diff --git a/etc/0ad.profile b/etc/0ad.profile index 88c9c453b..565d42567 100644 --- a/etc/0ad.profile +++ b/etc/0ad.profile @@ -24,6 +24,7 @@ whitelist ${HOME}/.cache/0ad whitelist ${HOME}/.config/0ad whitelist ${HOME}/.local/share/0ad include whitelist-common.inc +include whitelist-var-common.inc caps.drop all netfilter diff --git a/etc/QMediathekView.profile b/etc/QMediathekView.profile index ece681c35..eb21349a9 100644 --- a/etc/QMediathekView.profile +++ b/etc/QMediathekView.profile @@ -39,6 +39,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,inet,inet6,netlink seccomp shell none diff --git a/etc/Xvfb.profile b/etc/Xvfb.profile index 6559be21a..937d02d60 100644 --- a/etc/Xvfb.profile +++ b/etc/Xvfb.profile @@ -31,6 +31,7 @@ nonewprivs nosound notv nou2f +novideo protocol unix seccomp shell none diff --git a/etc/asunder.profile b/etc/asunder.profile index fc10739aa..1f3acd735 100644 --- a/etc/asunder.profile +++ b/etc/asunder.profile @@ -30,6 +30,7 @@ nodbus nonewprivs noroot nou2f +novideo protocol unix,inet,inet6 seccomp shell none diff --git a/etc/baobab.profile b/etc/baobab.profile index d2980f75c..c419aa202 100644 --- a/etc/baobab.profile +++ b/etc/baobab.profile @@ -32,5 +32,3 @@ shell none private-bin baobab private-dev private-tmp - -#memory-deny-write-execute - breaks on Arch (see issue #1803) diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile index 7cd39ca6a..29f676535 100644 --- a/etc/dconf-editor.profile +++ b/etc/dconf-editor.profile @@ -41,5 +41,3 @@ private-dev private-etc alternatives,dconf,fonts,gtk-3.0,machine-id private-lib private-tmp - -# memory-deny-write-execute diff --git a/etc/devhelp.profile b/etc/devhelp.profile index 60bebb0c9..02b752b5f 100644 --- a/etc/devhelp.profile +++ b/etc/devhelp.profile 
@@ -41,6 +41,6 @@ private-dev private-etc alternatives,dconf,fonts,ld.so.cache,machine-id,ssl private-tmp -#memory-deny-write-execute - breaks on Arch (see issue 1803) +#memory-deny-write-execute - breaks on Arch (see issue #1803) read-only ${HOME} diff --git a/etc/dino.profile b/etc/dino.profile index f7b220936..82ddf2819 100644 --- a/etc/dino.profile +++ b/etc/dino.profile @@ -1,4 +1,5 @@ # Firejail profile for dino +# Description: Modern XMPP Chat Client using GTK+/Vala # This file is overwritten after every install/update # Persistent local customizations include dino.local diff --git a/etc/disable-common.inc b/etc/disable-common.inc index 5fc65193a..fe49ce2f4 100644 --- a/etc/disable-common.inc +++ b/etc/disable-common.inc @@ -299,11 +299,14 @@ blacklist ${HOME}/*.kdbx blacklist ${HOME}/*.key blacklist ${HOME}/.Private blacklist ${HOME}/.caff +blacklist ${HOME}/.cargo/credentials blacklist ${HOME}/.cert blacklist ${HOME}/.config/keybase blacklist ${HOME}/.davfs2/secrets blacklist ${HOME}/.ecryptfs blacklist ${HOME}/.fetchmailrc +blacklist ${HOME}/.git-credential-cache +blacklist ${HOME}/.git-credentials blacklist ${HOME}/.gnome2/keyrings blacklist ${HOME}/.gnupg blacklist ${HOME}/.config/hub diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 260d317d1..e54b651a6 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -29,9 +29,9 @@ blacklist ${HOME}/.Steam blacklist ${HOME}/.Steampath blacklist ${HOME}/.Steampid blacklist ${HOME}/.TelegramDesktop +blacklist ${HOME}/.VSCodium blacklist ${HOME}/.ViberPC blacklist ${HOME}/.VirtualBox -blacklist ${HOME}/.VSCodium blacklist ${HOME}/.WebStorm* blacklist ${HOME}/.Wolfram Research blacklist ${HOME}/.ZAP 
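Review bot: `blacklist ${HOME}/.cargo/credentials` in the disable-common.inc hunk covers only the extensionless file, but Cargo also stores registry tokens in `${HOME}/.cargo/credentials.toml`, so that spelling stays readable inside the sandbox. Either add `blacklist ${HOME}/.cargo/credentials.toml` next to it or use the glob form `blacklist ${HOME}/.cargo/credentials*`, in the same spirit as the `.tor-browser*` consolidation elsewhere in this commit. The two git-credential lines are a straight move from disable-programs.inc and look fine.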
@@ -97,9 +97,9 @@ blacklist ${HOME}/.config/MusicBrainz blacklist ${HOME}/.config/Nathan Osman blacklist ${HOME}/.config/Nylas Mail blacklist ${HOME}/.config/PBE -blacklist ${HOME}/.config/Qlipper blacklist ${HOME}/.config/QGIS blacklist ${HOME}/.config/QMediathekView +blacklist ${HOME}/.config/Qlipper blacklist ${HOME}/.config/QuiteRss blacklist ${HOME}/.config/QuiteRssrc blacklist ${HOME}/.config/Rambox @@ -182,10 +182,11 @@ blacklist ${HOME}/.config/ghb blacklist ${HOME}/.config/ghostwriter blacklist ${HOME}/.config/git blacklist ${HOME}/.config/globaltime +blacklist ${HOME}/.config/gnome-builder blacklist ${HOME}/.config/gnome-mplayer blacklist ${HOME}/.config/gnome-mpv -blacklist ${HOME}/.config/godot blacklist ${HOME}/.config/gnome-pie +blacklist ${HOME}/.config/godot blacklist ${HOME}/.config/google-chrome blacklist ${HOME}/.config/google-chrome-beta blacklist ${HOME}/.config/google-chrome-unstable @@ -235,8 +236,8 @@ blacklist ${HOME}/.config/meteo-qt blacklist ${HOME}/.config/mfusion blacklist ${HOME}/.config/midori blacklist ${HOME}/.config/mono -blacklist ${HOME}/.config/mpd blacklist ${HOME}/.config/mpDris2 +blacklist ${HOME}/.config/mpd blacklist ${HOME}/.config/mps-youtube blacklist ${HOME}/.config/mpv blacklist ${HOME}/.config/mupen64plus @@ -257,8 +258,8 @@ blacklist ${HOME}/.config/opera blacklist ${HOME}/.config/opera-beta blacklist ${HOME}/.config/orage blacklist ${HOME}/.config/org.kde.gwenviewrc -blacklist ${HOME}/.config/pavucontrol.ini blacklist ${HOME}/.config/pavucontrol-qt +blacklist ${HOME}/.config/pavucontrol.ini blacklist ${HOME}/.config/pcmanfm blacklist ${HOME}/.config/pdfmod blacklist ${HOME}/.config/Pinta @@ -356,8 +357,6 @@ blacklist ${HOME}/.freecol blacklist ${HOME}/.freemind blacklist ${HOME}/.frozen-bubble blacklist ${HOME}/.gimp* -blacklist ${HOME}/.git-credentials -blacklist ${HOME}/.git-credential-cache blacklist ${HOME}/.gitconfig blacklist ${HOME}/.gnome/gnome-schedule blacklist ${HOME}/.googleearth/Cache/ 
@@ -417,13 +416,13 @@ blacklist ${HOME}/.kde4/share/apps/kaffeine blacklist ${HOME}/.kde4/share/apps/kcookiejar blacklist ${HOME}/.kde4/share/apps/kget blacklist ${HOME}/.kde4/share/apps/khtml -blacklist ${HOME}/.kde4/share/apps/konqueror blacklist ${HOME}/.kde4/share/apps/konqsidebartng +blacklist ${HOME}/.kde4/share/apps/konqueror blacklist ${HOME}/.kde4/share/apps/kopete blacklist ${HOME}/.kde4/share/apps/ktorrent blacklist ${HOME}/.kde4/share/apps/okular -blacklist ${HOME}/.kde4/share/config/baloorc blacklist ${HOME}/.kde4/share/config/baloofilerc +blacklist ${HOME}/.kde4/share/config/baloorc blacklist ${HOME}/.kde4/share/config/digikam blacklist ${HOME}/.kde4/share/config/gwenviewrc blacklist ${HOME}/.kde4/share/config/k3brc @@ -446,9 +445,9 @@ blacklist ${HOME}/.kinorc blacklist ${HOME}/.klatexformula blacklist ${HOME}/.kodi blacklist ${HOME}/.lincity-ng +blacklist ${HOME}/.links blacklist ${HOME}/.linphone-history.db blacklist ${HOME}/.linphonerc -blacklist ${HOME}/.links blacklist ${HOME}/.lmmsrc.xml blacklist ${HOME}/.local/lib/vivaldi blacklist ${HOME}/.local/share/0ad @@ -502,6 +501,7 @@ blacklist ${HOME}/.local/share/geeqie blacklist ${HOME}/.local/share/gitg blacklist ${HOME}/.local/share/gnome-2048 blacklist ${HOME}/.local/share/gnome-chess +blacklist ${HOME}/.local/share/gnome-builder blacklist ${HOME}/.local/share/gnome-music blacklist ${HOME}/.local/share/gnome-photos blacklist ${HOME}/.local/share/gnome-recipes @@ -637,9 +637,7 @@ blacklist ${HOME}/.teeworlds blacklist ${HOME}/.thunderbird blacklist ${HOME}/.tilp blacklist ${HOME}/.tooling -blacklist ${HOME}/.tor-browser -blacklist ${HOME}/.tor-browser-* -blacklist ${HOME}/.tor-browser_* +blacklist ${HOME}/.tor-browser* blacklist ${HOME}/.torcs blacklist ${HOME}/.tremulous blacklist ${HOME}/.ts3client 
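Review bot: The added `blacklist ${HOME}/.local/share/gnome-builder` is placed after `gnome-chess`, although `gnome-builder` sorts before it, and the `.cache/gnome-builder` entry in the later hunk (`@@ -718,6 +716,7 @@`) lands after the `google-chrome-*` lines, which is also out of order. Since this commit is otherwise re-sorting entries (Qlipper, godot, mpd, pavucontrol, konqueror, baloorc, .links), the two new lines should follow the same alphabetical placement: directly after `gnome-2048` here, and presumably among the other `gnome-*` entries that precede `godot` in the `.cache` list. The `.config/gnome-builder` line in the earlier hunk is already in order.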
@@ -718,6 +716,7 @@ blacklist ${HOME}/.cache/godot blacklist ${HOME}/.cache/google-chrome blacklist ${HOME}/.cache/google-chrome-beta blacklist ${HOME}/.cache/google-chrome-unstable +blacklist ${HOME}/.cache/gnome-builder blacklist ${HOME}/.cache/gnome-recipes blacklist ${HOME}/.cache/gnome-twitch blacklist ${HOME}/.cache/gradio diff --git a/etc/emacs.profile b/etc/emacs.profile index 071a9f5d2..ab378105e 100644 --- a/etc/emacs.profile +++ b/etc/emacs.profile @@ -26,5 +26,6 @@ nogroups nonewprivs noroot notv +novideo protocol unix,inet,inet6 seccomp diff --git a/etc/eo-common.profile b/etc/eo-common.profile index f4b263f50..c4ad8ced4 100644 --- a/etc/eo-common.profile +++ b/etc/eo-common.profile @@ -43,5 +43,3 @@ private-dev private-etc alternatives,dconf,fonts,gtk-3.0 private-lib eog,eom,gdk-pixbuf-2.*,gio,girepository-1.*,gvfs,libgconf-2.so.* private-tmp - -#memory-deny-write-execute - breaks on Arch (see issue #1803) diff --git a/etc/etr.profile b/etc/etr.profile index d93d3de63..97a43bb59 100644 --- a/etc/etr.profile +++ b/etc/etr.profile @@ -1,4 +1,5 @@ # Firejail profile for etr +# Description: High speed arctic racing game # This file is overwritten after every install/update # Persistent local customizations include etr.local @@ -29,6 +30,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,netlink seccomp shell none diff --git a/etc/falkon.profile b/etc/falkon.profile index cabf5aeba..ddcda6228 100644 --- a/etc/falkon.profile +++ b/etc/falkon.profile @@ -38,5 +38,6 @@ seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@res # tracelog private-dev +# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies # private-tmp - interferes with the opening of downloaded files diff --git a/etc/feedreader.profile b/etc/feedreader.profile index e453cc611..e381b12d6 100644 
--- a/etc/feedreader.profile +++ b/etc/feedreader.profile @@ -15,6 +15,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-xdg.inc mkdir ${HOME}/.cache/feedreader mkdir ${HOME}/.local/share/feedreader diff --git a/etc/file-roller.profile b/etc/file-roller.profile index db1426f36..496152540 100644 --- a/etc/file-roller.profile +++ b/etc/file-roller.profile @@ -37,5 +37,3 @@ tracelog # private-bin file-roller private-dev # private-tmp - -# memory-deny-write-execute diff --git a/etc/firefox.profile b/etc/firefox.profile index 0c143f569..8d90a0917 100644 --- a/etc/firefox.profile +++ b/etc/firefox.profile @@ -17,7 +17,7 @@ whitelist ${HOME}/.mozilla # firefox requires a shell to launch on Arch. #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which # Fedora use shell scripts to launch firefox, at least this is required -#private-bin awk,basename,bash,cat,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which +#private-bin awk,basename,bash,cat,dbus-launch,dbus-send,dirname,env,expr,false,firefox,firefox-wayland,ln,mkdir,pidof,rm,rmdir,sed,sh,tclsh,true,uname,which # private-etc must first be enabled in firefox-common.profile #private-etc firefox diff --git a/etc/frozen-bubble.profile b/etc/frozen-bubble.profile index 3931aa64a..6cef181c8 100644 --- a/etc/frozen-bubble.profile +++ b/etc/frozen-bubble.profile @@ -31,6 +31,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,netlink seccomp shell none diff --git a/etc/ghostwriter.profile b/etc/ghostwriter.profile index cb7e7c513..ed9e23b3b 100644 --- a/etc/ghostwriter.profile +++ b/etc/ghostwriter.profile 
@@ -35,8 +35,7 @@ protocol unix,inet,inet6,netlink shell none #tracelog -- breaks -# Breaks Translation -#private-bin ghostwriter,pandoc +private-bin ghostwriter,pandoc,gettext private-cache private-dev # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed diff --git a/etc/gimp.profile b/etc/gimp.profile index 762e743c8..fab7fa123 100644 --- a/etc/gimp.profile +++ b/etc/gimp.profile @@ -8,7 +8,7 @@ include globals.local # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory # if you are not using external plugins, you can comment 'ignore noexec' statement below -# or put 'ignore ignore noexec ${HOME}' in your gimp.local +# or put 'noexec ${HOME}' in your gimp.local ignore noexec ${HOME} noblacklist ${HOME}/.config/GIMP diff --git a/etc/gitg.profile b/etc/gitg.profile index f6f51ef6f..08c1c94b6 100644 --- a/etc/gitg.profile +++ b/etc/gitg.profile @@ -22,6 +22,7 @@ include disable-programs.inc include whitelist-var-common.inc caps.drop all +netfilter no3d nodvd nogroups @@ -39,6 +40,3 @@ private-bin git,gitg,ssh private-cache private-dev private-tmp - -# mdwe breaks diff in older versions -#memory-deny-write-execute diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile index ab2ca183b..726a74089 100644 --- a/etc/gnome-builder.profile +++ b/etc/gnome-builder.profile @@ -6,6 +6,10 @@ include gnome-builder.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/gnome-builder +noblacklist ${HOME}/.config/gnome-builder +noblacklist ${HOME}/.local/share/gnome-builder + # Allows files commonly used by IDEs include allow-common-devel.inc diff --git a/etc/gnome-character-map.profile b/etc/gnome-character-map.profile index 35db448f2..27804fdd0 100644 --- a/etc/gnome-character-map.profile +++ b/etc/gnome-character-map.profile 
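Review bot: `private-bin ghostwriter,pandoc,gettext` drops the `# Breaks Translation` comment that explained why `private-bin` had been disabled, leaving no record of why `gettext` is in the list; presumably it is what keeps translations working once `private-bin` is on. Keep that knowledge in the profile with a comment on the line above, e.g. `# gettext is needed for translations`, so the entry is not removed as unnecessary later.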
@@ -6,4 +6,5 @@ include gnome-character-map.local # added by included profile #include globals.local +# Redirect include gucharmap.profile diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile index 3bbad67bb..aa0b7dbe3 100644 --- a/etc/gnome-photos.profile +++ b/etc/gnome-photos.profile @@ -28,6 +28,7 @@ noroot nosound notv nou2f +novideo protocol unix seccomp shell none diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile index e8b36dd41..005808379 100644 --- a/etc/gnome-schedule.profile +++ b/etc/gnome-schedule.profile @@ -35,14 +35,6 @@ include disable-xdg.inc mkfile ${HOME}/.gnome/gnome-schedule whitelist ${HOME}/.gnome/gnome-schedule -whitelist /etc/at.allow -whitelist /etc/at.deny -whitelist /etc/cron.allow -whitelist /etc/cron.deny -whitelist /etc/fonts -whitelist /etc/pam.d -whitelist /etc/ld.so.preload -whitelist /etc/shadow whitelist /var/spool/atd whitelist /var/spool/cron include whitelist-common.inc @@ -66,5 +58,6 @@ tracelog disable-mnt private-cache private-dev +private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,pam.d,ld.so.preload,shadow writable-var diff --git a/etc/hedgewars.profile b/etc/hedgewars.profile index 1e9f898e0..898a07a5f 100644 --- a/etc/hedgewars.profile +++ b/etc/hedgewars.profile @@ -26,6 +26,7 @@ nonewprivs noroot notv nou2f +novideo seccomp tracelog diff --git a/etc/less.profile b/etc/less.profile index 0f31d344b..282b033a6 100644 --- a/etc/less.profile +++ b/etc/less.profile @@ -8,8 +8,6 @@ include less.local include globals.local noblacklist ${HOME}/.lesshst -read-only ${HOME} -read-write ${HOME}/.lesshst include disable-devel.inc include disable-exec.inc @@ -45,3 +43,5 @@ private-dev writable-var-log memory-deny-write-execute +read-only ${HOME} +read-write ${HOME}/.lesshst diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index b8a6201b2..aa113883e 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile 
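Review bot: `private-etc at.allow,at.deny,cron.allow,cron.deny,fonts,pam.d,ld.so.preload,shadow` brings `/etc/shadow` and `/etc/pam.d` into the sandbox with no comment on why a user-level scheduler front-end needs them; the replaced `whitelist /etc/shadow` lines had the same gap, but a `private-etc` list is where a reader auditing the profile expects the justification. Presumably at/crontab authenticate through PAM and `ld.so.preload` is needed by the `tracelog` directive visible in the same hunk — if so, say it: `# shadow,pam.d: at/crontab PAM auth; ld.so.preload: tracelog`. The list is also unsorted, unlike the other `private-etc` lines in this commit (sqlitebrowser, supertuxkart); sorted it would read `at.allow,at.deny,cron.allow,cron.deny,fonts,ld.so.preload,pam.d,shadow`.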
@@ -34,6 +34,7 @@ nonewprivs noroot notv nou2f +novideo # comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile protocol unix,inet,inet6 # comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile diff --git a/etc/mencoder.profile b/etc/mencoder.profile index 136412d11..aac394a59 100644 --- a/etc/mencoder.profile +++ b/etc/mencoder.profile @@ -25,4 +25,5 @@ shell none private-bin mencoder +# Redirect include mplayer.profile diff --git a/etc/mousepad.profile b/etc/mousepad.profile index 3b9807b28..20370a5b5 100644 --- a/etc/mousepad.profile +++ b/etc/mousepad.profile @@ -26,6 +26,7 @@ noroot nosound notv nou2f +novideo protocol unix seccomp shell none diff --git a/etc/mpsyt.profile b/etc/mpsyt.profile index 878a5f654..6839f7cf4 100644 --- a/etc/mpsyt.profile +++ b/etc/mpsyt.profile @@ -48,15 +48,21 @@ include whitelist-var-common.inc apparmor caps.drop all netfilter +nodbus +nodvd # Seems to cause issues with Nvidia drivers sometimes nogroups nonewprivs noroot +notv +nou2f +novideo protocol unix,inet,inet6 seccomp shell none tracelog +#private-cache private-bin env,ffmpeg,mplayer,mpsyt,mpv,python*,youtube-dl private-dev private-tmp diff --git a/etc/open-invaders.profile b/etc/open-invaders.profile index d80b3d351..5925ccc09 100644 --- a/etc/open-invaders.profile +++ b/etc/open-invaders.profile @@ -27,6 +27,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,netlink seccomp shell none diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile index c5016201d..f1a5741d0 100644 --- a/etc/pdftotext.profile +++ b/etc/pdftotext.profile @@ -1,4 +1,5 @@ # Firejail profile for pdftotext +# Description: Portable Document Format (PDF) to text converter # This file is overwritten after every install/update # Persistent local customizations include pdftotext.local diff --git a/etc/ping.profile b/etc/ping.profile index 00ac45c5a..4ff5250d7 100644 --- a/etc/ping.profile +++ b/etc/ping.profile 
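Review bot: `#private-cache` in mpsyt.profile is added already commented out, with no note on what breaks when it is enabled, so the next maintainer will either re-test blindly or leave it forever. The profile already annotates such decisions inline (`# Seems to cause issues with Nvidia drivers sometimes`), so give this one the same treatment, e.g. `#private-cache - breaks <what breaks>`, or drop the line if it was never tried. The other additions (`nodbus`, `nodvd`, `notv`, `nou2f`, `novideo`) are plain hardening and need no comment.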
@@ -1,4 +1,5 @@ # Firejail profile for ping +# Description: send ICMP ECHO_REQUEST to network hosts # This file is overwritten after every install/update quiet # Persistent local customizations diff --git a/etc/pingus.profile b/etc/pingus.profile index 782ee200d..a3adc55a2 100644 --- a/etc/pingus.profile +++ b/etc/pingus.profile @@ -27,6 +27,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,netlink seccomp shell none diff --git a/etc/qemu-system-x86_64.profile b/etc/qemu-system-x86_64.profile index 1399328d3..47b9d6a9a 100644 --- a/etc/qemu-system-x86_64.profile +++ b/etc/qemu-system-x86_64.profile @@ -1,4 +1,5 @@ # Firejail profile for qemu-system-x86_64 +# Description: QEMU system emulator for x86_64 # This file is overwritten after every install/update # Persistent local customizations include qemu-system-x86_64.local diff --git a/etc/qupzilla.profile b/etc/qupzilla.profile index 954b1a3b4..3f3270dd6 100644 --- a/etc/qupzilla.profile +++ b/etc/qupzilla.profile @@ -3,7 +3,8 @@ # Persistent local customizations include qupzilla.local # Persistent global definitions -include globals.local +# added by included profile +#include globals.local noblacklist ${HOME}/.cache/qupzilla noblacklist ${HOME}/.config/qupzilla 
@@ -17,26 +18,10 @@ include disable-programs.inc mkdir ${HOME}/.cache/qupzilla mkdir ${HOME}/.config/qupzilla -whitelist ${DOWNLOADS} whitelist ${HOME}/.cache/qupzilla whitelist ${HOME}/.config/qupzilla -include whitelist-common.inc -include whitelist-var-common.inc -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -nou2f -protocol unix,inet,inet6,netlink -# blacklisting of chroot system calls breaks qupzilla -seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice -# tracelog - -private-dev -# private-etc alternatives,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,adobe,mime.types,mailcap,asound.conf,pulse,machine-id,ca-certificates,ssl,pki,crypto-policies # private-tmp - interferes with the opening of downloaded files +# Redirect +include falkon.profile diff --git a/etc/shotcut.profile b/etc/shotcut.profile index e6c48561f..5b3c5439d 100644 --- a/etc/shotcut.profile +++ b/etc/shotcut.profile @@ -1,4 +1,5 @@ # Firejail profile for shotcut +# Description: A free, open source, cross-platform video editor # This file is overwritten after every install/update # Persistent local customizations include shotcut.local diff --git a/etc/simutrans.profile b/etc/simutrans.profile index 7febcde46..c6f5f70b0 100644 --- a/etc/simutrans.profile +++ b/etc/simutrans.profile @@ -27,6 +27,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix seccomp shell none diff --git a/etc/sqlitebrowser.profile b/etc/sqlitebrowser.profile index 9cba69a77..d423bb65c 100644 --- a/etc/sqlitebrowser.profile +++ b/etc/sqlitebrowser.profile 
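Review bot: With `include falkon.profile` as the redirect, the kept context line `# private-tmp - interferes with the opening of downloaded files` now describes a directive this file no longer contains and duplicates the identical comment in falkon.profile (see its hunk earlier in this commit); drop it so the redirect profile carries only the qupzilla-specific `noblacklist`/`mkdir`/`whitelist` lines followed by `# Redirect` and the include. The removed `whitelist ${DOWNLOADS}` and `include whitelist-common.inc` now come from falkon.profile, which should be fine as long as falkon.profile keeps them, but it does mean qupzilla is exactly as strict as falkon from here on.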
@@ -42,4 +42,4 @@ private-dev private-etc alternatives,ca-certificates,crypto-policies,fonts,group,machine-id,passwd,pki,ssl private-tmp -#memory-deny-write-execute - breaks on Arch +#memory-deny-write-execute - breaks on Arch (see issue #1803) diff --git a/etc/ssh-agent.profile b/etc/ssh-agent.profile index 15e2de9b0..9934e92b0 100644 --- a/etc/ssh-agent.profile +++ b/etc/ssh-agent.profile @@ -24,6 +24,7 @@ nodvd nonewprivs noroot notv +novideo protocol unix,inet,inet6 seccomp shell none diff --git a/etc/ssh.profile b/etc/ssh.profile index 7a9bb5abe..6949299af 100644 --- a/etc/ssh.profile +++ b/etc/ssh.profile @@ -30,6 +30,7 @@ nonewprivs nosound notv nou2f +novideo protocol unix,inet,inet6 seccomp shell none diff --git a/etc/start-tor-browser.desktop.profile b/etc/start-tor-browser.desktop.profile index 9c3175ad7..2f73c9fee 100644 --- a/etc/start-tor-browser.desktop.profile +++ b/etc/start-tor-browser.desktop.profile @@ -6,8 +6,7 @@ include start-tor-browser.desktop.local # added by included profile #include globals.local -noblacklist ${HOME}/.tor-browser-* -noblacklist ${HOME}/.tor-browser_* +noblacklist ${HOME}/.tor-browser* whitelist ${HOME}/.tor-browser-ar whitelist ${HOME}/.tor-browser-ca diff --git a/etc/strings.profile b/etc/strings.profile index 9e681537c..0817d7331 100644 --- a/etc/strings.profile +++ b/etc/strings.profile @@ -1,4 +1,5 @@ # Firejail profile for strings +# Description: print the strings of printable characters in files # This file is overwritten after every install/update quiet # Persistent local customizations diff --git a/etc/subdownloader.profile b/etc/subdownloader.profile index d0176a657..6de408740 100644 --- a/etc/subdownloader.profile +++ b/etc/subdownloader.profile @@ -31,6 +31,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,inet,inet6 seccomp shell none diff --git a/etc/supertux2.profile b/etc/supertux2.profile index 287a078b3..4c64ee766 100644 --- a/etc/supertux2.profile +++ b/etc/supertux2.profile 
@@ -1,4 +1,5 @@ # Firejail profile for supertux2 +# Description: Jump'n run like game # This file is overwritten after every install/update # Persistent local customizations include supertux2.local @@ -27,6 +28,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,netlink seccomp shell none diff --git a/etc/supertuxkart.profile b/etc/supertuxkart.profile index 2cd5ec3ad..8a48eeac8 100644 --- a/etc/supertuxkart.profile +++ b/etc/supertuxkart.profile @@ -47,7 +47,7 @@ disable-mnt private-bin supertuxkart private-cache private-dev -private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,selinux,ssl,system-fips,xdg +private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl private-tmp private-opt none private-srv none diff --git a/etc/transmission-cli.profile b/etc/transmission-cli.profile index 00b2fa122..486be5fe6 100644 --- a/etc/transmission-cli.profile +++ b/etc/transmission-cli.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-cli.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-cli private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl diff --git a/etc/transmission-common.profile b/etc/transmission-common.profile index e786fa8a3..1b1fc4af7 100644 --- a/etc/transmission-common.profile +++ b/etc/transmission-common.profile @@ -1,11 +1,8 @@ # Firejail profile for transmission-common # Description: Fast, easy and free BitTorrent client # This file is overwritten after every install/update -quiet # Persistent local customizations -include transmission-gtk.local -# Persistent global definitions -include globals.local +include transmission-common.local noblacklist ${HOME}/.cache/transmission noblacklist ${HOME}/.config/transmission 
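Review bot: transmission-common.profile drops `include globals.local` and each transmission-*.profile now includes it directly (the hunks for transmission-cli, -create, -daemon, -edit, -gtk, -qt, -remote-cli, -remote-gtk, -remote and -show), while qupzilla.profile in this same commit is changed the opposite way, to `# added by included profile` / `#include globals.local` with the included falkon.profile owning the include. Both work, but redirect profiles should follow one convention; if the per-caller include is the new rule, leave a matching comment pair such as `# added by caller profile` / `#include globals.local` in transmission-common.profile so the omission reads as intentional rather than as a lost line. Replacing `include transmission-gtk.local` with `include transmission-common.local` is a correct fix, and dropping `quiet` here is consistent with the callers already setting it.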
diff --git a/etc/transmission-create.profile b/etc/transmission-create.profile index 7c09878bc..8220b7887 100644 --- a/etc/transmission-create.profile +++ b/etc/transmission-create.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-create.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-create diff --git a/etc/transmission-daemon.profile b/etc/transmission-daemon.profile index ca97bb4dc..f1e7fcb17 100644 --- a/etc/transmission-daemon.profile +++ b/etc/transmission-daemon.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-daemon.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local whitelist /var/lib/transmission diff --git a/etc/transmission-edit.profile b/etc/transmission-edit.profile index 487ea8e51..df381b5cd 100644 --- a/etc/transmission-edit.profile +++ b/etc/transmission-edit.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-edit.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-edit diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile index a45d672ac..01bdeb4ef 100644 --- a/etc/transmission-gtk.profile +++ b/etc/transmission-gtk.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-gtk.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-gtk diff --git a/etc/transmission-qt.profile b/etc/transmission-qt.profile index f207a7e90..94f3c3a20 100644 --- a/etc/transmission-qt.profile +++ b/etc/transmission-qt.profile 
@@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-qt.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-qt diff --git a/etc/transmission-remote-cli.profile b/etc/transmission-remote-cli.profile index d69e70ece..8b3a966c1 100644 --- a/etc/transmission-remote-cli.profile +++ b/etc/transmission-remote-cli.profile @@ -5,15 +5,13 @@ quiet # Persistent local customizations include transmission-remote-cli.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local # Allow python (blacklisted by disable-interpreters.inc) include allow-python2.inc include allow-python3.inc private-bin python*,transmission-remote-cli -private-etc # Redirect include transmission-common.profile diff --git a/etc/transmission-remote-gtk.profile b/etc/transmission-remote-gtk.profile index f0b313aed..a6400e2c0 100644 --- a/etc/transmission-remote-gtk.profile +++ b/etc/transmission-remote-gtk.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-remote-gtk.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local noblacklist ${HOME}/.config/transmission-remote-gtk diff --git a/etc/transmission-remote.profile b/etc/transmission-remote.profile index 9ef7119d9..fee4999e6 100644 --- a/etc/transmission-remote.profile +++ b/etc/transmission-remote.profile @@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-remote.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-remote private-etc alternatives,hosts,nsswitch.conf diff --git a/etc/transmission-show.profile b/etc/transmission-show.profile index 89051f956..5a3c83f58 100644 --- a/etc/transmission-show.profile +++ b/etc/transmission-show.profile 
@@ -5,8 +5,7 @@ quiet # Persistent local customizations include transmission-show.local # Persistent global definitions -# added by included profile -#include globals.local +include globals.local private-bin transmission-show private-etc alternatives,hosts,nsswitch.conf diff --git a/etc/unknown-horizons.profile b/etc/unknown-horizons.profile index b62d3111d..7223ea2e1 100644 --- a/etc/unknown-horizons.profile +++ b/etc/unknown-horizons.profile @@ -23,6 +23,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,inet,inet6,netlink seccomp shell none diff --git a/etc/warzone2100.profile b/etc/warzone2100.profile index 85cbc5e43..e65e0a0c3 100644 --- a/etc/warzone2100.profile +++ b/etc/warzone2100.profile @@ -30,6 +30,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,inet,inet6,netlink seccomp shell none diff --git a/etc/wesnoth.profile b/etc/wesnoth.profile index a67d3a1b8..934edfce9 100644 --- a/etc/wesnoth.profile +++ b/etc/wesnoth.profile @@ -30,6 +30,7 @@ nonewprivs noroot notv nou2f +novideo protocol unix,inet,inet6 seccomp diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile index 6fc519bee..d87d29ee8 100644 --- a/etc/youtube-dl.profile +++ b/etc/youtube-dl.profile @@ -19,6 +19,8 @@ noblacklist ${VIDEOS} include allow-python2.inc include allow-python3.inc +blacklist /tmp/.X11-unix + include disable-common.inc include disable-devel.inc include disable-exec.inc diff --git a/etc/zathura.profile b/etc/zathura.profile index 922284353..db03076be 100644 --- a/etc/zathura.profile +++ b/etc/zathura.profile @@ -28,6 +28,7 @@ noroot nosound notv nou2f +novideo protocol unix seccomp shell none
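Review bot: `blacklist /tmp/.X11-unix` in youtube-dl.profile hides only the socket directory; `DISPLAY` and `XAUTHORITY` stay set and, if I recall the firejail man page correctly, the X server's abstract unix socket remains reachable from inside the sandbox, which is precisely the condition `x11 none` checks and reports. The profile-level directive `x11 none` blacklists the same directory plus `${HOME}/.Xauthority` and strips the environment variables in one line, so it is the better fit for a command-line downloader; consider `x11 none` in place of the bare blacklist.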