add restrict-namespaces to (almost) all profiles
This commit is contained in:
parent
372f39dded
commit
e4f0f91ebd
628 changed files with 967 additions and 13 deletions
@ -54,3 +54,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,5 @@ seccomp
|
|||
disable-mnt
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -28,3 +28,5 @@ seccomp
|
|||
private-cache
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -36,3 +36,4 @@ seccomp
|
|||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -45,3 +45,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -46,3 +46,5 @@ private-tmp
|
|||
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -56,3 +56,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -55,3 +55,4 @@ tracelog
|
|||
private-dev
|
||||
# private-tmp - breaks programs that depend on akonadi
|
||||
|
||||
# restrict-namespaces
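Review bot: The disabled `# restrict-namespaces` added at the end of this hunk carries no reason, unlike the `# private-tmp - breaks programs that depend on akonadi` line two lines above it, so a later cleanup cannot tell whether leaving the namespace restriction off was deliberate or an oversight. Suggest the same pattern, e.g. `# restrict-namespaces - breaks <program/feature>` or a reference to the issue that showed the breakage, here and in the other hunks of this commit that add the directive commented out (the ones headed `private-dev` with `deterministic-shutdown`, `dbus-user.talk org.freedesktop.Notifications`, `private-tmp` at -54, -56 and -48 (the clipgrab one), `protocol unix,inet,inet6` at -40, `seccomp !chroot,!ioperm`, `seccomp !chroot`, and `nonewprivs`). Two of those (`protocol unix,inet,inet6` and `nonewprivs`) also write it as `#restrict-namespaces` without the space the other commented-out additions in this commit use; `# restrict-namespaces` keeps the form uniform. Because these are exactly the profiles where the restriction is not applied, the reason comment is what a reviewer will need when deciding whether it can be enabled later.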
|
||||
|
|
|
|||
|
|
@ -49,3 +49,4 @@ private-dev
|
|||
private-tmp
|
||||
|
||||
deterministic-shutdown
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -62,3 +62,4 @@ read-write ${HOME}/.config/menus
|
|||
read-write ${HOME}/.gnome/apps
|
||||
read-write ${HOME}/.local/share/applications
|
||||
read-write ${HOME}/.local/share/flatpak/exports
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -48,3 +48,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -100,3 +100,4 @@ dbus-system none
|
|||
|
||||
memory-deny-write-execute
|
||||
read-only ${HOME}/.signature
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -44,3 +44,5 @@ dbus-user.talk org.freedesktop.Notifications
|
|||
#dbus-user.own org.kde.klauncher
|
||||
#dbus-user.talk org.kde.knotify
|
||||
dbus-system none
|
||||
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,4 @@ private-bin amule
|
|||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,4 @@ private-cache
|
|||
|
||||
# noexec /tmp breaks 'Android Profiler'
|
||||
#noexec /tmp
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -54,3 +54,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -33,3 +33,5 @@ disable-mnt
|
|||
private-bin anydesk
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,5 @@ protocol unix,inet,inet6
|
|||
#seccomp
|
||||
|
||||
private-tmp
|
||||
|
||||
#restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -35,3 +35,5 @@ private-dev
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -69,3 +69,5 @@ dbus-user filter
|
|||
dbus-user.own org.gnome.gitlab.somas.Apostrophe
|
||||
dbus-user.talk ca.desrt.dconf
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -49,3 +49,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -36,3 +36,4 @@ private-bin arch-audit,archaudit-report,bash,cat,comm,cut,date,fold,grep,pacman,
|
|||
private-tmp
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -49,3 +49,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -33,3 +33,4 @@ seccomp
|
|||
private-cache
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -53,3 +53,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -44,3 +44,5 @@ private-tmp
|
|||
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -45,3 +45,4 @@ private-dev
|
|||
private-etc alternatives,ca-certificates,crypto-policies,ld.so.cache,ld.so.preload,passwd,pki,ssl,tor
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -65,3 +65,4 @@ dbus-user.talk org.freedesktop.Notifications
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -51,3 +51,4 @@ dbus-system none
|
|||
|
||||
memory-deny-write-execute
|
||||
read-write ${HOME}/.local/share/mime
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -45,3 +45,4 @@ dbus-system none
|
|||
|
||||
# mdwe is disabled due to breaking hardware accelerated decoding
|
||||
# memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -49,3 +49,4 @@ private-tmp
|
|||
|
||||
# webkit gtk killed by memory-deny-write-execute
|
||||
#memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -42,3 +42,5 @@ private-tmp
|
|||
# dbus needed for MPRIS
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -44,3 +44,5 @@ private-tmp
|
|||
# problems on Fedora 27
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -51,3 +51,4 @@ dbus-user.talk ca.desrt.dconf
|
|||
dbus-system none
|
||||
|
||||
# memory-deny-write-execute - breaks on Arch
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -52,3 +52,5 @@ private-tmp
|
|||
dbus-user filter
|
||||
dbus-user.talk ca.desrt.dconf
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -46,3 +46,4 @@ private-tmp
|
|||
# dbus-system none
|
||||
|
||||
#memory-deny-write-execute - breaks on Arch (see issue #1803)
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -39,3 +39,4 @@ private-dev
|
|||
private-tmp
|
||||
|
||||
#memory-deny-write-execute - breaks on Arch (see issue #1803)
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -55,3 +55,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -37,3 +37,5 @@ tracelog
|
|||
private-bin aweather
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -17,3 +17,4 @@ protocol unix,inet,inet6
|
|||
seccomp
|
||||
|
||||
read-only ${HOME}/.config/awesome/autorun.sh
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -49,3 +49,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -52,3 +52,5 @@ private-bin baloo_file,baloo_file_extractor,baloo_filemetadata_temp_extractor,kb
|
|||
private-cache
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -79,3 +79,4 @@ dbus-user.talk org.gnome.keyring.SystemPrompter
|
|||
dbus-system none
|
||||
|
||||
read-only ${HOME}/.mozilla/firefox/profiles.ini
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -41,3 +41,4 @@ private-tmp
|
|||
# dbus-system none
|
||||
|
||||
read-only ${HOME}
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -42,3 +42,4 @@ private-cache
|
|||
private-tmp
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -22,5 +22,8 @@ ignore seccomp
|
|||
#private-etc basilisk
|
||||
#private-opt basilisk
|
||||
|
||||
restrict-namespaces
|
||||
ignore restrict-namespaces
|
||||
|
||||
# Redirect
|
||||
include firefox-common.profile
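Review bot: The two adjacent new lines `restrict-namespaces` and `ignore restrict-namespaces` read as contradictory without a comment, and nothing in the hunk says which effect is intended. If `ignore` only suppresses occurrences processed after it, the first line still applies to this profile and the `ignore` drops the one coming from the included firefox-common.profile; if it applies to the whole profile chain, the first line is dead and the restriction is off here. A one-line comment stating the intended outcome, for example `# keep the restriction set above; drop the one inherited from firefox-common.profile` (or, if the restriction is meant to be off, the reason, as with `ignore seccomp` above), would make the pair self-explanatory and keep a future cleanup from deleting the wrong line. This is inferred from the visible lines only; the enclosing profile starts before the hunk.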
|
||||
|
|
|
|||
|
|
@ -44,3 +44,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -56,3 +56,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -60,3 +60,4 @@ dbus-user.talk org.freedesktop.Tracker1
|
|||
dbus-system none
|
||||
|
||||
env WEBKIT_FORCE_SANDBOX=0
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -47,3 +47,4 @@ private-dev
|
|||
private-tmp
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -38,3 +38,4 @@ private-dev
|
|||
private-tmp
|
||||
|
||||
read-write /var/lib/bitlbee
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -16,3 +16,4 @@ noroot
|
|||
protocol unix,inet,inet6
|
||||
seccomp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,4 @@ dbus-system none
|
|||
|
||||
# memory-deny-write-execute breaks some systems, see issue #1850
|
||||
# memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -37,3 +37,5 @@ protocol unix,inet,inet6,netlink
|
|||
seccomp !mbind
|
||||
|
||||
private-dev
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -39,3 +39,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -48,3 +48,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -47,3 +47,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -37,3 +37,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -31,3 +31,5 @@ seccomp !chroot,!ioperm
|
|||
|
||||
private-cache
|
||||
private-dev
|
||||
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -33,3 +33,5 @@ tracelog
|
|||
private-cache
|
||||
# private-dev
|
||||
# private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -63,3 +63,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -44,3 +44,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -35,3 +35,5 @@ seccomp !chroot
|
|||
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -37,3 +37,4 @@ private-dev
|
|||
|
||||
# noexec ${HOME}
|
||||
noexec /tmp
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -52,3 +52,4 @@ private-tmp
|
|||
# dbus-system none
|
||||
|
||||
# memory-deny-write-execute - breaks on Arch
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -37,3 +37,5 @@ seccomp
|
|||
# private-etc alternatives,drirc,fonts,gcrypt,hosts,kde5rc,mpd.conf,passwd,samba,ssl,xdg
|
||||
private-bin cantata,mpd,perl
|
||||
private-dev
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -46,3 +46,5 @@ tracelog
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -43,3 +43,5 @@ private-tmp
|
|||
|
||||
# dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -64,3 +64,4 @@ dbus-system none
|
|||
|
||||
read-only ${HOME}
|
||||
read-write ${HOME}/.config/celluloid
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -53,3 +53,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
read-only ${HOME}
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -52,3 +52,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -58,3 +58,5 @@ dbus-user filter
|
|||
dbus-user.own org.gnome.Cheese
|
||||
dbus-user.talk ca.desrt.dconf
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,4 @@ private-cache
|
|||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -7,3 +7,5 @@ nonewprivs
|
|||
noroot
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp !chroot
|
||||
|
||||
#restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -34,3 +34,5 @@ private-dev
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -37,3 +37,4 @@ dbus-system none
|
|||
read-only ${HOME}
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -27,3 +27,5 @@ private-dev
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -51,3 +51,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
#memory-deny-write-execute - breaks on Arch (see issue #1803)
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -38,3 +38,5 @@ private-tmp
|
|||
|
||||
dbus-system none
|
||||
# dbus-user none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -40,3 +40,4 @@ private-dev
|
|||
# private-tmp
|
||||
|
||||
noexec /tmp
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -48,3 +48,5 @@ private-tmp
|
|||
# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
|
||||
# dbus-user none
|
||||
# dbus-system none
|
||||
|
||||
# restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -59,5 +59,5 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
#memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
read-only ${HOME}
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -27,3 +27,5 @@ seccomp
|
|||
|
||||
private-bin cmus
|
||||
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,group,ld.so.cache,ld.so.preload,machine-id,pki,pulse,resolv.conf,ssl
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -60,3 +60,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -49,3 +49,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -52,3 +52,5 @@ private-tmp
|
|||
# dbus-user.own com.github.bleakgrey.tootle
|
||||
# dbus-user.talk ca.desrt.dconf
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -63,3 +63,4 @@ read-only ${HOME}
|
|||
read-write ${HOME}/.cache/agenda
|
||||
read-write ${HOME}/.config/agenda
|
||||
read-write ${HOME}/.local/share/agenda
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -60,3 +60,4 @@ private-tmp
|
|||
read-only ${HOME}
|
||||
read-write ${HOME}/.cache/com.github.johnfactotum.Foliate
|
||||
read-write ${HOME}/.local/share/com.github.johnfactotum.Foliate
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -58,3 +58,5 @@ dbus-user filter
|
|||
dbus-user.own com.github.phase1geo.minder
|
||||
dbus-user.talk ca.desrt.dconf
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -62,3 +62,4 @@ dbus-user.talk org.gnome.Software
|
|||
dbus-system none
|
||||
|
||||
read-write ${HOME}/.local/share/flatpak/overrides
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -34,3 +34,5 @@ protocol unix,inet,inet6
|
|||
seccomp
|
||||
|
||||
disable-mnt
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -43,3 +43,4 @@ private-dev
|
|||
private-tmp
|
||||
|
||||
memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -35,3 +35,4 @@ private-bin corebird
|
|||
private-dev
|
||||
private-tmp
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -46,3 +46,4 @@ private-tmp
|
|||
|
||||
memory-deny-write-execute
|
||||
read-only ${HOME}/.config/cower/config
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -46,3 +46,4 @@ dbus-user none
|
|||
dbus-system none
|
||||
|
||||
#memory-deny-write-execute
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -44,3 +44,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -43,3 +43,4 @@ private-opt none
|
|||
private-tmp
|
||||
private-srv none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -58,3 +58,5 @@ private-tmp
|
|||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
|
||||
restrict-namespaces
|
||||
|
|
|
|||
|
|
@ -53,3 +53,4 @@ private-etc alternatives,dbus-1,fonts,ld.so.cache,ld.so.preload,machine-id
|
|||
private-tmp
|
||||
|
||||
#memory-deny-write-execute - breaks on Arch (see issue #1803)
|
||||
restrict-namespaces
|
||||
|
|
|
|||