From 7a37dc31ab907d55eb88f2fa259f37046952a0c5 Mon Sep 17 00:00:00 2001 
From: smitsohu Date: Wed, 28 Mar 2018 01:20:21 +0200 Subject: recalibrate dbus access, deploy nodbus option see #1822 and #1825. also systematically replaces 'blacklist /run/user/*/bus' with 'nodbus'. with contributions from @Fred-Barclay --- etc/7z.profile | 2 +- etc/apktool.profile | 3 +-- etc/ardour5.profile | 3 +-- etc/ark.profile | 3 +-- etc/asunder.profile | 1 + etc/atom.profile | 2 -- etc/atril.profile | 2 +- etc/audacious.profile | 1 + etc/audacity.profile | 5 ++--- etc/baobab.profile | 3 +-- etc/bleachbit.profile | 3 +-- etc/bless.profile | 3 +-- etc/bluefish.profile | 3 +-- etc/calligra.profile | 3 +-- etc/catfish.profile | 2 -- etc/chromium-common.profile | 4 ++++ etc/cin.profile | 3 +-- etc/clamav.profile | 3 +-- etc/cpio.profile | 2 +- etc/default.profile | 1 + etc/dex2jar.profile | 3 +-- etc/dia.profile | 3 +-- etc/digikam.profile | 1 + etc/display.profile | 3 +-- etc/ebook-viewer.profile | 3 +-- etc/engrampa.profile | 8 +++++--- etc/eog.profile | 7 ++++--- etc/eom.profile | 7 ++++--- etc/etr.profile | 3 +-- etc/evince.profile | 3 +-- etc/exiftool.profile | 2 +- etc/feh.profile | 3 +-- etc/ffmpeg.profile | 3 +-- etc/file-roller.profile | 8 +++++--- etc/file.profile | 2 +- etc/freecad.profile | 3 +-- etc/frozen-bubble.profile | 3 +-- etc/galculator.profile | 3 +-- etc/gedit.profile | 8 +++++--- etc/gimp.profile | 3 +-- etc/gnome-calculator.profile | 5 ++++- etc/gpicview.profile | 3 +-- etc/gwenview.profile | 4 ++-- etc/gzip.profile | 2 +- etc/handbrake.profile | 1 + etc/hashcat.profile | 3 +-- etc/highlight.profile | 2 +- etc/hugin.profile | 3 +-- etc/imagej.profile | 3 +-- etc/img2txt.profile | 3 +-- etc/inkscape.profile | 3 ++- etc/jd-gui.profile | 3 +-- etc/kate.profile | 5 ++--- etc/kcalc.profile | 3 +++ etc/kdenlive.profile | 2 +- etc/keepassx.profile | 2 -- etc/keepassxc.profile | 3 +-- etc/krita.profile | 2 +- etc/kwrite.profile | 3 +-- etc/less.profile | 2 +- etc/libreoffice.profile | 1 + etc/lmms.profile | 3 +-- etc/macrofusion.profile | 3 +-- 
 etc/mate-calc.profile | 3 +--
 etc/mediainfo.profile | 2 +-
 etc/meld.profile | 3 +--
 etc/mpv.profile | 1 +
 etc/mupdf.profile | 3 +--
 etc/mupen64plus.profile | 3 +--
 etc/natron.profile | 3 +--
 etc/odt2txt.profile | 2 +-
 etc/okular.profile | 3 +--
 etc/open-invaders.profile | 3 +--
 etc/openshot.profile | 1 +
 etc/pcmanfm.profile | 3 +--
 etc/pdfchain.profile | 4 +---
 etc/pdfmod.profile | 3 +--
 etc/pdfsam.profile | 3 +--
 etc/pdftotext.profile | 2 +-
 etc/peek.profile | 3 +--
 etc/pingus.profile | 3 +--
 etc/pinta.profile | 3 +--
 etc/pluma.profile | 8 +++++---
 etc/qbittorrent.profile | 1 +
 etc/ranger.profile | 3 +--
 etc/rhythmbox.profile | 3 +++
 etc/scribus.profile | 6 ++++--
 etc/sdat2img.profile | 3 +--
 etc/shotcut.profile | 3 +--
 etc/simutrans.profile | 3 +--
 etc/skanlite.profile | 3 +--
 etc/smplayer.profile | 1 +
 etc/sqlitebrowser.profile | 3 +--
 etc/strings.profile | 2 +-
 etc/supertux2.profile | 3 +--
 etc/synfigstudio.profile | 3 +--
 etc/tar.profile | 2 +-
 etc/terasology.profile | 3 +--
 etc/totem.profile | 3 +++
 etc/transmission-gtk.profile | 1 +
 etc/transmission-qt.profile | 1 +
 etc/transmission-show.profile | 3 +--
 etc/uefitool.profile | 3 +--
 etc/unrar.profile | 2 +-
 etc/unzip.profile | 2 +-
 etc/uudeview.profile | 3 +--
 etc/viewnior.profile | 2 +-
 etc/vlc.profile | 1 +
 etc/x-terminal-emulator.profile | 3 +--
 etc/xcalc.profile | 3 +--
 etc/xed.profile | 8 +++++---
 etc/xpdf.profile | 3 +--
 etc/xplayer.profile | 4 ++++
 etc/xreader.profile | 1 +
 etc/xviewer.profile | 8 +++++---
 etc/xzdec.profile | 2 +-
 etc/zart.profile | 3 +--
 etc/zathura.profile | 4 ++--
 118 files changed, 168 insertions(+), 188 deletions(-)
 (limited to 'etc')
diff --git a/etc/7z.profile b/etc/7z.profile
index ededacbbe..0330e4dbf 100644
--- a/etc/7z.profile
+++ b/etc/7z.profile
@@ -6,12 +6,12 @@ include /etc/firejail/7z.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/apktool.profile b/etc/apktool.profile
index bbf91c264..d5063d79b 100644
--- a/etc/apktool.profile
+++ b/etc/apktool.profile
@@ -6,8 +6,6 @@ include /etc/firejail/apktool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ardour5.profile b/etc/ardour5.profile
index 1f2228544..cf72561da 100644
--- a/etc/ardour5.profile
+++ b/etc/ardour5.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ardour5.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/ardour4
 noblacklist ${HOME}/.config/ardour5
 noblacklist ${HOME}/.lv2
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ark.profile b/etc/ark.profile
index beeb652cf..8e156df0f 100644
--- a/etc/ark.profile
+++ b/etc/ark.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ark.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/arkrc
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ apparmor
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/asunder.profile b/etc/asunder.profile
index 0fbc3a158..7d643877f 100644
--- a/etc/asunder.profile
+++ b/etc/asunder.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/atom.profile b/etc/atom.profile
index 2a20279e9..c513c7531 100644
--- a/etc/atom.profile
+++ b/etc/atom.profile
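Review bot: In the asunder hunk `nodbus` is added next to `netfilter`, and the firejail man page describes `nodbus` as handling only the regular UNIX socket paths; a session bus that a distribution exports on an abstract socket is outside its reach, because abstract sockets belong to the network namespace, which `netfilter` leaves shared with the host. The profiles in this series that pair `nodbus` with `net none` (7z, apktool, baobab and most of the others) do not have that gap; the `netfilter` pairing recurs in audacious, chromium-common, handbrake, libreoffice and mpv. Where `net none` is not an option for the application, a one-line reminder above the directive, `# nodbus covers the socket path only; without a network namespace an abstract-socket bus stays reachable`, would make the residual exposure visible to the next maintainer instead of letting `nodbus` read as a complete D-Bus cut-off.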
@@ -5,8 +5,6 @@ include /etc/firejail/atom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.atom
 noblacklist ${HOME}/.config/Atom
diff --git a/etc/atril.profile b/etc/atril.profile
index a05f11076..b7e1e40e0 100644
--- a/etc/atril.profile
+++ b/etc/atril.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-apparmor
+# apparmor
 caps.drop all
 machine-id
 no3d
diff --git a/etc/audacious.profile b/etc/audacious.profile
index 93ba5a45d..71003f156 100644
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/audacity.profile b/etc/audacity.profile
index 8c85dd6be..e8ad7347a 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -5,8 +5,6 @@ include /etc/firejail/audacity.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.audacity-data
 include /etc/firejail/disable-common.inc
@@ -18,8 +16,9 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
-#net none
+net none
 no3d
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/baobab.profile b/etc/baobab.profile
index e47e31bb1..5c1675611 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -5,8 +5,6 @@ include /etc/firejail/baobab.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile
index dce7892a4..9785b9eae 100644
--- a/etc/bleachbit.profile
+++ b/etc/bleachbit.profile
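Review bot: The atril hunk turns `apparmor` into `# apparmor` without recording why, while the evince hunk in this same series carries `# net none breaks AppArmor on Ubuntu systems` for a comparable decision; the second kate hunk makes the same undocumented change. Dropping the AppArmor confinement loosens the profile, and a bare commented-out directive tends either to be re-enabled by a later cleanup or left disabled long after the original breakage is gone, because nobody can tell which applies. A short reason on the line, along the lines of `# apparmor - <what breaks, and on which distribution>` with the placeholders filled in, would preserve the rationale for both profiles.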
@@ -5,8 +5,6 @@ include /etc/firejail/bleachbit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/bless.profile b/etc/bless.profile
index 37d1e856f..10b471582 100644
--- a/etc/bless.profile
+++ b/etc/bless.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bless.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/bless
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/bluefish.profile b/etc/bluefish.profile
index 66ba0168b..6eb1d753f 100644
--- a/etc/bluefish.profile
+++ b/etc/bluefish.profile
@@ -5,8 +5,6 @@ include /etc/firejail/bluefish.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/calligra.profile b/etc/calligra.profile
index f09716bc3..f7df8ce85 100644
--- a/etc/calligra.profile
+++ b/etc/calligra.profile
@@ -5,8 +5,6 @@ include /etc/firejail/calligra.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/catfish.profile b/etc/catfish.profile
index 8765ba950..6a608c673 100644
--- a/etc/catfish.profile
+++ b/etc/catfish.profile
@@ -8,8 +8,6 @@ include /etc/firejail/globals.local
 # We can't blacklist much since catfish
 # is for finding files/content
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/catfish
 include /etc/firejail/disable-common.inc
diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile
index a11947334..7f07c5b26 100644
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
+nodbus
 nodvd
 nogroups
 notv
@@ -31,3 +32,6 @@ private-dev
 noexec ${HOME}
 noexec /tmp
+
+# the file dialog needs to work without d-bus
+env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/cin.profile b/etc/cin.profile
index d114e50b1..e86a4d9b4 100644
--- a/etc/cin.profile
+++ b/etc/cin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/cin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.bcast5
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/clamav.profile b/etc/clamav.profile
index c3a0132d0..41bd3b679 100644
--- a/etc/clamav.profile
+++ b/etc/clamav.profile
@@ -6,12 +6,11 @@ include /etc/firejail/clamav.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/cpio.profile b/etc/cpio.profile
index caee6570e..445e1cec7 100644
--- a/etc/cpio.profile
+++ b/etc/cpio.profile
@@ -6,7 +6,6 @@ include /etc/firejail/cpio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 noblacklist /sbin
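Review bot: The catfish hunk removes the active `blacklist /run/user/*/bus` line and adds neither `nodbus` nor a commented `# nodbus` marker, so the sandbox regains access to the session bus socket and the profile no longer records that this was a considered choice; the keepassx and keepassxc first hunks later in the series have the same shape, and the second keepassxc hunk shows `no3d` directly followed by `nodvd` on the new side, so no `nodbus` was added elsewhere in that file either. For a password manager in particular a reader should be able to tell from the profile that bus access is deliberate rather than a leftover of the mechanical replacement. Elsewhere the commit leaves `# nodbus` as a marker where D-Bus is needed (ark, calligra, digikam); carrying the same marker here, e.g. `# nodbus - <reason the application needs the session bus>`, would keep the three profiles consistent with the rest of the series.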
@@ -19,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nonewprivs
 nosound
diff --git a/etc/default.profile b/etc/default.profile
index 82eded802..1af7ceba4 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -17,6 +17,7 @@ caps.drop all
 # ipc-namespace
 netfilter
 # no3d
+# nodbus
 # nodvd
 # nogroups
 nonewprivs
diff --git a/etc/dex2jar.profile b/etc/dex2jar.profile
index f89e17239..ed73b8b8c 100644
--- a/etc/dex2jar.profile
+++ b/etc/dex2jar.profile
@@ -6,8 +6,6 @@ include /etc/firejail/dex2jar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/dia.profile b/etc/dia.profile
index b1a723da0..fb3506955 100644
--- a/etc/dia.profile
+++ b/etc/dia.profile
@@ -5,8 +5,6 @@ include /etc/firejail/dia.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.dia
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/digikam.profile b/etc/digikam.profile
index 516876c6b..4df344cbc 100644
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@@ -20,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/display.profile b/etc/display.profile
index 41512a0cb..69183f4ca 100644
--- a/etc/display.profile
+++ b/etc/display.profile
@@ -5,8 +5,6 @@ include /etc/firejail/display.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ebook-viewer.profile b/etc/ebook-viewer.profile
index 9f7e1382b..1e28b854a 100644
--- a/etc/ebook-viewer.profile
+++ b/etc/ebook-viewer.profile
@@ -1,9 +1,8 @@
 # Firejail profile alias for calibre
 # This file is overwritten after every install/update
-blacklist /run/user/*/bus
-
 net none
+nodbus
 # Redirect
 include /etc/firejail/calibre.profile
diff --git a/etc/engrampa.profile b/etc/engrampa.profile
index ae61f1d93..1ecdbd1b8 100644
--- a/etc/engrampa.profile
+++ b/etc/engrampa.profile
@@ -5,8 +5,6 @@ include /etc/firejail/engrampa.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eog.profile b/etc/eog.profile
index 475abc4a5..1ab78c345 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eog.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/eog
 noblacklist ${HOME}/.local/share/Trash
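Review bot: The comment `# following line makes settings immutable` is written twice in the second engrampa hunk (above `apparmor` and above `nodbus`) and the third directive it applies to, `net none`, now carries no comment at all, and none of them says why; presumably the settings backend reaches dconf over the session bus and each of these directives cuts that path in its own way, but that has to be guessed. The same pattern appears in the eog, eom, file-roller, gedit and gnome-calculator hunks. Naming the mechanism once, e.g. `# apparmor, net none and nodbus each cut off the session bus, so dconf-backed settings become read-only in the sandbox - confirm before relaxing`, tells a maintainer which directive to relax when settings must be writable and which exposure that relaxation brings back.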
@@ -19,10 +17,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
 apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/eom.profile b/etc/eom.profile
index c7c92db0e..978fa78a4 100644
--- a/etc/eom.profile
+++ b/etc/eom.profile
@@ -5,8 +5,6 @@ include /etc/firejail/eom.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/mate/eom
 noblacklist ${HOME}/.local/share/Trash
@@ -19,10 +17,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
 apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/etr.profile b/etc/etr.profile
index ad2e5be5d..5c01636cc 100644
--- a/etc/etr.profile
+++ b/etc/etr.profile
@@ -5,8 +5,6 @@ include /etc/firejail/etr.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.etr
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/evince.profile b/etc/evince.profile
index 72c1ffc97..08c82086b 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -5,8 +5,6 @@ include /etc/firejail/evince.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/evince
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ machine-id
 # net none breaks AppArmor on Ubuntu systems
 netfilter
 no3d
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/exiftool.profile b/etc/exiftool.profile
index 18d1e3c81..8ab6012f5 100644
--- a/etc/exiftool.profile
+++ b/etc/exiftool.profile
@@ -6,7 +6,6 @@ include /etc/firejail/exiftool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 noblacklist /usr/bin/perl
@@ -21,6 +20,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/feh.profile b/etc/feh.profile
index 1320434f1..ba7a76c49 100644
--- a/etc/feh.profile
+++ b/etc/feh.profile
@@ -5,8 +5,6 @@ include /etc/firejail/feh.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
index acea1e834..538179107 100644
--- a/etc/ffmpeg.profile
+++ b/etc/ffmpeg.profile
@@ -6,8 +6,6 @@ include /etc/firejail/ffmpeg.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index bc4e70da4..83e6a9957 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -5,8 +5,6 @@ include /etc/firejail/file-roller.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,9 +12,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/file.profile b/etc/file.profile
index 041bf5ae5..2bdbaaaa8 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -6,7 +6,6 @@ include /etc/firejail/file.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 include /etc/firejail/disable-common.inc
@@ -17,6 +16,7 @@ caps.drop all
 hostname file
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/freecad.profile b/etc/freecad.profile
index bac502a5f..c51d88f7a 100644
--- a/etc/freecad.profile
+++ b/etc/freecad.profile
@@ -5,8 +5,6 @@ include /etc/firejail/freecad.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/FreeCAD
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile
index ca38ed1b8..8acd32bdd 100644
--- a/etc/frozen-bubble.profile
+++ b/etc/frozen-bubble.profile
@@ -5,8 +5,6 @@ include /etc/firejail/frozen-bubble.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.frozen-bubble
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/galculator.profile b/etc/galculator.profile
index b28c7943f..8229f8250 100644
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@@ -5,8 +5,6 @@ include /etc/firejail/galculator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/galculator
 include /etc/firejail/disable-common.inc
@@ -22,6 +20,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gedit.profile b/etc/gedit.profile
index 97eb692de..5b058ae28 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gedit.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/enchant
 noblacklist ${HOME}/.config/gedit
 noblacklist ${HOME}/.gitconfig
@@ -18,10 +16,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
 machine-id
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gimp.profile b/etc/gimp.profile
index 3cc012a88..49df54d1f 100644
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gimp.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.gimp*
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index d13208a1e..a4ef9cfc1 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -14,10 +14,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
 apparmor
 caps.drop all
-netfilter
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gpicview.profile b/etc/gpicview.profile
index 8d47d9c31..c6453e972 100644
--- a/etc/gpicview.profile
+++ b/etc/gpicview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gpicview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/gpicview
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gwenview.profile b/etc/gwenview.profile
index d79b72152..d17be41cc 100644
--- a/etc/gwenview.profile
+++ b/etc/gwenview.profile
@@ -5,8 +5,6 @@ include /etc/firejail/gwenview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/gwenviewrc
 noblacklist ${HOME}/.config/org.kde.gwenviewrc
 noblacklist ${HOME}/.gimp*
@@ -24,8 +22,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/gzip.profile b/etc/gzip.profile
index 5187bb9f0..779067770 100644
--- a/etc/gzip.profile
+++ b/etc/gzip.profile
@@ -6,12 +6,12 @@ include /etc/firejail/gzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/handbrake.profile b/etc/handbrake.profile
index b99842d60..ff9dd248f 100644
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@@ -17,6 +17,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/hashcat.profile b/etc/hashcat.profile
index ad1aae523..c8ab268c8 100644
--- a/etc/hashcat.profile
+++ b/etc/hashcat.profile
@@ -6,8 +6,6 @@ include /etc/firejail/hashcat.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.hashcat
 noblacklist /usr/include
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/highlight.profile b/etc/highlight.profile
index a7c667ce1..781866f3b 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -5,7 +5,6 @@ include /etc/firejail/highlight.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/hugin.profile b/etc/hugin.profile
index bff074b74..3847a7daf 100644
--- a/etc/hugin.profile
+++ b/etc/hugin.profile
@@ -5,8 +5,6 @@ include /etc/firejail/hugin.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.hugin
 include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/imagej.profile b/etc/imagej.profile
index 058da2805..7396160af 100644
--- a/etc/imagej.profile
+++ b/etc/imagej.profile
@@ -5,8 +5,6 @@ include /etc/firejail/imagej.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.imagej
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
index 5a19a75f1..8c157bf2a 100644
--- a/etc/img2txt.profile
+++ b/etc/img2txt.profile
@@ -5,8 +5,6 @@ include /etc/firejail/img2txt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -14,6 +12,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index 6e669ea2c..d573cc706 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -18,7 +18,8 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
-netfilter
+net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/jd-gui.profile b/etc/jd-gui.profile
index bf461b93d..f70eff3e4 100644
--- a/etc/jd-gui.profile
+++ b/etc/jd-gui.profile
@@ -5,8 +5,6 @@ include /etc/firejail/jd-gui.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/jd-gui.cfg
 noblacklist ${HOME}/.java
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kate.profile b/etc/kate.profile
index 5042077e5..df9643fee 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -5,8 +5,6 @@ include /etc/firejail/kate.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc
@@ -21,9 +19,10 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
-apparmor
+# apparmor
 caps.drop all
 # net none
+# nodbus
 netfilter
 nodvd
 nogroups
diff --git a/etc/kcalc.profile b/etc/kcalc.profile
index 3f024f3fa..db10167ed 100644
--- a/etc/kcalc.profile
+++ b/etc/kcalc.profile
@@ -20,9 +20,12 @@ whitelist ${HOME}/.kde4/share/config/kcalcrc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc
+apparmor
 caps.drop all
+# net none
 netfilter
 no3d
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 5c770856a..819279b10 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -5,7 +5,6 @@ include /etc/firejail/kdenlive.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
 noblacklist ${HOME}/.cache/kdenlive
 noblacklist ${HOME}/.config/kdenliverc
 noblacklist ${HOME}/.local/share/kdenlive
@@ -18,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 apparmor
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 91ead4bfa..14af2682c 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassx.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassx
diff --git a/etc/keepassxc.profile b/etc/keepassxc.profile
index 8b760cb02..0e464cbe4 100644
--- a/etc/keepassxc.profile
+++ b/etc/keepassxc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/keepassxc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/*.kdb
 noblacklist ${HOME}/*.kdbx
 noblacklist ${HOME}/.config/keepassxc
@@ -22,6 +20,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
diff --git a/etc/krita.profile b/etc/krita.profile
index 0f4c5210b..24948c584 100644
--- a/etc/krita.profile
+++ b/etc/krita.profile
@@ -5,7 +5,6 @@ include /etc/firejail/krita.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
 noblacklist ${HOME}/.config/kritarc
 noblacklist ${HOME}/.local/share/krita
@@ -18,6 +17,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index 1c4e50b77..ac51259c0 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/kwrite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/katepartrc
 noblacklist ${HOME}/.config/katerc
 noblacklist ${HOME}/.config/kateschemarc
@@ -26,6 +24,7 @@ apparmor
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/less.profile b/etc/less.profile
index 3b1c5d6bf..e2616ba4f 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -6,12 +6,12 @@ include /etc/firejail/less.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index ceb680951..15961321e 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -21,6 +21,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/lmms.profile b/etc/lmms.profile
index b2bacb246..a9fecf5be 100644
--- a/etc/lmms.profile
+++ b/etc/lmms.profile
@@ -5,8 +5,6 @@ include /etc/firejail/lmms.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.lmmsrc.xml
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/macrofusion.profile b/etc/macrofusion.profile
index f8c5c34ca..948c7226d 100644
--- a/etc/macrofusion.profile
+++ b/etc/macrofusion.profile
@@ -5,8 +5,6 @@ include /etc/firejail/macrofusion.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mfusion
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mate-calc.profile b/etc/mate-calc.profile
index be5dac206..f452b751a 100644
--- a/etc/mate-calc.profile
+++ b/etc/mate-calc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mate-calc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mate-calc
 include /etc/firejail/disable-common.inc
@@ -24,6 +22,7 @@ whitelist ${HOME}/.themes
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile
index de9297174..c3c84ed39 100644
--- a/etc/mediainfo.profile
+++ b/etc/mediainfo.profile
@@ -5,7 +5,6 @@ include /etc/firejail/mediainfo.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/meld.profile b/etc/meld.profile
index 1a451ff57..78d9e0c76 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -5,8 +5,6 @@ include /etc/firejail/meld.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/meld
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mpv.profile b/etc/mpv.profile
index a4dc679f4..dcd8b05e1 100644
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 9e04c3a81..af5859dbc 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -17,6 +15,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 machine-id
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/mupen64plus.profile b/etc/mupen64plus.profile
index e05babc91..2e3d7cfb8 100644
--- a/etc/mupen64plus.profile
+++ b/etc/mupen64plus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/mupen64plus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/mupen64plus
 noblacklist ${HOME}/.local/share/mupen64plus
@@ -24,6 +22,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/natron.profile b/etc/natron.profile
index 413ea53f9..cf01c862c 100644
--- a/etc/natron.profile
+++ b/etc/natron.profile
@@ -5,8 +5,6 @@ include /etc/firejail/natron.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.Natron
 noblacklist ${HOME}/.cache/INRIA/Natron
 noblacklist ${HOME}/.config/INRIA
@@ -19,6 +17,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile
index b6d4a63b5..c807a5399 100644
--- a/etc/odt2txt.profile
+++ b/etc/odt2txt.profile
@@ -5,7 +5,6 @@ include /etc/firejail/odt2txt.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 include /etc/firejail/disable-common.inc
@@ -16,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/okular.profile b/etc/okular.profile
index ffe0d2bfb..f1f0b2c7e 100644
--- a/etc/okular.profile
+++ b/etc/okular.profile
@@ -5,8 +5,6 @@ include /etc/firejail/okular.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
 noblacklist ${HOME}/.config/okularrc
@@ -30,6 +28,7 @@ caps.drop all
 machine-id
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile
index 191f8d87b..3c3609dae 100644
--- a/etc/open-invaders.profile
+++ b/etc/open-invaders.profile
@@ -5,8 +5,6 @@ include /etc/firejail/open-invaders.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.openinvaders
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/openshot.profile b/etc/openshot.profile
index ca9110be6..b9eb29590 100644
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pcmanfm.profile b/etc/pcmanfm.profile
index 08c607020..0dcd21549 100644
--- a/etc/pcmanfm.profile
+++ b/etc/pcmanfm.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pcmanfm.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/Trash
 # noblacklist ${HOME}/.config/libfm - disable-programs.inc is disabled, see below
 # noblacklist ${HOME}/.config/pcmanfm
@@ -19,6 +17,7 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 # net none - see issue #1467, computer:/// location broken
 no3d
+# nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/pdfchain.profile b/etc/pdfchain.profile
index d43c0911e..b4ccb6003 100755
--- a/etc/pdfchain.profile
+++ b/etc/pdfchain.profile
@@ -5,9 +5,6 @@ include /etc/firejail/pdfchain.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -19,6 +16,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/pdfmod.profile b/etc/pdfmod.profile
index 8ac09dcdc..9b08dfd84 100644
--- a/etc/pdfmod.profile
+++ b/etc/pdfmod.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfmod.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/pdfmod
 noblacklist ${HOME}/.config/pdfmod
@@ -22,6 +20,7 @@ ipc-namespace
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pdfsam.profile b/etc/pdfsam.profile
index c1515ab73..465f68fd6 100644
--- a/etc/pdfsam.profile
+++ b/etc/pdfsam.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pdfsam.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.java
 include /etc/firejail/disable-common.inc
@@ -18,6 +16,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 736faa5ea..a97063754 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -5,7 +5,6 @@ include /etc/firejail/pdftotext.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 include /etc/firejail/disable-common.inc
@@ -19,6 +18,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/peek.profile b/etc/peek.profile
index 01db4fa08..7b7ab9470 100644
--- a/etc/peek.profile
+++ b/etc/peek.profile
@@ -5,8 +5,6 @@ include /etc/firejail/peek.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/peek
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pingus.profile b/etc/pingus.profile
index ec7eff632..b287e7ee8 100644
--- a/etc/pingus.profile
+++ b/etc/pingus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pingus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.pingus
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pinta.profile b/etc/pinta.profile
index 4a8815a73..b51521ef7 100644
--- a/etc/pinta.profile
+++ b/etc/pinta.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pinta.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/Pinta
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/pluma.profile b/etc/pluma.profile
index b50e3cbaf..a6c36f647 100644
--- a/etc/pluma.profile
+++ b/etc/pluma.profile
@@ -5,8 +5,6 @@ include /etc/firejail/pluma.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/pluma
 include /etc/firejail/disable-common.inc
@@ -16,10 +14,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
 machine-id
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/qbittorrent.profile b/etc/qbittorrent.profile
index 8df8177eb..14a9e8adc 100644
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@@ -30,6 +30,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/ranger.profile b/etc/ranger.profile
index 211a1b2d5..fd5bbf89c 100644
--- a/etc/ranger.profile
+++ b/etc/ranger.profile
@@ -5,8 +5,6 @@ include /etc/firejail/ranger.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 # noblacklist /usr/bin/cpan*
 noblacklist /usr/bin/perl
 noblacklist /usr/lib/perl*
@@ -20,6 +18,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index a20bdb883..62d0f6334 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
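Review bot: In the second pluma hunk the comment `# following line makes settings immutable` sits above `apparmor` and `nodbus`, yet both lines are enabled, so the comment reads as a warning against the very configuration being committed rather than as a recorded decision; the same pattern appears in the rhythmbox, totem, xed, xplayer and xviewer hunks. Stating the accepted trade-off would remove the ambiguity, e.g. `# nodbus - makes settings immutable (settings daemon presumably reached over the session bus); accepted`. The hunk also enables `net none` while dropping the old `- makes settings immutable` note that was attached to it, so the profile no longer records why that restriction was once believed to affect settings; a one-line remark that the earlier attribution was wrong would keep the history understandable.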
@@ -13,10 +13,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
 apparmor
 caps.drop all
 netfilter
 # no3d
+# following line makes settings immutable
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/scribus.profile b/etc/scribus.profile
index 8ce63fbf0..7325b663d 100644
--- a/etc/scribus.profile
+++ b/etc/scribus.profile
@@ -5,8 +5,6 @@ include /etc/firejail/scribus.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 # Support for PDF readers comes with Scribus 1.5 and higher
 noblacklist ${HOME}/.cache/okular
 noblacklist ${HOME}/.config/okularpartrc
@@ -33,6 +31,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
@@ -48,3 +47,6 @@ tracelog
 # private-bin scribus,gs,gimp*
 private-dev
 private-tmp
+
+# noexec ${HOME}
+noexec /tmp
diff --git a/etc/sdat2img.profile b/etc/sdat2img.profile
index bc94ae2a0..2f3d94f01 100644
--- a/etc/sdat2img.profile
+++ b/etc/sdat2img.profile
@@ -6,8 +6,6 @@ include /etc/firejail/sdat2img.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/shotcut.profile b/etc/shotcut.profile
index 3f2cc3d33..293a89ba3 100644
--- a/etc/shotcut.profile
+++ b/etc/shotcut.profile
@@ -5,8 +5,6 @@ include /etc/firejail/shotcut.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/Meltytech
 include /etc/firejail/disable-common.inc
@@ -16,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/simutrans.profile b/etc/simutrans.profile
index 8b4113d2f..adde3f8ce 100644
--- a/etc/simutrans.profile
+++ b/etc/simutrans.profile
@@ -5,8 +5,6 @@ include /etc/firejail/simutrans.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.simutrans
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ include /etc/firejail/whitelist-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 316cf5821..4fa649654 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -5,8 +5,6 @@ include /etc/firejail/skanlite.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 # net none
 netfilter
+# nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/smplayer.profile b/etc/smplayer.profile
index 64eff5670..60af4cf17 100644
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile
index 933d55b79..22c37645d 100644
--- a/etc/sqlitebrowser.profile
+++ b/etc/sqlitebrowser.profile
@@ -5,8 +5,6 @@ include /etc/firejail/sqlitebrowser.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/sqlitebrowser
 include /etc/firejail/disable-common.inc
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/strings.profile b/etc/strings.profile
index 09273f35d..8995ad2a6 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -6,12 +6,12 @@ include /etc/firejail/strings.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/supertux2.profile b/etc/supertux2.profile
index d60d7fa5f..24f42c276 100644
--- a/etc/supertux2.profile
+++ b/etc/supertux2.profile
@@ -5,8 +5,6 @@ include /etc/firejail/supertux2.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.local/share/supertux2
 include /etc/firejail/disable-common.inc
@@ -21,6 +19,7 @@ include /etc/firejail/whitelist-var-common.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/synfigstudio.profile b/etc/synfigstudio.profile
index 415a42cf5..be9c2aa64 100644
--- a/etc/synfigstudio.profile
+++ b/etc/synfigstudio.profile
@@ -5,8 +5,6 @@ include /etc/firejail/synfigstudio.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/synfig
 noblacklist ${HOME}/.synfig
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/tar.profile b/etc/tar.profile
index bd7973abf..5f54bf02d 100644
--- a/etc/tar.profile
+++ b/etc/tar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/tar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 hostname tar
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/terasology.profile b/etc/terasology.profile
index ea25938d3..e671c4dc3 100644
--- a/etc/terasology.profile
+++ b/etc/terasology.profile
@@ -5,8 +5,6 @@ include /etc/firejail/terasology.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/terasology
@@ -25,6 +23,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/totem.profile b/etc/totem.profile
index 6dbc5f0c2..f466b3ea6 100644
--- a/etc/totem.profile
+++ b/etc/totem.profile
@@ -15,9 +15,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
 apparmor
 caps.drop all
 netfilter
+# following line makes settings immutable
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 3d249748d..ee044aa0d 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile
index 4f4d9bac1..a8fb80fd8 100644
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@@ -25,6 +25,7 @@ apparmor
 caps.drop all
 machine-id
 netfilter
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
index 135371747..575bf77dc 100644
--- a/etc/transmission-show.profile
+++ b/etc/transmission-show.profile
@@ -5,8 +5,6 @@ include /etc/firejail/transmission-show.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.cache/transmission
 noblacklist ${HOME}/.config/transmission
@@ -18,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 machine-id
 net none
+nodbus
 nodvd
 nonewprivs
 noroot
diff --git a/etc/uefitool.profile b/etc/uefitool.profile
index 6cff5249c..a10b44fb1 100644
--- a/etc/uefitool.profile
+++ b/etc/uefitool.profile
@@ -5,8 +5,6 @@ include /etc/firejail/uefitool.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -16,6 +14,7 @@ caps.drop all
 ipc-namespace
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/unrar.profile b/etc/unrar.profile
index f7e25d5d7..ba2a86f4c 100644
--- a/etc/unrar.profile
+++ b/etc/unrar.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unrar.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 hostname unrar
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/unzip.profile b/etc/unzip.profile
index fe16c670d..fddc79260 100644
--- a/etc/unzip.profile
+++ b/etc/unzip.profile
@@ -6,13 +6,13 @@ include /etc/firejail/unzip.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 hostname unzip
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/uudeview.profile b/etc/uudeview.profile
index f7699552d..b64ecaa3e 100644
--- a/etc/uudeview.profile
+++ b/etc/uudeview.profile
@@ -6,11 +6,10 @@ include /etc/firejail/uudeview.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 hostname uudeview
 ignore noroot
 net none
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/viewnior.profile b/etc/viewnior.profile
index 39bf3f7ce..135147266 100644
--- a/etc/viewnior.profile
+++ b/etc/viewnior.profile
@@ -5,7 +5,6 @@ include /etc/firejail/viewnior.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist ${HOME}/.bashrc
 noblacklist ${HOME}/.Steam
@@ -20,6 +19,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/vlc.profile b/etc/vlc.profile
index dad9a9ae1..c36a1f238 100644
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@@ -18,6 +18,7 @@ include /etc/firejail/whitelist-var-common.inc
 apparmor
 caps.drop all
 netfilter
+# nodbus
 # nogroups
 nonewprivs
 noroot
diff --git a/etc/x-terminal-emulator.profile b/etc/x-terminal-emulator.profile
index 67707ffb8..ac8f0fe2a 100644
--- a/etc/x-terminal-emulator.profile
+++ b/etc/x-terminal-emulator.profile
@@ -5,12 +5,11 @@ include /etc/firejail/x-terminal-emulator.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 caps.drop all
 ipc-namespace
 net none
 netfilter
+nodbus
 nogroups
 noroot
 protocol unix
diff --git a/etc/xcalc.profile b/etc/xcalc.profile
index 467f96003..8493fe658 100644
--- a/etc/xcalc.profile
+++ b/etc/xcalc.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xcalc.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -18,6 +16,7 @@ caps.drop all
 net none
 netfilter
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xed.profile b/etc/xed.profile
index e4ab673e8..2bc73693e 100644
--- a/etc/xed.profile
+++ b/etc/xed.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xed.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.config/xed
 include /etc/firejail/disable-common.inc
@@ -16,10 +14,14 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
 machine-id
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xpdf.profile b/etc/xpdf.profile
index 7b8042e5c..9eeda4d29 100644
--- a/etc/xpdf.profile
+++ b/etc/xpdf.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xpdf.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.xpdfrc
 include /etc/firejail/disable-common.inc
@@ -20,6 +18,7 @@ caps.drop all
 machine-id
 net none
 no3d
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xplayer.profile b/etc/xplayer.profile
index 8ea361d79..ef1eb38e7 100644
--- a/etc/xplayer.profile
+++ b/etc/xplayer.profile
@@ -15,8 +15,12 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
 netfilter
+# following line makes settings immutable
+nodbus
 nogroups
 nonewprivs
 noroot
diff --git a/etc/xreader.profile b/etc/xreader.profile
index 00bd1ee2f..1ddfad26f 100644
--- a/etc/xreader.profile
+++ b/etc/xreader.profile
@@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# apparmor
 caps.drop all
 no3d
 nodvd
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index 7c4ede111..86d0b6d4a 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -5,8 +5,6 @@ include /etc/firejail/xviewer.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus - makes settings immutable
-
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.config/xviewer
 noblacklist ${HOME}/.local/share/Trash
@@ -19,9 +17,13 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
+# following line makes settings immutable
+apparmor
 caps.drop all
-# net none - makes settings immutable
+net none
 no3d
+# following line makes settings immutable
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/xzdec.profile b/etc/xzdec.profile
index 1136a6535..5913fd07a 100644
--- a/etc/xzdec.profile
+++ b/etc/xzdec.profile
@@ -6,12 +6,12 @@ include /etc/firejail/xzdec.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
 blacklist /tmp/.X11-unix
 ignore noroot
 net none
 no3d
+nodbus
 nodvd
 nosound
 notv
diff --git a/etc/zart.profile b/etc/zart.profile
index e9fd9b3bd..60eb09c71 100644
--- a/etc/zart.profile
+++ b/etc/zart.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zart.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
@@ -15,6 +13,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 ipc-namespace
 net none
+nodbus
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/zathura.profile b/etc/zathura.profile
index 288abb8ec..3edece779 100644
--- a/etc/zathura.profile
+++ b/etc/zathura.profile
@@ -5,8 +5,6 @@ include /etc/firejail/zathura.local
 # Persistent global definitions
 include /etc/firejail/globals.local
-# blacklist /run/user/*/bus
-
 noblacklist ${HOME}/.config/zathura
 noblacklist ${HOME}/.local/share/zathura
@@ -17,6 +15,7 @@ include /etc/firejail/disable-programs.inc
 caps.drop all
 # net none
+# nodbus
 nodvd
 nogroups
 nonewprivs
@@ -31,5 +30,6 @@ private-bin zathura
 private-dev
 private-etc fonts
 private-tmp
+
 read-only ${HOME}/
 read-write ${HOME}/.local/share/zathura/
-- 
cgit v1.2.3-54-g00ecf