github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

bwrap replacement - part 6 - allow /lib/libexec

Browse source
This commit is contained in:
netblue30 2025-12-20 12:27:12 -05:00
parent 24c0cff7fd
commit a98a1d2816
28 changed files with 60 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

3
etc/profile-a-l/0ad.profile
View file

@ -13,7 +13,8 @@ noblacklist ${HOME}/.local/share/0ad
# Allow gjs (blacklisted by disable-interpreters.inc)
include allow-gjs.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
# blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

4
etc/profile-a-l/apostrophe.profile
View file

@ -30,7 +30,9 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist /usr/libexec/webkit2gtk-4.0
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/apostrophe
whitelist /usr/share/texmf
whitelist /usr/share/pandoc-*

5
etc/profile-a-l/bijiben.profile
View file

@ -19,7 +19,10 @@ include disable-xdg.inc
mkdir ${HOME}/.local/share/bijiben
whitelist ${HOME}/.local/share/bijiben
whitelist ${HOME}/.cache/tracker
whitelist /usr/libexec/webkit2gtk-4.0
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/bijiben
whitelist /usr/share/tracker
whitelist /usr/share/tracker3

3
etc/profile-a-l/celluloid.profile
View file

@ -17,7 +17,8 @@ include allow-lua.inc
include allow-python2.inc
include allow-python3.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/chafa.profile
View file

@ -8,7 +8,8 @@ include chafa.local
include globals.local
blacklist ${RUNUSER}
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/cheese.profile
View file

@ -21,7 +21,8 @@ include disable-xdg.inc
whitelist ${VIDEOS}
whitelist ${PICTURES}
whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/gstreamer-1.0/gst-plugin-scanner
whitelist /usr/share/gnome-video-effects
whitelist /usr/share/gstreamer-1.0
include whitelist-common.inc

3
etc/profile-a-l/eo-common.profile
View file

@ -11,7 +11,8 @@ noblacklist ${HOME}/.local/share/Trash
noblacklist ${HOME}/.Steam
noblacklist ${HOME}/.steam
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/evince.profile
View file

@ -15,7 +15,8 @@ noblacklist ${DOCUMENTS}
include allow-bin-sh.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

5
etc/profile-a-l/file-roller.profile
View file

@ -14,8 +14,9 @@ include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
whitelist /usr/libexec/file-roller
whitelist /usr/libexec/p7zip
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/file-roller
#whitelist /usr/libexec/p7zip
whitelist /usr/share/file-roller
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

3
etc/profile-a-l/firefox.profile
View file

@ -22,7 +22,8 @@ noblacklist ${HOME}/.mozilla
noblacklist ${RUNUSER}/*firefox*
noblacklist ${RUNUSER}/psd/*firefox*
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla

3
etc/profile-a-l/gapplication.profile
View file

@ -7,7 +7,8 @@ include gapplication.local
include globals.local
blacklist ${RUNUSER}/wayland-*
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/gnome-boxes.profile
View file

@ -14,7 +14,8 @@ noblacklist ${RUNUSER}/libvirt
noblacklist /sbin
noblacklist /usr/sbin
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/gnome-maps.profile
View file

@ -18,7 +18,8 @@ noblacklist ${HOME}/.local/share/maps-places.json
# Allow gjs (blacklisted by disable-interpreters.inc)
include allow-gjs.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/gnome-passwordsafe.profile
View file

@ -13,7 +13,8 @@ noblacklist ${HOME}/*.kdbx
# Allow python (blacklisted by disable-interpreters.inc)
include allow-python3.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/gnote.profile
View file

@ -21,7 +21,8 @@ mkdir ${HOME}/.config/gnote
mkdir ${HOME}/.local/share/gnote
whitelist ${HOME}/.config/gnote
whitelist ${HOME}/.local/share/gnote
whitelist /usr/libexec/webkit2gtk-4.0
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/gnote
include whitelist-common.inc
include whitelist-runuser-common.inc

3
etc/profile-a-l/hexchat.profile
View file

@ -21,7 +21,8 @@ include allow-perl.inc
include allow-python2.inc
include allow-python3.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/imv.profile
View file

@ -8,7 +8,8 @@ include globals.local
include allow-bin-sh.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/libreoffice.profile
View file

@ -24,7 +24,8 @@ blacklist ${HOME}/.gnupg/random_seed
# Allow java (blacklisted by disable-devel.inc)
include allow-java.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-a-l/lifeograph.profile
View file

@ -8,7 +8,8 @@ include globals.local
noblacklist ${DOCUMENTS}
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-m-z/marker.profile
View file

@ -24,7 +24,8 @@ include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc
whitelist /usr/libexec/webkit2gtk-4.0
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/com.github.fabiocolacio.marker
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

3
etc/profile-m-z/meld.profile
View file

@ -29,7 +29,8 @@ include allow-python3.inc
# Allow ssh (blacklisted by disable-common.inc)
include allow-ssh.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
# Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
#include disable-common.inc

3
etc/profile-m-z/mpv.profile
View file

@ -42,7 +42,8 @@ include allow-lua.inc
include allow-python2.inc
include allow-python3.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-m-z/mullvad-browser.profile
View file

@ -33,7 +33,8 @@ include allow-python3.inc
blacklist /srv
blacklist /sys/class/net
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-m-z/rednotebook.profile
View file

@ -29,7 +29,8 @@ whitelist ${DOWNLOADS}
whitelist ${MUSIC}
whitelist ${PICTURES}
whitelist ${VIDEOS}
whitelist /usr/libexec/webkit2gtk-4.0
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/webkit2gtk-4.0
include whitelist-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc

3
etc/profile-m-z/retroarch.profile
View file

@ -6,7 +6,8 @@ include retroarch.local
# Persistent global definitions
include globals.local
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-m-z/virt-manager.profile
View file

@ -15,7 +15,8 @@ noblacklist /usr/sbin
# Allow python 3 (blacklisted by disable-interpreters.inc)
include allow-python3.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc

3
etc/profile-m-z/yelp.profile
View file

@ -27,7 +27,8 @@ whitelist ${HOME}/.mozilla/firefox/profiles.ini
mkdir ${HOME}/.config/yelp
whitelist ${HOME}/.config/yelp
whitelist /usr/libexec/webkit2gtk-4.0
# uses libgdk-pixbuf and/or glycin - see #6906
#whitelist /usr/libexec/webkit2gtk-4.0
whitelist /usr/share/doc
whitelist /usr/share/groff
whitelist /usr/share/help

3
etc/profile-m-z/zim.profile
View file

@ -13,7 +13,8 @@ noblacklist ${HOME}/.config/zim
include allow-python2.inc
include allow-python3.inc
blacklist /usr/libexec
# uses libgdk-pixbuf and/or glycin - see #6906
#blacklist /usr/libexec
include disable-common.inc
include disable-devel.inc