Move apparmor option to the top of the options list in all profiles

2026-05-21 06:45:29 -06:00 · 2018-03-17 15:56:06 -04:00 · 2018-03-17 15:56:06 -04:00 · 68fd00cfe4
commit 68fd00cfe4
parent 82f5c2175e
31 changed files with 31 additions and 32 deletions
--- a/etc/ark.profile
+++ b/etc/ark.profile
@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 # net none
 netfilter
@ -29,7 +30,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor

 private-dev
 private-tmp
--- a/etc/atril.profile
+++ b/etc/atril.profile
@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 machine-id
 no3d
@ -31,7 +32,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 private-bin atril, atril-previewer, atril-thumbnailer
 private-dev
--- a/etc/audacious.profile
+++ b/etc/audacious.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nogroups
@ -26,7 +27,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor

 # private-bin audacious
 private-dev
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 #net none
 no3d
@ -29,7 +30,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 private-bin audacity
 private-dev
--- a/etc/chromium-common.profile
+++ b/etc/chromium-common.profile
@ -17,13 +17,13 @@ whitelist ${HOME}/.pki
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.keep sys_chroot,sys_admin
 netfilter
 nodvd
 nogroups
 notv
 shell none
-apparmor

 disable-mnt
 private-dev
--- a/etc/digikam.profile
+++ b/etc/digikam.profile
@ -17,6 +17,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nodvd
@ -28,7 +29,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 # seccomp.keep fallocate,getrusage,openat,access,arch_prctl,bind,brk,chdir,chmod,clock_getres,clone,close,connect,dup2,dup3,eventfd2,execve,fadvise64,fcntl,fdatasync,flock,fstat,fstatfs,ftruncate,futex,getcwd,getdents,getegid,geteuid,getgid,getpeername,getpgrp,getpid,getppid,getrandom,getresgid,getresuid,getrlimit,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,ioctl,lseek,lstat,madvise,mbind,memfd_create,mkdir,mmap,mprotect,msync,munmap,nanosleep,open,pipe,pipe2,poll,ppoll,prctl,pread64,pwrite64,read,readlink,readlinkat,recvfrom,recvmsg,rename,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_getparam,sched_get_priority_max,sched_get_priority_min,sched_getscheduler,sched_setscheduler,sched_yield,sendmsg,sendto,setgid,setresgid,setresuid,set_robust_list,setsid,setsockopt,set_tid_address,setuid,shmat,shmctl,shmdt,shmget,shutdown,socket,stat,statfs,sysinfo,timerfd_create,umask,uname,unlink,wait4,waitid,write,writev,fchmod,fchown,unshare,exit,exit_group
 shell none
-apparmor

 # private-bin program
 # private-dev - prevents libdc1394 loading; this lib is used to connect to a camera device
--- a/etc/electron.profile
+++ b/etc/electron.profile
@ -11,6 +11,7 @@ include /etc/firejail/disable-programs.inc

 whitelist ${DOWNLOADS}

+apparmor
 caps.drop all
 netfilter
 nodvd
@ -20,4 +21,3 @@ noroot
 notv
 protocol unix,inet,inet6,netlink
 seccomp
-apparmor
--- a/etc/eog.profile
+++ b/etc/eog.profile
@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 # net none - makes settings immutable
 no3d
@ -32,7 +33,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor

 private-bin eog
 private-dev
--- a/etc/eom.profile
+++ b/etc/eom.profile
@ -19,6 +19,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 # net none - makes settings immutable
 no3d
@ -33,7 +34,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 private-bin eom
 private-dev
--- a/etc/firefox-common.profile
+++ b/etc/firefox-common.profile
@ -20,6 +20,7 @@ whitelist ${HOME}/.pki
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 # machine-id breaks pulse audio; it should work fine in setups where sound is not required
 #machine-id
@ -33,7 +34,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
-apparmor

 disable-mnt
 private-dev
--- a/etc/galculator.profile
+++ b/etc/galculator.profile
@ -19,6 +19,7 @@ whitelist ${HOME}/.config/galculator
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 net none
 nodvd
@ -32,7 +33,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 private-bin galculator
 private-dev
--- a/etc/gimp.profile
+++ b/etc/gimp.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 net none
 nodvd
@ -26,7 +27,6 @@ notv
 protocol unix
 seccomp
 shell none
-apparmor

 private-dev
 private-tmp
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 no3d
@ -27,7 +28,6 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
-apparmor

 disable-mnt
 private-bin gnome-calculator
--- a/etc/handbrake.profile
+++ b/etc/handbrake.profile
@ -14,6 +14,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nogroups
@ -23,7 +24,6 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor

 private-dev
 private-tmp
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nodvd
@ -28,7 +29,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor

 # private-bin inkscape,potrace - problems on Debian stretch
 private-dev
--- a/etc/kate.profile
+++ b/etc/kate.profile
@ -21,6 +21,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 # net none
 netfilter
@ -35,7 +36,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 # private-bin kate
 private-dev
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc

+apparmor
 caps.drop all
 # net none
 nodvd
@ -25,7 +26,6 @@ notv
 protocol unix,netlink
 seccomp
 shell none
-apparmor

 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
 private-dev
--- a/etc/kodi.profile
+++ b/etc/kodi.profile
@ -12,6 +12,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc

+apparmor
 caps.drop all
 netfilter
 nogroups
@ -21,7 +22,6 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
 tracelog
-apparmor

 private-dev
 private-tmp
--- a/etc/krita.profile
+++ b/etc/krita.profile
@ -14,6 +14,7 @@ include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc

+apparmor
 caps.drop all
 ipc-namespace
 # net none
@ -27,7 +28,6 @@ novideo
 protocol unix
 seccomp
 shell none
-apparmor

 private-dev
 private-tmp
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@ -22,6 +22,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 # net none
 netfilter
@ -36,7 +37,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 private-bin kwrite,kbuildsycoca4,kdeinit4
 private-dev
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@ -16,6 +16,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 machine-id
 netfilter
@ -28,7 +29,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor

 private-dev
 private-tmp
--- a/etc/mpv.profile
+++ b/etc/mpv.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nogroups
@ -24,7 +25,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor

 private-bin mpv,youtube-dl,python*,env
 private-dev
--- a/etc/okular.profile
+++ b/etc/okular.profile
@ -25,6 +25,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 machine-id
 # net none
@ -40,7 +41,6 @@ protocol unix
 seccomp
 shell none
 tracelog
-apparmor

 private-bin okular,kbuildsycoca4,kdeinit4,lpr
 private-dev
--- a/etc/openshot.profile
+++ b/etc/openshot.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nodvd
@ -25,7 +26,6 @@ notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor

 private-dev
 private-tmp
--- a/etc/qbittorrent.profile
+++ b/etc/qbittorrent.profile
@ -26,6 +26,7 @@ whitelist ${HOME}/.local/share/data/qBittorrent
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 machine-id
 netfilter
@ -39,7 +40,6 @@ novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor

 private-bin qbittorrent,python*
 private-dev
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@ -13,6 +13,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 # no3d
@ -25,7 +26,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor

 private-bin rhythmbox
 private-dev
--- a/etc/smplayer.profile
+++ b/etc/smplayer.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 # nogroups
@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor

 private-bin smplayer,smtube,mplayer,mpv
 private-dev
--- a/etc/totem.profile
+++ b/etc/totem.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 nogroups
@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6
 seccomp
 shell none
-apparmor

 private-bin totem
 private-dev
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@ -21,6 +21,7 @@ whitelist ${HOME}/.config/transmission
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 machine-id
 netfilter
@ -34,7 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor

 private-bin transmission-gtk
 private-dev
--- a/etc/transmission-qt.profile
+++ b/etc/transmission-qt.profile
@ -21,6 +21,7 @@ whitelist ${HOME}/.config/transmission
 include /etc/firejail/whitelist-common.inc
 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 machine-id
 netfilter
@ -34,7 +35,6 @@ protocol unix,inet,inet6
 seccomp
 shell none
 tracelog
-apparmor

 private-bin transmission-qt
 private-dev
@ -42,4 +42,3 @@ private-dev
 private-tmp

 # memory-deny-write-execute - problems on Qt 5.10.0, KDE Frameworks 5.41.0
-
--- a/etc/vlc.profile
+++ b/etc/vlc.profile
@ -15,6 +15,7 @@ include /etc/firejail/disable-programs.inc

 include /etc/firejail/whitelist-var-common.inc

+apparmor
 caps.drop all
 netfilter
 # nogroups
@ -23,7 +24,6 @@ noroot
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-apparmor

 private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
 private-dev