From fa10ab0e093a4224b16491273b0162b0e0a77a3a Mon Sep 17 00:00:00 2001 
From: valoq Date: Sat, 19 Nov 2016 21:57:42 +0100 Subject: many new profiles --- etc/amarok.profile | 19 +++++++++++++++++++ etc/ark.profile | 23 +++++++++++++++++++++++ etc/atool.profile | 24 ++++++++++++++++++++++++ etc/bleachbit.profile | 21 +++++++++++++++++++++ etc/brasero.profile | 23 +++++++++++++++++++++++ etc/dolphin.profile | 23 +++++++++++++++++++++++ etc/dragon.profile | 22 ++++++++++++++++++++++ etc/elinks.profile | 24 ++++++++++++++++++++++++ etc/enchant.profile | 23 +++++++++++++++++++++++ etc/exiftool.profile | 28 ++++++++++++++++++++++++++++ etc/file-roller.profile | 21 +++++++++++++++++++++ etc/gedit.profile | 26 ++++++++++++++++++++++++++ etc/gjs.profile | 28 ++++++++++++++++++++++++++++ etc/gnome-books.profile | 26 ++++++++++++++++++++++++++ etc/gnome-clocks.profile | 22 ++++++++++++++++++++++ etc/gnome-documents.profile | 24 ++++++++++++++++++++++++ etc/gnome-maps.profile | 24 ++++++++++++++++++++++++ etc/gnome-music.profile | 22 ++++++++++++++++++++++ etc/gnome-photos.profile | 26 ++++++++++++++++++++++++++ etc/gnome-weather.profile | 26 ++++++++++++++++++++++++++ etc/goobox.profile | 20 ++++++++++++++++++++ etc/gpa.profile | 23 +++++++++++++++++++++++ etc/gpg-agent.profile | 24 ++++++++++++++++++++++++ etc/gpg.profile | 24 ++++++++++++++++++++++++ etc/highlight.profile | 24 ++++++++++++++++++++++++ etc/img2txt.profile | 24 ++++++++++++++++++++++++ etc/k3b.profile | 21 +++++++++++++++++++++ etc/kate.profile | 28 ++++++++++++++++++++++++++++ etc/lynx.profile | 22 ++++++++++++++++++++++ etc/mediainfo.profile | 26 ++++++++++++++++++++++++++ etc/nautilus.profile | 26 ++++++++++++++++++++++++++ etc/odt2txt.profile | 24 ++++++++++++++++++++++++ etc/okular.profile | 16 ++++++++-------- etc/pdftotext.profile | 22 ++++++++++++++++++++++ etc/simple-scan.profile | 23 +++++++++++++++++++++++ etc/skanlite.profile | 21 +++++++++++++++++++++ etc/ssh-agent.profile | 15 +++++++++++++++ etc/tracker.profile | 24 ++++++++++++++++++++++++ 
etc/transmission-cli.profile | 24 ++++++++++++++++++++++++ etc/transmission-show.profile | 24 ++++++++++++++++++++++++ etc/w3m.profile | 23 +++++++++++++++++++++++ etc/xfburn.profile | 23 +++++++++++++++++++++++ etc/xpra.profile | 21 +++++++++++++++++++++ 43 files changed, 989 insertions(+), 8 deletions(-) create mode 100644 etc/amarok.profile create mode 100644 etc/ark.profile create mode 100644 etc/atool.profile create mode 100644 etc/bleachbit.profile create mode 100644 etc/brasero.profile create mode 100644 etc/dolphin.profile create mode 100644 etc/dragon.profile create mode 100644 etc/elinks.profile create mode 100644 etc/enchant.profile create mode 100644 etc/exiftool.profile create mode 100644 etc/file-roller.profile create mode 100644 etc/gedit.profile create mode 100644 etc/gjs.profile create mode 100644 etc/gnome-books.profile create mode 100644 etc/gnome-clocks.profile create mode 100644 etc/gnome-documents.profile create mode 100644 etc/gnome-maps.profile create mode 100644 etc/gnome-music.profile create mode 100644 etc/gnome-photos.profile create mode 100644 etc/gnome-weather.profile create mode 100644 etc/goobox.profile create mode 100644 etc/gpa.profile create mode 100644 etc/gpg-agent.profile create mode 100644 etc/gpg.profile create mode 100644 etc/highlight.profile create mode 100644 etc/img2txt.profile create mode 100644 etc/k3b.profile create mode 100644 etc/kate.profile create mode 100644 etc/lynx.profile create mode 100644 etc/mediainfo.profile create mode 100644 etc/nautilus.profile create mode 100644 etc/odt2txt.profile create mode 100644 etc/pdftotext.profile create mode 100644 etc/simple-scan.profile create mode 100644 etc/skanlite.profile create mode 100644 etc/ssh-agent.profile create mode 100644 etc/tracker.profile create mode 100644 etc/transmission-cli.profile create mode 100644 etc/transmission-show.profile create mode 100644 etc/w3m.profile create mode 100644 etc/xfburn.profile create mode 100644 etc/xpra.profile (limited to 'etc') 
diff --git a/etc/amarok.profile b/etc/amarok.profile new file mode 100644 index 000000000..962865790 --- /dev/null +++ b/etc/amarok.profile @@ -0,0 +1,19 @@ +# amorak profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +#seccomp +protocol unix,inet,inet6 + +#private-bin amorak +private-dev +private-tmp +#private-etc none diff --git a/etc/ark.profile b/etc/ark.profile new file mode 100644 index 000000000..61b4c6f60 --- /dev/null +++ b/etc/ark.profile @@ -0,0 +1,23 @@ +# ark profile +noblacklist ~/.config/arkrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/etc/atool.profile b/etc/atool.profile new file mode 100644 index 000000000..3fbfb9fc7 --- /dev/null +++ b/etc/atool.profile @@ -0,0 +1,24 @@ +# atool profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +# include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +# private-bin atool +private-tmp +private-dev +private-etc none + + diff --git a/etc/bleachbit.profile b/etc/bleachbit.profile new file mode 100644 index 000000000..0a71db9f0 --- /dev/null +++ b/etc/bleachbit.profile 
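Review bot: `#seccomp` is commented out with no reason given, while almost every sibling profile in this commit enables it; amarok decodes media it may have fetched over the network (`protocol unix,inet,inet6`), which is exactly where a syscall filter earns its keep. If a specific syscall broke playback, record it, e.g. `# seccomp disabled: <syscall> needed by the phonon backend, re-test`; otherwise enable `seccomp`. The header comment and `#private-bin amorak` both misspell the program name (`amarok`), so the private-bin line would not work if uncommented as-is.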
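Review bot: ark parses untrusted archives and has no use for networking, yet the profile relies on `protocol unix` alone; atool and exiftool in this same commit pair it with `net none`, which puts the jail in an empty network namespace rather than only restricting socket families. Add `net none` after `netfilter`. The `# private-bin` and `# private-etc` placeholders name no files; either fill them in or drop them so they do not read as half-finished.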
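Review bot: `# include /etc/firejail/disable-devel.inc` is the only include disabled in atool.profile and nothing says why; atool is a perl script, so presumably the devel blacklist would hide the interpreter. exiftool.profile in this commit solves the same problem with explicit `noblacklist /usr/bin/perl` lines while keeping the include, which is the tighter approach; either adopt that pattern or add `# disable-devel.inc blacklists perl, which atool needs` so the exception is not copied blindly.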
@@ -0,0 +1,21 @@ +# bleachbit profile +include /etc/firejail/disable-common.inc +# include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +# private-dev +# private-tmp +# private-etc + diff --git a/etc/brasero.profile b/etc/brasero.profile new file mode 100644 index 000000000..66de6fa50 --- /dev/null +++ b/etc/brasero.profile @@ -0,0 +1,23 @@ +# brasero profile +noblacklist ~/.config/brasero + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin brasero +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/dolphin.profile b/etc/dolphin.profile new file mode 100644 index 000000000..1a6abb71d --- /dev/null +++ b/etc/dolphin.profile @@ -0,0 +1,23 @@ +# dolphin profile +noblacklist ~/.config/dolphinrc +noblacklist ~/.local/share/dolphin + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +seccomp +protocol unix + +# private-bin +# private-dev +# private-tmp +# private-etc + diff --git a/etc/dragon.profile b/etc/dragon.profile new file mode 100644 index 000000000..09cb73802 --- /dev/null +++ b/etc/dragon.profile 
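Review bot: `# include /etc/firejail/disable-programs.inc` is disabled in bleachbit.profile without explanation, whereas nautilus.profile in this commit carries a comment for the same decision. The reason matters for the threat model: bleachbit's job is to delete other applications' caches and histories, so the blacklist would hide exactly the directories it must reach. Suggest `# bleachbit has to reach other programs' cache/config dirs to clean them`, and note that with `noroot` only the per-user cleaners can work, which looks like the intended scope.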
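Review bot: dolphin.profile includes disable-programs.inc while nautilus.profile in the same commit deliberately leaves it out because a file manager launches other applications, which then inherit the jail. Applications opened from a sandboxed dolphin will run with their own config directories blacklisted and are likely to misbehave; either follow the nautilus choice and document it, or keep the include and state in the header that launching applications from the jail is unsupported. I cannot tell from the diff which behaviour was tested.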
@@ -0,0 +1,22 @@ +# dragon player profile +noblacklist ~/.config/dragonplayerrc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +shell none +seccomp +protocol unix,inet,inet6 + +private-bin dragon +private-dev +private-tmp +# private-etc + diff --git a/etc/elinks.profile b/etc/elinks.profile new file mode 100644 index 000000000..df817ea56 --- /dev/null +++ b/etc/elinks.profile @@ -0,0 +1,24 @@ +# elinks profile +noblacklist ~/.elinks + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin elinks +private-tmp +private-dev +# private-etc none + diff --git a/etc/enchant.profile b/etc/enchant.profile new file mode 100644 index 000000000..cf8288919 --- /dev/null +++ b/etc/enchant.profile @@ -0,0 +1,23 @@ +# enchant profile +noblacklist ~/.config/enchant + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin enchant +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/exiftool.profile b/etc/exiftool.profile new file mode 100644 index 000000000..384695473 --- /dev/null +++ b/etc/exiftool.profile 
@@ -0,0 +1,28 @@ +# exiftool profile +noblacklist /usr/bin/perl +noblacklist /usr/share/perl* +noblacklist /usr/lib/perl* + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +# private-bin exiftool,perl +private-tmp +private-dev +private-etc none + + diff --git a/etc/file-roller.profile b/etc/file-roller.profile new file mode 100644 index 000000000..6116389db --- /dev/null +++ b/etc/file-roller.profile @@ -0,0 +1,21 @@ +# file-roller profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin file-roller +# private-tmp +private-dev +# private-etc fonts diff --git a/etc/gedit.profile b/etc/gedit.profile new file mode 100644 index 000000000..a25286bfa --- /dev/null +++ b/etc/gedit.profile @@ -0,0 +1,26 @@ +# gedit profile + +# when gedit is started via gnome-shell, firejail is not applied because systemd will start it + +noblacklist ~/.config/gedit + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gedit +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gjs.profile b/etc/gjs.profile new file mode 100644 index 000000000..8d71728a2 --- /dev/null +++ b/etc/gjs.profile 
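Review bot: the three `noblacklist` lines for perl in exiftool.profile are needed because disable-devel.inc, included a few lines below, presumably blacklists the interpreter, but nothing in the file says so and the pattern is easy to copy wrongly; add `# exiftool is a perl script; disable-devel.inc blacklists perl` above them. Otherwise this is one of the strictest profiles in the set (`net none`, `private-etc none`, `seccomp`), which is appropriate for a tool that parses attacker-controlled metadata. Bear in mind that exiftool also writes tags, so `read-only ${HOME}` as used in odt2txt.profile is not an option here.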
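Review bot: like ark, file-roller unpacks untrusted archives and has no need for networking, but file-roller.profile only sets `protocol unix`; add `net none` as atool and exiftool in this commit do. The profile also leaves `# private-tmp` off while ark.profile enables it for the same task; if file-roller needs the real /tmp (for example to hand extracted files to other applications), say so in a comment so the two archive-manager profiles do not drift apart for no stated reason.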
@@ -0,0 +1,28 @@ +# gjs (gnome javascript bindings) profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.cache/org.gnome.Books +noblacklist ~/.config/libreoffice +noblacklist ~/.local/share/gnome-photos +noblacklist ~/.cache/libgweather + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-books.profile b/etc/gnome-books.profile new file mode 100644 index 000000000..10b06e173 --- /dev/null +++ b/etc/gnome-books.profile @@ -0,0 +1,26 @@ +# gnome-books profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.cache/org.gnome.Books + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-books +private-tmp +private-dev +private-etc fonts diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile new file mode 100644 index 000000000..30adadda1 --- /dev/null +++ b/etc/gnome-clocks.profile 
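Review bot: gjs.profile is a catch-all for the interpreter, yet it un-blacklists the data of several unrelated applications at once (`~/.cache/org.gnome.Books`, `~/.config/libreoffice`, `~/.local/share/gnome-photos`, `~/.cache/libgweather`), so any gjs script run under it gets all of them plus `protocol unix,inet,inet6`. Since gnome-books, gnome-documents, gnome-photos, gnome-maps and gnome-weather each receive their own profile in this same commit, the aggregate widens least privilege without a stated use case. Consider trimming gjs.profile to what a bare gjs script needs and pointing users at the per-application profiles, or add a comment explaining when the generic one is meant to be used.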
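Review bot: gnome-books.profile is the only one of the gjs-based profiles where `private-etc fonts` is active rather than commented, and its `# private-bin gjs gnome-books` placeholder uses a space where firejail's list syntax is comma-separated (compare `# private-bin gpa,gpg` in gpa.profile); the same space-separated form appears in gnome-maps, gnome-photos and gnome-weather. If `private-etc fonts` was tested with gnome-books keep it but expect the siblings to follow; if it was not, comment it out to match them. Fix the placeholder to `# private-bin gjs,gnome-books` so it works when enabled.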
@@ -0,0 +1,22 @@ +# gnome-clocks profile + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gnome-clocks +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-documents.profile b/etc/gnome-documents.profile new file mode 100644 index 000000000..c5def7aff --- /dev/null +++ b/etc/gnome-documents.profile @@ -0,0 +1,24 @@ +# gnome-documents profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.config/libreoffice + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +private-tmp +private-dev diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile new file mode 100644 index 000000000..f1451506e --- /dev/null +++ b/etc/gnome-maps.profile @@ -0,0 +1,24 @@ +# gnome-maps profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-maps +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile new file mode 100644 index 000000000..4a8adeb22 --- /dev/null +++ b/etc/gnome-music.profile 
@@ -0,0 +1,22 @@ +# gnome-music profile +noblacklist ~/.local/share/gnome-music + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gnome-music,python3 +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile new file mode 100644 index 000000000..8f9d60cb5 --- /dev/null +++ b/etc/gnome-photos.profile @@ -0,0 +1,26 @@ +# gnome-photos profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.local/share/gnome-photos + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-photos +private-tmp +private-dev +# private-etc fonts diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile new file mode 100644 index 000000000..9f93b8f15 --- /dev/null +++ b/etc/gnome-weather.profile @@ -0,0 +1,26 @@ +# gnome-weather profile + +# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them + +noblacklist ~/.cache/libgweather + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin gjs gnome-weather +private-tmp +private-dev +# private-etc fonts diff --git a/etc/goobox.profile b/etc/goobox.profile new file mode 100644 index 000000000..8990943fc --- /dev/null 
+++ b/etc/goobox.profile
@@ -0,0 +1,20 @@
+# goobox profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin goobox
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/gpa.profile b/etc/gpa.profile
new file mode 100644
index 000000000..7d7277190
--- /dev/null
+++ b/etc/gpa.profile
@@ -0,0 +1,23 @@
+# gpa profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpa,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
new file mode 100644
index 000000000..31ed8812e
--- /dev/null
+++ b/etc/gpg-agent.profile
@@ -0,0 +1,24 @@
+# gpg-agent profile
+
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin gpg-agent,gpg
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/gpg.profile b/etc/gpg.profile
new file mode 100644
index 000000000..31372eb90
--- /dev/null
+++ b/etc/gpg.profile
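Review bot: gpa.profile grants `protocol unix,inet,inet6` while gpg.profile in this commit sets `net none`; gpa presumably performs keyserver operations by driving gpg (through gpgme) inside its own jail, so the network access is needed here and the inconsistency is intentional, but it deserves a comment such as `# inet needed for keyserver access through gpg/dirmngr`. With `private-tmp` on, a gpg-agent socket living under /tmp (the GnuPG 2.0 layout) is invisible from the jail and gpa will end up with a private agent and separate passphrase prompts; that is acceptable but worth noting in the header.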
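Review bot: in gpg-agent.profile `noblacklist ~/.gnupg` is unavoidable, since from GnuPG 2.1 on the agent is the process that holds the private keys, but jailing the agent with `private-tmp` has a usability cliff: with the 2.0 socket layout (`/tmp/gpg-XXXXXX/S.gpg-agent`) clients outside the jail cannot reach the socket, and with 2.1 the socket under `~/.gnupg` or `/run/user` must remain reachable from unsandboxed gpg. A one-line comment stating which GnuPG version this was tested with would save the next person the debugging. Consider `net none` too: the agent never opens network sockets itself (keyserver traffic goes through dirmngr), and the sibling gpg.profile already sets it.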
@@ -0,0 +1,24 @@
+# gpg profile
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+# private-bin gpg,gpg-agent
+private-tmp
+private-dev
+# private-etc none
diff --git a/etc/highlight.profile b/etc/highlight.profile
new file mode 100644
index 000000000..f95f3924a
--- /dev/null
+++ b/etc/highlight.profile
@@ -0,0 +1,24 @@
+# highlight profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+private-bin highlight
+private-tmp
+private-dev
+
+
+
diff --git a/etc/img2txt.profile b/etc/img2txt.profile
new file mode 100644
index 000000000..d55a31cd0
--- /dev/null
+++ b/etc/img2txt.profile
@@ -0,0 +1,24 @@
+# img2txt profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+net none
+shell none
+tracelog
+
+#private-bin img2txt
+private-tmp
+private-dev
+#private-etc none
+
+
diff --git a/etc/k3b.profile b/etc/k3b.profile
new file mode 100644
index 000000000..6e16d233c
--- /dev/null
+++ b/etc/k3b.profile
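Review bot: `net none` in gpg.profile blocks every keyserver operation (`--recv-keys`, `--refresh-keys`, `--search-keys`), including the dirmngr helper that gpg 2.1 spawns inside the jail, and nothing tells the user that. It is a defensible default for a key-handling tool, but add `# net none: keyserver operations will fail; fetch keys with gpa or outside the jail` so the failure mode is discoverable. The `# private-bin gpg,gpg-agent` placeholder omits `dirmngr`, `pinentry` and the `gpgconf` helper, so it will break if enabled as written.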
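Review bot: highlight.profile is the one converter in this commit with no `private-etc` line at all; mediainfo, odt2txt and pdftotext set `private-etc none`, img2txt leaves it commented. If highlight works with an empty /etc, add `private-etc none` for consistency; if it does not (locale or ld.so configuration are the usual reasons), leave a commented line saying so. `private-bin highlight` is active here, so this is already at the tighter end of the set.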
@@ -0,0 +1,21 @@ +# k3b profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +shell none +seccomp +protocol unix + +# private-bin +private-dev +private-tmp +# private-etc + diff --git a/etc/kate.profile b/etc/kate.profile new file mode 100644 index 000000000..4b07ea6cb --- /dev/null +++ b/etc/kate.profile @@ -0,0 +1,28 @@ +# kate profile +noblacklist ~/.local/share/kate +noblacklist ~/.config/katerc +noblacklist ~/.config/katepartrc +noblacklist ~/.config/kateschemarc +noblacklist ~/.config/katesyntaxhighlightingrc +noblacklist ~/.config/katevirc + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +#include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin kate +private-tmp +private-dev +# private-etc fonts diff --git a/etc/lynx.profile b/etc/lynx.profile new file mode 100644 index 000000000..6e150f62e --- /dev/null +++ b/etc/lynx.profile @@ -0,0 +1,22 @@ +# lynx profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +netfilter +shell none +tracelog + +# private-bin lynx +private-tmp +private-dev +# private-etc none + diff --git a/etc/mediainfo.profile b/etc/mediainfo.profile new file mode 100644 index 000000000..c07a9a9e8 --- /dev/null +++ b/etc/mediainfo.profile 
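Review bot: k3b.profile enables `private-dev` while brasero and xfburn in this same commit leave it commented; as far as I know firejail's private /dev exposes only a fixed set of nodes, and the optical drive (`/dev/sr0`) is not obviously among them, so k3b may be unable to see the burner at all. If it was tested and works, a comment explaining why k3b differs from the other burner profiles would help; otherwise comment `private-dev` out like the siblings.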
@@ -0,0 +1,26 @@ +# mediainfo profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin mediainfo +private-tmp +private-dev +private-etc none + + + + diff --git a/etc/nautilus.profile b/etc/nautilus.profile new file mode 100644 index 000000000..264ee0b9d --- /dev/null +++ b/etc/nautilus.profile @@ -0,0 +1,26 @@ +# nautilus profile + +# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect. + +noblacklist ~/.config/nautilus + +include /etc/firejail/disable-common.inc +# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files +#include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +protocol unix +seccomp +netfilter +shell none +tracelog + +# private-bin nautilus +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/odt2txt.profile b/etc/odt2txt.profile new file mode 100644 index 000000000..329275022 --- /dev/null +++ b/etc/odt2txt.profile @@ -0,0 +1,24 @@ +# odt2txt profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin odt2txt +private-tmp +private-dev +private-etc none + +read-only ${HOME} diff --git a/etc/okular.profile b/etc/okular.profile index b43a5fbea..22e223cea 100644 --- a/etc/okular.profile +++ b/etc/okular.profile 
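Review bot: mediainfo only reads its inputs and prints to stdout in normal use, so it is a candidate for `read-only ${HOME}`, which odt2txt.profile in this commit adds for the same kind of tool. The exception is the `--LogFile` option, which writes a file; if breaking that is acceptable, add the line, otherwise leave a comment saying why it was left out. Everything else here (`net none`, `private-bin mediainfo`, `private-etc none`) is the right shape for a parser of attacker-controlled files.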
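Review bot: the nautilus.profile header attributes the missing sandboxing to systemd, but what bypasses firejail is more likely that GNOME Shell starts nautilus through D-Bus activation (possibly backed by the systemd user session) and reuses the instance that is already running; suggest `# nautilus is launched via D-Bus activation and an instance is usually already running, so firejail is not applied by default`. The same wording appears in gedit, gjs and tracker. Keep the rationale for disabling disable-programs.inc, which is the right call for a file manager that launches other applications, but spell out that the launched applications inherit this jail.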
@@ -9,17 +9,17 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all -nogroups +netfilter nonewprivs +nogroups noroot +nosound protocol unix seccomp -nosound +shell none +tracelog +# private-bin okular,kbuildsycoca4,kbuildsycoca5 +# private-etc X11 private-dev - -#Experimental: -#net none -#shell none -#private-bin okular,kbuildsycoca4,kbuildsycoca5 -#private-etc X11 +private-tmp diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile new file mode 100644 index 000000000..632c9d15e --- /dev/null +++ b/etc/pdftotext.profile @@ -0,0 +1,22 @@ +# pdftotext profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +netfilter +net none +shell none +tracelog + +private-bin pdftotext +private-tmp +private-dev +private-etc none diff --git a/etc/simple-scan.profile b/etc/simple-scan.profile new file mode 100644 index 000000000..03089482b --- /dev/null +++ b/etc/simple-scan.profile @@ -0,0 +1,23 @@ +# simple-scan profile +noblacklist ~/.cache/simple-scan + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +#seccomp +netfilter +shell none +tracelog + +# private-bin simple-scan +# private-tmp +# private-dev +# private-etc fonts diff --git a/etc/skanlite.profile b/etc/skanlite.profile new file mode 100644 index 000000000..6e8face75 --- /dev/null +++ b/etc/skanlite.profile 
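Review bot: in okular.profile the experimental `#net none` line is deleted rather than promoted, while `shell none` and `private-tmp` from the same experimental list are activated, and nothing records why networking stayed. Okular renders untrusted documents; with `protocol unix` kept, inet sockets are already refused, and `net none` would add an empty network namespace at the cost of opening remote URLs through KIO, which is presumably the reason. Either restore it or leave `# net none breaks opening remote documents` so the next reviewer does not re-propose it. The start of this profile (its `noblacklist` lines) is outside the hunk.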
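Review bot: `#seccomp` is commented out in simple-scan.profile with no explanation, and it is the one mitigation here that restricts the syscall surface while the process parses scanner data arriving over USB or the network (`protocol unix,inet,inet6`); skanlite.profile in this commit has the same gap. Record the failing syscall in the comment or enable `seccomp`. `# private-dev` presumably stays off because USB scanners live under /dev/bus/usb; say so, or check whether firejail's private /dev already exposes it.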
@@ -0,0 +1,21 @@
+# skanlite profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+#seccomp
+protocol unix
+
+private-bin skanlite
+# private-dev
+# private-tmp
+# private-etc
+
diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile
new file mode 100644
index 000000000..485bd8f3b
--- /dev/null
+++ b/etc/ssh-agent.profile
@@ -0,0 +1,15 @@
+# ssh-agent
+quiet
+noblacklist ~/.ssh
+noblacklist /tmp/ssh-*
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/etc/tracker.profile b/etc/tracker.profile
new file mode 100644
index 000000000..217631216
--- /dev/null
+++ b/etc/tracker.profile
@@ -0,0 +1,24 @@
+# tracker profile
+
+# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin tracker
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile
new file mode 100644
index 000000000..88ded649c
--- /dev/null
+++ b/etc/transmission-cli.profile
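Review bot: `#seccomp` is disabled in skanlite.profile without a stated reason, exactly as in simple-scan.profile; a SANE front-end parsing device input is a reasonable place to want the syscall filter, so either enable it or note which syscall failed. `private-bin skanlite` is active, which is good; since `protocol unix` only allows local SANE backends, a comment saying that network scanners are out of scope would stop users from reporting it as a bug.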
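Review bot: `noblacklist ~/.ssh` in ssh-agent.profile is wider than the agent itself needs — ssh-agent never opens key files; ssh-add reads them and hands them over the socket — so the line is only justified if the agent is run as a wrapper (`ssh-agent <command>`) whose child needs the keys, and a comment should say which use is intended. `protocol unix,inet,inet6` raises the same question: the agent listens on a unix socket only, so `protocol unix` (or `net none`) fits unless a wrapped child must reach the network. The profile also lacks `nogroups`, `nosound`, `shell none` and `private-dev`, which every other profile in this commit sets; if the wrapper use case is why they are omitted, say so rather than leaving it to guesswork.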
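Review bot: tracker.profile attaches to the `tracker` command-line binary, but the code that parses untrusted file contents is tracker-extract (and tracker-miner-fs), which are separate executables and will not pick up a profile named tracker.profile; on Tracker 1.x those are the processes worth sandboxing. Consider adding profiles (or symlinks) for those binaries, and rephrase the header: they are normally started by D-Bus activation or the session rather than a systemd unit, which is why firejail is not applied by default. The `# private-etc fonts` placeholder makes little sense for a headless indexer and could be dropped.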
@@ -0,0 +1,24 @@
+# transmission-cli bittorrent profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+#private-bin transmission-cli
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile
new file mode 100644
index 000000000..5e5284b34
--- /dev/null
+++ b/etc/transmission-show.profile
@@ -0,0 +1,24 @@
+# transmission-show profile
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/.cache/transmission
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+net none
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/w3m.profile b/etc/w3m.profile
new file mode 100644
index 000000000..d765217cf
--- /dev/null
+++ b/etc/w3m.profile
@@ -0,0 +1,23 @@
+# w3m profile
+noblacklist ~/.w3m
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin w3m
+private-tmp
+private-dev
+private-etc none
diff --git a/etc/xfburn.profile b/etc/xfburn.profile
new file mode 100644
index 000000000..1dd24aa61
--- /dev/null
+++ b/etc/xfburn.profile
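Review bot: `net none` together with `protocol unix` leaves transmission-cli with no network at all, but transmission-cli is the command-line BitTorrent client that actually downloads torrents, so under this profile it can never reach a tracker or a peer. This looks copied from transmission-show.profile, where `net none` is correct because transmission-show only parses a .torrent file. Change the two lines to `protocol unix,inet,inet6` and drop `net none`, keeping `netfilter`; if a no-network profile really was the intent, say so in the header comment.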
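Review bot: `private-etc none` in w3m.profile gives the browser a /etc without the files it needs — `resolv.conf`, `hosts`, `nsswitch.conf`, the CA bundle under `/etc/ssl` — so name resolution and TLS will fail unless firejail treats `none` specially, which I cannot confirm from this diff. lynx and elinks in this commit leave the line commented for what is presumably the same reason. Either comment it out to match them, or list the needed files, e.g. `private-etc resolv.conf,hosts,nsswitch.conf,ssl,ca-certificates`, which is the tighter option.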
@@ -0,0 +1,23 @@
+# xfburn profile
+noblacklist ~/.config/xfburn
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+# private-bin xfburn
+# private-tmp
+# private-dev
+# private-etc fonts
diff --git a/etc/xpra.profile b/etc/xpra.profile
new file mode 100644
index 000000000..8584e4e5b
--- /dev/null
+++ b/etc/xpra.profile
@@ -0,0 +1,21 @@
+# xpra profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+shell none
+seccomp
+protocol unix,inet,inet6
+
+# private-bin
+private-dev
+private-tmp
+# private-etc
+
-- cgit v1.2.3-54-g00ecf
From ecd3b2191b573081c41cec0c497f8043790d50be Mon Sep 17 00:00:00 2001
From: valoq
Date: Sat, 19 Nov 2016 22:22:19 +0100
Subject: fixed spacing in profiles
---
etc/abrowser.profile | 1 -
etc/brave.profile | 1 -
etc/claws-mail.profile | 1 -
etc/corebird.profile | 1 -
etc/cyberfox.profile | 1 -
etc/dillo.profile | 1 -
etc/emacs.profile | 1 -
etc/eog.profile | 1 -
etc/evolution.profile | 1 -
etc/firefox.profile | 1 -
etc/gajim.profile | 1 -
etc/git.profile | 1 -
etc/gnome-clocks.profile | 1 -
etc/gpg-agent.profile | 1 -
etc/icecat.profile | 1 -
etc/keepass.profile | 1 -
etc/keepass2.profile | 1 -
etc/keepassx.profile | 1 -
etc/konversation.profile | 1 -
etc/lxterminal.profile | 1 -
etc/mutt.profile | 1 -
etc/netsurf.profile | 1 -
etc/psi-plus.profile | 1 -
etc/qemu-launcher.profile | 1 -
etc/qemu-system-x86_64.profile | 1 -
etc/qutebrowser.profile | 1 -
etc/virtualbox.profile | 1 -
etc/wire.profile | 1 -
etc/xviewer.profile | 1 +
etc/zoom.profile | 1 -
30 files changed, 1 insertion(+), 29 deletions(-) (limited to 'etc')
diff --git a/etc/abrowser.profile b/etc/abrowser.profile
index 4aa18aa90..481301420 100644
--- a/etc/abrowser.profile
+++ b/etc/abrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Abrowser
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 include /etc/firejail/disable-common.inc
diff --git a/etc/brave.profile b/etc/brave.profile
index 4fc3a5bb0..21ea7f908 100644
--- a/etc/brave.profile
+++ b/etc/brave.profile
@@ -1,5 +1,4 @@
 # Profile for Brave browser
-
 noblacklist ~/.config/brave
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/claws-mail.profile b/etc/claws-mail.profile
index 1b6d2f645..8921bb25e 100644
--- a/etc/claws-mail.profile
+++ b/etc/claws-mail.profile
@@ -1,5 +1,4 @@
 # claws-mail profile
-
 noblacklist ~/.claws-mail
 noblacklist ~/.signature
 noblacklist ~/.gnupg
diff --git a/etc/corebird.profile b/etc/corebird.profile
index 077ae30d0..6fb8219e8 100644
--- a/etc/corebird.profile
+++ b/etc/corebird.profile
@@ -1,5 +1,4 @@
 # Firejail corebird profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/cyberfox.profile b/etc/cyberfox.profile
index ae487fa3c..84021dab3 100644
--- a/etc/cyberfox.profile
+++ b/etc/cyberfox.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Cyberfox (based on Mozilla Firefox)
-
 noblacklist ~/.8pecxstudios
 noblacklist ~/.cache/8pecxstudios
 include /etc/firejail/disable-common.inc
diff --git a/etc/dillo.profile b/etc/dillo.profile
index 2ddd363cb..108787920 100644
--- a/etc/dillo.profile
+++ b/etc/dillo.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Dillo web browser
-
 noblacklist ~/.dillo
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
diff --git a/etc/emacs.profile b/etc/emacs.profile
index cbdba7712..2b9c5805c 100644
--- a/etc/emacs.profile
+++ b/etc/emacs.profile
@@ -1,5 +1,4 @@
 # emacs profile
-
 noblacklist ~/.emacs
 noblacklist ~/.emacs.d
diff --git a/etc/eog.profile b/etc/eog.profile
index 68e950bd7..d463f3a97 100644
--- a/etc/eog.profile
+++ b/etc/eog.profile
@@ -1,5 +1,4 @@
 # eog (gnome image viewer) profile
-
 noblacklist ~/.config/eog
 include /etc/firejail/disable-common.inc
diff --git a/etc/evolution.profile b/etc/evolution.profile
index d63eeed74..ab6dd7a4a 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -1,5 +1,4 @@
 # evolution profile
-
 noblacklist ~/.config/evolution
 noblacklist ~/.local/share/evolution
 noblacklist ~/.cache/evolution
diff --git a/etc/firefox.profile b/etc/firefox.profile
index 6bb581f4f..4f971f330 100644
--- a/etc/firefox.profile
+++ b/etc/firefox.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 noblacklist ~/.config/qpdfview
diff --git a/etc/gajim.profile b/etc/gajim.profile
index 809378ef9..b030a68b4 100644
--- a/etc/gajim.profile
+++ b/etc/gajim.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Gajim
-
 mkdir ${HOME}/.cache/gajim
 mkdir ${HOME}/.local/share/gajim
 mkdir ${HOME}/.config/gajim
diff --git a/etc/git.profile b/etc/git.profile
index 73122d347..edb59ce13 100644
--- a/etc/git.profile
+++ b/etc/git.profile
@@ -1,5 +1,4 @@
 # git profile
-
 noblacklist ~/.gitconfig
 noblacklist ~/.ssh
 noblacklist ~/.gnupg
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 30adadda1..6cccf9d32 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -1,5 +1,4 @@
 # gnome-clocks profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 31ed8812e..b0ebdf43c 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -1,5 +1,4 @@
 # gpg-agent profile
-
 noblacklist ~/.gnupg
 include /etc/firejail/disable-common.inc
diff --git a/etc/icecat.profile b/etc/icecat.profile
index 2f8e2df7f..0348076da 100644
--- a/etc/icecat.profile
+++ b/etc/icecat.profile
@@ -1,5 +1,4 @@
 # Firejail profile for GNU Icecat
-
 noblacklist ~/.mozilla
 noblacklist ~/.cache/mozilla
 include /etc/firejail/disable-common.inc
diff --git a/etc/keepass.profile b/etc/keepass.profile
index 23f9a7b40..18a5f4ebd 100644
--- a/etc/keepass.profile
+++ b/etc/keepass.profile
@@ -1,5 +1,4 @@
 # keepass password manager profile
-
 noblacklist ${HOME}/.config/keepass
 noblacklist ${HOME}/.keepass
diff --git a/etc/keepass2.profile b/etc/keepass2.profile
index fd390f7ed..9daa014e3 100644
--- a/etc/keepass2.profile
+++ b/etc/keepass2.profile
@@ -1,5 +1,4 @@
 # keepass password manager profile
-
 #noblacklist ${HOME}/.config/KeePass
 #noblacklist ${HOME}/.keepass
diff --git a/etc/keepassx.profile b/etc/keepassx.profile
index 415160df3..d8621773f 100644
--- a/etc/keepassx.profile
+++ b/etc/keepassx.profile
@@ -1,5 +1,4 @@
 # keepassx password manager profile
-
 noblacklist ${HOME}/.config/keepassx
 noblacklist ${HOME}/.keepassx
 noblacklist ${HOME}/keepassx.kdbx
diff --git a/etc/konversation.profile b/etc/konversation.profile
index e9546fd1b..c00b91c18 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -1,5 +1,4 @@
 # Firejail konversation profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
diff --git a/etc/lxterminal.profile b/etc/lxterminal.profile
index d1d0b8a0d..12765c299 100644
--- a/etc/lxterminal.profile
+++ b/etc/lxterminal.profile
@@ -1,5 +1,4 @@
 # lxterminal (LXDE) profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 54cf828b1..2718421c5 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -1,5 +1,4 @@
 # mutt email client profile
-
 noblacklist ~/.muttrc
 noblacklist ~/.mutt
 noblacklist ~/.mutt/muttrc
diff --git a/etc/netsurf.profile b/etc/netsurf.profile
index 1ed2163c2..2071e5519 100644
--- a/etc/netsurf.profile
+++ b/etc/netsurf.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Mozilla Firefox (Iceweasel in Debian)
-
 noblacklist ~/.config/netsurf
 noblacklist ~/.cache/netsurf
 include /etc/firejail/disable-common.inc
diff --git a/etc/psi-plus.profile b/etc/psi-plus.profile
index a9323448b..e4e69b9f6 100644
--- a/etc/psi-plus.profile
+++ b/etc/psi-plus.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Psi+
-
 noblacklist ${HOME}/.config/psi+
 noblacklist ${HOME}/.local/share/psi+
 include /etc/firejail/disable-common.inc
diff --git a/etc/qemu-launcher.profile b/etc/qemu-launcher.profile
index 9fa8a91d4..f9c8e6345 100644
--- a/etc/qemu-launcher.profile
+++ b/etc/qemu-launcher.profile
@@ -1,5 +1,4 @@
 # qemu-launcher profile
-
 noblacklist ~/.qemu-launcher
 include /etc/firejail/disable-common.inc
diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile
index 3d4587fb1..65e1e44ea 100644
--- a/etc/qemu-system-x86_64.profile
+++ b/etc/qemu-system-x86_64.profile
@@ -1,5 +1,4 @@
 # qemu profile
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/qutebrowser.profile b/etc/qutebrowser.profile
index 0efb7b629..eabbe0f3e 100644
--- a/etc/qutebrowser.profile
+++ b/etc/qutebrowser.profile
@@ -1,5 +1,4 @@
 # Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
-
 noblacklist ~/.config/qutebrowser
 noblacklist ~/.cache/qutebrowser
 include /etc/firejail/disable-common.inc
diff --git a/etc/virtualbox.profile b/etc/virtualbox.profile
index 49f8f8b24..36a1e0704 100644
--- a/etc/virtualbox.profile
+++ b/etc/virtualbox.profile
@@ -1,5 +1,4 @@
 # VirtualBox profile
-
 noblacklist ${HOME}/.VirtualBox
 noblacklist ${HOME}/VirtualBox VMs
 noblacklist ${HOME}/.config/VirtualBox
diff --git a/etc/wire.profile b/etc/wire.profile
index c84b4cc28..ec8ed8771 100644
--- a/etc/wire.profile
+++ b/etc/wire.profile
@@ -1,5 +1,4 @@
 # wire messenger profile
-
 noblacklist ~/.config/Wire
 noblacklist ~/.config/wire
diff --git a/etc/xviewer.profile b/etc/xviewer.profile
index cbb59d16e..ca380b4c7 100644
--- a/etc/xviewer.profile
+++ b/etc/xviewer.profile
@@ -1,3 +1,4 @@
+# xviewer profile
 noblacklist ~/.config/xviewer
 include /etc/firejail/disable-common.inc
diff --git a/etc/zoom.profile b/etc/zoom.profile
index f5831dd88..4c08868cf 100644
--- a/etc/zoom.profile
+++ b/etc/zoom.profile
@@ -1,5 +1,4 @@
 # Firejail profile for zoom.us
-
 noblacklist ~/.config/zoomus.conf
 include /etc/firejail/disable-common.inc
-- cgit v1.2.3-54-g00ecf
From b93b223507d3cb1a8b8f1c96657134d4c23da9a1 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sat, 19 Nov 2016 23:06:57 +0100
Subject: fixed typo
---
etc/amarok.profile | 4 ++--
etc/k3b.profile | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'etc')
diff --git a/etc/amarok.profile b/etc/amarok.profile
index 962865790..8d5b35d47 100644
--- a/etc/amarok.profile
+++ b/etc/amarok.profile
@@ -1,4 +1,4 @@
-# amorak profile
+# amarok profile
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-devel.inc
@@ -13,7 +13,7 @@ shell none
 #seccomp
 protocol unix,inet,inet6
-#private-bin amorak
+#private-bin amarok
 private-dev
 private-tmp
 #private-etc none
diff --git a/etc/k3b.profile b/etc/k3b.profile
index 6e16d233c..8a5fff0c6 100644
--- a/etc/k3b.profile
+++ b/etc/k3b.profile
@@ -15,7 +15,7 @@ seccomp
 protocol unix
 # private-bin
-private-dev
-private-tmp
+# private-dev
+# private-tmp
 # private-etc
-- cgit v1.2.3-54-g00ecf
From 35cf892b0bcb9b5a88e70c211c5dab3b65b86c2b Mon Sep 17 00:00:00 2001
From: valoq
Date: Sat, 19 Nov 2016 23:10:01 +0100
Subject: minor fix
---
etc/skanlite.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc')
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 6e8face75..4dcfa64d9 100644
--- a/etc/skanlite.profile
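Review bot: The k3b hunk disables `private-dev` and `private-tmp` under a commit titled "fixed typo", with no comment recording the reason; the typo fix is in the amarok hunks, and this is a deliberate loosening of the sandbox that a later reader will not recognise as such. Presumably k3b needs the optical-drive device nodes that `private-dev` hides, but that is an inference from the program's purpose, not something the hunk states. Record it in place, e.g. `# private-dev disabled: k3b needs the optical drive device nodes`, with a similar line for `private-tmp`. The rest of k3b.profile is outside the hunk.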
+++ b/etc/skanlite.profile
@@ -12,7 +12,7 @@ noroot
 nosound
 shell none
 #seccomp
-protocol unix
+protocol unix,inet,inet6
 private-bin skanlite
 # private-dev
-- cgit v1.2.3-54-g00ecf
From 84230c5ed4a507f4262ab764475eab962624e032 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sat, 19 Nov 2016 23:19:45 +0100
Subject: reversed incorrect changes
---
etc/evince.profile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'etc')
diff --git a/etc/evince.profile b/etc/evince.profile
index cbb2083f4..12ea358be 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -19,4 +19,5 @@ tracelog
 private-bin evince,evince-previewer,evince-thumbnailer
 private-dev
 private-etc fonts
-private-tmp
\ No newline at end of file
+# evince needs access to /tmp/mozilla* to work in firefox
+# private-tmp
-- cgit v1.2.3-54-g00ecf
From bedf08d73c59ac95e2de56ccf279108a038cb313 Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 20 Nov 2016 12:38:38 +0100
Subject: updated default.profile
---
etc/default.profile | 10 ++++++++--
etc/file.profile | 19 ++++++++++++++-----
2 files changed, 22 insertions(+), 7 deletions(-) (limited to 'etc')
diff --git a/etc/default.profile b/etc/default.profile
index a2de72695..487e80c64 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -5,11 +5,17 @@ include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-programs.inc
 include /etc/firejail/disable-passwdmgr.inc
-#blacklist ${HOME}/.wine
-
 caps.drop all
 netfilter
+nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
+shell none
+
+# private-bin program
+# private-etc none
+# private-dev
+# private-tmp
+
diff --git a/etc/file.profile b/etc/file.profile
index 199a97fad..f709e7f0c 100644
--- a/etc/file.profile
+++ b/etc/file.profile
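Review bot: The skanlite protocol line widens from `protocol unix` to `protocol unix,inet,inet6` without a comment, and the context shows `#seccomp` still disabled, so the profile now permits network sockets and the full syscall set at once. If inet is required (presumably for network scanners reached through SANE), say so in place, e.g. `# inet/inet6 needed for network scanners` above the protocol line, so the next tightening pass does not revert it blindly. The rest of skanlite.profile is outside the hunk.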
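Review bot: The new evince comment explains why `private-tmp` is disabled but not what it costs: evince now sees all of /tmp, not only the /tmp/mozilla* directories it needs, and "to work in firefox" reads better as "when launched from Firefox". A comment along the lines of `# private-tmp disabled: Firefox hands evince files under /tmp/mozilla*, which private-tmp would hide; this exposes all of /tmp` keeps the trade-off visible to the next maintainer. The remaining lines of evince.profile are outside the hunk.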
@@ -1,16 +1,25 @@
 # file profile
-ignore noroot
-include /etc/firejail/default.profile
-
-blacklist /tmp/.X11-unix
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
 hostname file
+netfilter
 net none
 no3d
+nogroups
+nonewprivs
+#noroot
 nosound
-quiet
+protocol unix
+seccomp
 shell none
 tracelog
+quiet
+x11 none
+
+blacklist /tmp/.X11-unix
 private-dev
 private-bin file
-- cgit v1.2.3-54-g00ecf
From a9e69fe9e65f44f1f9fa4088842ff2af3cd8d6ca Mon Sep 17 00:00:00 2001
From: valoq
Date: Sun, 20 Nov 2016 12:40:52 +0100
Subject: fixed mudpf profile for debian
---
etc/mupdf.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc')
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index dc23d5840..7116fa1a6 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -18,7 +18,7 @@ tracelog
 #seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-private-bin mupdf
+private-bin mupdf,sh,tempfile,rm
 private-tmp
 private-dev
 private-etc fonts
-- cgit v1.2.3-54-g00ecf
From aaa9bcb02fae1eb9ffb765080d6b466f52918285 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Sun, 20 Nov 2016 11:19:25 -0500
Subject: profiles
---
README | 34 +++++++++++++++++++---------------
etc/default.profile | 7 +++++--
etc/mupdf.profile | 8 +++++---
src/fseccomp/main.c | 4 ++--
4 files changed, 31 insertions(+), 22 deletions(-) (limited to 'etc')
diff --git a/README b/README
index bd32034a3..45d021008 100644
--- a/README
+++ b/README
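Review bot: `#noroot` in the rewritten file profile is commented out with no reason given; the removed `ignore noroot` line shows the exclusion was already deliberate, but the rewrite loses even that signal, so a line such as `# noroot disabled: <reason — TODO confirm>` should accompany it. Two smaller points in the same hunk: `netfilter` appears to have no effect alongside `net none`, since no network interface is left to filter, and `blacklist /tmp/.X11-unix` seems to duplicate what `x11 none` already does — if either pair is kept on purpose a comment should say so.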
@@ -80,6 +80,25 @@ Fred-Barclay (https://github.com/Fred-Barclay)
 - evince profile enhancement
 - tightened Spotify profile
 - added xiphos and Tor Browser Bundle profiles
+valoq (https://github.com/valoq)
+ - lots of profile fixes
+ - added support for /srv in --whitelist feature
+ - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
+ - blacklist suid binaries in disable-common.inc
+ - fix man pages
+ - added keypass2, qemu profiles
+ - added amarok, ark, atool, bleachbit, brasero, dolphin, dragon, elinks, enchant, exiftool profiles
+ - added file-roller, gedit, gjs,gnome-books, gnome-documents, gnome-maps, gnome-music profiles
+ - added gnome-photos, gnome-weather, goobox, gpa, gpg, gpg-agent, highlight profiles
+ - added img2txt, k3b, kate, lynx, mediainfo, nautilus, odt2txt, pdftotext, simple-scan profiles
+ - added skanlite, ssh-agent, transmission-cli, tracker, transmission-show, w3m, xfburn, xpra profiles
+Vasya Novikov (https://github.com/vn971)
+ - Wesnoth profile
+ - Hedegewars profile
+ - manpage fixes
+ - fixed firecfg clean/clear issue
+ - found the ugliest bug so far
+ - seccomp debug description in man page
 curiosity-seeker (https://github.com/curiosity-seeker)
 - tightening unbound and dnscrypt-proxy profiles
 - dnsmasq profile
@@ -95,15 +114,6 @@ BogDan Vatra (https://github.com/bog-dan-ro)
 - zoom profile
 Impyy (https://github.com/Impyy)
 - added mumble profile
-valoq (https://github.com/valoq)
- - LibreOffice profile fixes
- - cherrytree profile fixes
- - added support for /srv in --whitelist feature
- - Eye of GNOME, Evolution, display (imagemagik) and Wire profiles
- - blacklist suid binaries in disable-common.inc
- - fix man pages
- - various profile improvements
- - added keypass2, qemu profiles
 Vadim A. Misbakh-Soloviov (https://github.com/msva)
 - profile fixes
 Rafael Cavalcanti (https://github.com/rccavalcanti)
@@ -196,12 +206,6 @@ avoidr (https://github.com/avoidr)
 - various other fixes
 Ruan (https://github.com/ruany)
 - fixed hexchat profile
-Vasya Novikov (https://github.com/vn971)
- - Wesnoth profile
- - Hedegewars profile
- - manpage fixes
- - fixed firecfg clean/clear issue
- - found the ugliest bug so far
 Matthew Gyurgyik (https://github.com/pyther)
 - rpm spec and several fixes
 Joan Figueras (https://github.com/figue)
diff --git a/etc/default.profile b/etc/default.profile
index 487e80c64..603321316 100644
--- a/etc/default.profile
+++ b/etc/default.profile
@@ -7,13 +7,16 @@ include /etc/firejail/disable-passwdmgr.inc
 caps.drop all
 netfilter
-nogroups
 nonewprivs
 noroot
 protocol unix,inet,inet6
 seccomp
-shell none
+#
+# depending on you usage, you can enable some of the commands below:
+#
+# nogroups
+# shell none
 # private-bin program
 # private-etc none
 # private-dev
diff --git a/etc/mupdf.profile b/etc/mupdf.profile
index 7116fa1a6..7f9261d8b 100644
--- a/etc/mupdf.profile
+++ b/etc/mupdf.profile
@@ -16,9 +16,6 @@ net none
 shell none
 tracelog
-#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
-
-private-bin mupdf,sh,tempfile,rm
 private-tmp
 private-dev
 private-etc fonts
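Review bot: The new comment block in default.profile has a typo — `# depending on you usage, you can enable some of the commands below:` should read `# depending on your usage, you can enable some of the commands below:`. Since this file is the fallback applied to every program without a dedicated profile, a one-line note on why `nogroups` and `shell none` were moved from active to suggested (the previous commit on this page had enabled them) would spare the next contributor from re-enabling them. The rest of default.profile is outside the hunk.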
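Review bot: After this mupdf hunk the profile has no active `private-bin` line at all: the previous commit's `private-bin mupdf,sh,tempfile,rm` is removed here and re-added only as a commented "Experimental" entry in the next hunk of the same file. The earlier commit subject "fixed mudpf profile for debian" suggests Debian ships mupdf as a shell wrapper needing sh, tempfile and rm, which would explain why plain `private-bin mupdf` was not restored, but that reasoning is recorded nowhere in the profile. A comment such as `# private-bin disabled: on Debian mupdf is a shell wrapper needing sh, tempfile and rm` next to the Experimental block would explain both the removal and the sh entry.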
@@ -26,3 +23,8 @@ private-etc fonts
 # mupdf will never write anything
 read-only ${HOME}
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm
diff --git a/src/fseccomp/main.c b/src/fseccomp/main.c
index 471e0b193..2f85a786b 100644
--- a/src/fseccomp/main.c
+++ b/src/fseccomp/main.c
@@ -38,7 +38,7 @@ static void usage(void) {
 }
 int main(int argc, char **argv) {
-//#if 0
+#if 0
 {
 //system("cat /proc/self/status");
 int i;
@@ -46,7 +46,7 @@ for (i = 0; i < argc; i++)
 printf("*%s* ", argv[i]);
 printf("\n");
 }
-//#endif
+#endif
 if (argc < 2) {
 usage();
 return 1;
-- cgit v1.2.3-54-g00ecf
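Review bot: Switching `//#if 0` to `#if 0` leaves the argv-dumping block at the top of `main` as guarded-out dead code, with a further commented-out `//system("cat /proc/self/status");` inside it; this is debugging scaffolding that will drift out of sync with the surrounding code and is better deleted outright than toggled. If it must stay, a one-line comment at the guard such as `/* debug only: dump argv; flip to #if 1 to enable */` makes the intent explicit. Both main.c hunks in this commit belong to the same block, and `main` continues past the second hunk.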