10f..6cfe58420 100644 --- a/etc/weechat.profile +++ b/etc/weechat.profile 
@@ -4,9 +4,8 @@ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc caps.drop all -seccomp -protocol unix,inet,inet6 netfilter nonewprivs noroot -netfilter +protocol unix,inet,inet6 +seccomp diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index 61a87d994..cd0c6406f 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -9,10 +9,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp private-dev diff --git a/etc/xchat.profile b/etc/xchat.profile index f4b273693..061c4f3da 100644 --- a/etc/xchat.profile +++ b/etc/xchat.profile @@ -6,7 +6,7 @@ include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc caps.drop all -seccomp -protocol unix,inet,inet6 nonewprivs noroot +protocol unix,inet,inet6 +seccomp diff --git a/etc/xplayer.profile b/etc/xplayer.profile index fb0e3c910..cd9cbed45 100644 --- a/etc/xplayer.profile +++ b/etc/xplayer.profile @@ -8,9 +8,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot +protocol unix,inet,inet6 +seccomp tracelog -netfilter diff --git a/etc/xreader.profile b/etc/xreader.profile index 267330c1f..2cf109f09 100644 --- a/etc/xreader.profile +++ b/etc/xreader.profile @@ -9,10 +9,10 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter nonewprivs noroot -tracelog -netfilter nosound +protocol unix,inet,inet6 +seccomp +tracelog diff --git a/etc/xviewer.profile b/etc/xviewer.profile index a0c91f0f3..51949526d 100644 --- a/etc/xviewer.profile +++ b/etc/xviewer.profile 
@@ -6,9 +6,9 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -seccomp -protocol unix,inet,inet6 +netfilter noroot nonewprivs +protocol unix,inet,inet6 +seccomp tracelog -netfilter -- cgit v1.2.3-54-g00ecf