mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
Refactor electron.profile and electron based programs (#3807)
* Refactor electron.profile and electron based programs (1) * Refactor electron.profile and electron based programs (2) * Refactor electron.profile and electron based programs (3) * Refactor electron.profile and electron based programs (4) * Refactor electron.profile and electron based programs (5) * Refactor electron.profile and electron based programs (6) * Refactor electron.profile and electron based programs (7) * Refactor electron.profile and electron based programs (8)
parent
70e429d1fc
commit
f4f6767458
23 changed files with 201 additions and 353 deletions
|
|
@ -6,31 +6,27 @@ include atom.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-devel.inc
|
||||
ignore include disable-interpreters.inc
|
||||
ignore include disable-xdg.inc
|
||||
ignore whitelist ${DOWNLOADS}
|
||||
ignore include whitelist-common.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore include whitelist-var-common.inc
|
||||
ignore apparmor
|
||||
ignore disable-mnt
|
||||
|
||||
noblacklist ${HOME}/.atom
|
||||
noblacklist ${HOME}/.config/Atom
|
||||
|
||||
# Allows files commonly used by IDEs
|
||||
include allow-common-devel.inc
|
||||
|
||||
include disable-common.inc
|
||||
include disable-exec.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
|
||||
caps.keep sys_admin,sys_chroot
|
||||
# net none
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
nosound
|
||||
notv
|
||||
nou2f
|
||||
novideo
|
||||
shell none
|
||||
|
||||
private-cache
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
# Redirect
|
||||
include electron.profile
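Review bot: The heading `# Disabled until someone reported positive feedback` covers ten `ignore` lines, each switching off a hardening option inherited from the redirect target, and nothing says which are known to break the application and which are simply untested. The tense also reads oddly; `# Disabled until someone reports that the application works with these options` states the intent. A short reason beside any line with a known breakage (as the Skype section does with `# breaks Skype`) would let a maintainer re-enable the rest safely. The same heading recurs in most other sections on this page (beaker, discord-common, github-desktop, rocketchat, slack, teams, zoom, among others), so the wording is best fixed once across all of them.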
|
||||
|
|
|
|||
|
|
@ -3,17 +3,26 @@
|
|||
# Persistent local customizations
|
||||
include beaker.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-exec.inc
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore include whitelist-var-common.inc
|
||||
ignore nou2f
|
||||
ignore novideo
|
||||
ignore shell none
|
||||
ignore disable-mnt
|
||||
ignore private-cache
|
||||
ignore private-dev
|
||||
ignore private-tmp
|
||||
|
||||
noblacklist ${HOME}/.config/Beaker Browser
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-interpreters.inc
|
||||
|
||||
mkdir ${HOME}/.config/Beaker Browser
|
||||
whitelist ${HOME}/.config/Beaker Browser
|
||||
include whitelist-common.inc
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -6,33 +6,24 @@ include discord-common.local
|
|||
# added by caller profile
|
||||
#include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-interpreters.inc
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore apparmor
|
||||
ignore disable-mnt
|
||||
ignore private-cache
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
ignore noexec ${HOME}
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
|
||||
whitelist ${DOWNLOADS}
|
||||
whitelist ${HOME}/.config/BetterDiscord
|
||||
whitelist ${HOME}/.local/share/betterdiscordctl
|
||||
include whitelist-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
notv
|
||||
nou2f
|
||||
novideo
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp !chroot
|
||||
|
||||
private-bin bash,cut,echo,egrep,fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
|
||||
private-dev
|
||||
private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,localtime,login.defs,machine-id,password,pki,resolv.conf,ssl
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
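Review bot: The `private-etc` list names `password`, which looks like a typo for `passwd`; the neighbouring entries (`group`, `login.defs`) suggest the account database was meant. The +/- markers are lost on this page, so the line may be unchanged context, but it is worth correcting while the profile is being reworked: `...,login.defs,machine-id,passwd,pki,resolv.conf,ssl`. Separately, `ignore noexec ${HOME}` lets the application execute files from the home directory and carries no reason; a one-line comment naming what breaks without it would help a later reviewer.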
|
||||
|
|
|
|||
|
|
@ -3,25 +3,39 @@
|
|||
# This file is overwritten after every install/update
|
||||
# Persistent local customizations
|
||||
include electron.local
|
||||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
whitelist ${DOWNLOADS}
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
# Uncomment the next line (or add it to your chromium-common.local)
|
||||
# if your kernel allows unprivileged userns clone.
|
||||
#include chromium-common-hardened.inc
|
||||
|
||||
apparmor
|
||||
caps.drop all
|
||||
caps.keep sys_admin,sys_chroot
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
notv
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp
|
||||
nou2f
|
||||
novideo
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-cache
|
||||
private-dev
|
||||
private-tmp
|
||||
|
||||
dbus-user none
|
||||
dbus-system none
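Review bot: The comment above `#include chromium-common-hardened.inc` tells the user to add the line to `chromium-common.local`, but this file loads `electron.local`, so the hint points at a file this profile never reads; `# Uncomment the next line (or add it to your electron.local)` would match. The hunk also shows `caps.keep sys_admin,sys_chroot` next to `caps.drop all`, `nonewprivs`, `noroot` and `seccomp`; the +/- markers are lost here, so which of these survive is not visible. If the new side keeps `caps.keep` and drops the others, every redirecting profile inherits CAP_SYS_ADMIN with no syscall filter unless it adds `seccomp !chroot` itself. This file should say so in a comment, since more than twenty profiles now depend on it.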
|
||||
|
|
|
|||
|
|
@ -8,24 +8,13 @@ include globals.local
|
|||
|
||||
noblacklist ${HOME}/.config/FreeTube
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/FreeTube
|
||||
whitelist ${HOME}/.config/FreeTube
|
||||
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin freetube
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -6,43 +6,35 @@ include github-desktop.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
noblacklist ${HOME}/.config/GitHub Desktop
|
||||
noblacklist ${HOME}/.config/git
|
||||
noblacklist ${HOME}/.gitconfig
|
||||
noblacklist ${HOME}/.git-credentials
|
||||
|
||||
include disable-common.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
|
||||
caps.drop all
|
||||
netfilter
|
||||
# no3d
|
||||
nodvd
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
nosound
|
||||
notv
|
||||
nou2f
|
||||
novideo
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp !chroot
|
||||
|
||||
# Note: On debian-based distributions the binary might be located in
|
||||
# /opt/GitHub Desktop/github-desktop, and therefore not be in PATH.
|
||||
# If that's the case you can start GitHub Desktop with firejail via
|
||||
# `firejail "/opt/GitHub Desktop/github-desktop"`.
|
||||
|
||||
disable-mnt
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-xdg.inc
|
||||
ignore whitelist ${DOWNLOADS}
|
||||
ignore include whitelist-common.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore include whitelist-var-common.inc
|
||||
ignore apparmor
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
noblacklist ${HOME}/.config/GitHub Desktop
|
||||
noblacklist ${HOME}/.config/git
|
||||
noblacklist ${HOME}/.gitconfig
|
||||
noblacklist ${HOME}/.git-credentials
|
||||
|
||||
# no3d
|
||||
nosound
|
||||
|
||||
# private-bin github-desktop
|
||||
private-cache
|
||||
?HAS_APPIMAGE: ignore private-dev
|
||||
private-dev
|
||||
# private-lib
|
||||
private-tmp
|
||||
|
||||
# memory-deny-write-execute
|
||||
|
||||
# Redirect
|
||||
include electron.profile
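Review bot: `noblacklist ${HOME}/.git-credentials` exposes git's plaintext credential store to the sandboxed application, and this section also carries `ignore whitelist ${DOWNLOADS}` and `ignore include whitelist-common.inc`, so the home directory is apparently not narrowed by a whitelist either. That may well be required for a git client, but it should be stated next to the line, for example `# plaintext credential store; exposed so HTTPS remotes keep working`. The `?HAS_APPIMAGE: ignore private-dev` line directly above a bare `private-dev` is also worth a comment if both are on the new side, since the option now comes from the redirect target.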
|
||||
|
|
|
|||
|
|
@ -6,34 +6,22 @@ include jitsi-meet-desktop.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore nou2f
|
||||
ignore novideo
|
||||
ignore shell none
|
||||
|
||||
ignore noexec /tmp
|
||||
|
||||
noblacklist ${HOME}/.config/Jitsi Meet
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
nowhitelist ${DOWNLOADS}
|
||||
|
||||
mkdir ${HOME}/.config/Jitsi Meet
|
||||
|
||||
whitelist ${HOME}/.config/Jitsi Meet
|
||||
|
||||
include whitelist-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
seccomp !chroot
|
||||
|
||||
disable-mnt
|
||||
private-bin bash,jitsi-meet-desktop
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -10,31 +10,16 @@ ignore dbus-user
|
|||
|
||||
noblacklist ${HOME}/.config/nuclear
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/nuclear
|
||||
whitelist ${HOME}/.config/nuclear
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
no3d
|
||||
nou2f
|
||||
novideo
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
# private-bin nuclear
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
|
||||
private-opt nuclear
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -7,7 +7,5 @@ include riot-desktop.local
|
|||
# added by included profile
|
||||
#include globals.local
|
||||
|
||||
seccomp !chroot
|
||||
|
||||
# Redirect
|
||||
include riot-web.profile
|
||||
|
|
|
|||
|
|
@ -4,14 +4,16 @@
|
|||
# Persistent local customizations
|
||||
include riot-web.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
ignore noexec /tmp
|
||||
|
||||
noblacklist ${HOME}/.config/Riot
|
||||
|
||||
mkdir ${HOME}/.config/Riot
|
||||
whitelist ${HOME}/.config/Riot
|
||||
include whitelist-common.inc
|
||||
whitelist /usr/share/chromium
|
||||
whitelist /usr/share/webapps/element
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -3,14 +3,28 @@
|
|||
# Persistent local customizations
|
||||
include rocketchat.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-devel.inc
|
||||
ignore include disable-exec.inc
|
||||
ignore include disable-interpreters.inc
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore include whitelist-var-common.inc
|
||||
ignore nou2f
|
||||
ignore novideo
|
||||
ignore shell none
|
||||
ignore disable-mnt
|
||||
ignore private-cache
|
||||
ignore private-dev
|
||||
ignore private-tmp
|
||||
|
||||
noblacklist ${HOME}/.config/Rocket.Chat
|
||||
|
||||
mkdir ${HOME}/.config/Rocket.Chat
|
||||
whitelist ${HOME}/.config/Rocket.Chat
|
||||
include whitelist-common.inc
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -5,6 +5,13 @@ include signal-desktop.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore private-cache
|
||||
ignore novideo
|
||||
|
||||
ignore noexec /tmp
|
||||
|
||||
noblacklist ${HOME}/.config/Signal
|
||||
|
|
@ -14,32 +21,12 @@ noblacklist ${HOME}/.mozilla
|
|||
whitelist ${HOME}/.mozilla/firefox/profiles.ini
|
||||
read-only ${HOME}/.mozilla/firefox/profiles.ini
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-programs.inc
|
||||
include disable-passwdmgr.inc
|
||||
|
||||
mkdir ${HOME}/.config/Signal
|
||||
whitelist ${DOWNLOADS}
|
||||
whitelist ${HOME}/.config/Signal
|
||||
include whitelist-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
apparmor
|
||||
caps.keep sys_admin,sys_chroot
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
notv
|
||||
nou2f
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-dev
|
||||
private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
|
||||
private-tmp
|
||||
|
||||
dbus-user none
|
||||
dbus-system none
|
||||
# Redirect
|
||||
include electron.profile
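Review bot: `ignore include-xdg.inc` in the first hunk does not have the form of any other ignore line on this page and looks like a typo for `ignore include disable-xdg.inc`. As written it presumably matches no line in the redirect target, so `disable-xdg.inc` would still be applied to Signal even though it sits under the "Disabled until…" heading. The fix is the one line `ignore include disable-xdg.inc`. `ignore noexec /tmp` just below has no stated reason either; the Skype section's `# breaks Skype` is a good model.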
|
||||
|
|
|
|||
|
|
@ -5,27 +5,24 @@ include skypeforlinux.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore whitelist ${DOWNLOADS}
|
||||
ignore include whitelist-common.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore include whitelist-var-common.inc
|
||||
ignore nou2f
|
||||
ignore novideo
|
||||
ignore private-dev
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
# breaks Skype
|
||||
ignore noexec /tmp
|
||||
|
||||
noblacklist ${HOME}/.config/skypeforlinux
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
caps.keep sys_admin,sys_chroot
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
notv
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-cache
|
||||
# private-dev - needs /dev/disk
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
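Review bot: `ignore private-dev` sits under the generic "Disabled until…" heading, while the hunk also shows the specific reason `# private-dev - needs /dev/disk`. The +/- markers are lost on this page; if that comment is on the removed side, the only record of why the option is off goes with it. Keeping it beside the new line, as `# private-dev breaks Skype - needs /dev/disk` directly above `ignore private-dev`, would match how `# breaks Skype` documents `ignore noexec /tmp`.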
|
||||
|
|
|
|||
|
|
@ -5,31 +5,26 @@ include slack.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-exec.inc
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore apparmor
|
||||
ignore novideo
|
||||
ignore private-tmp
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
noblacklist ${HOME}/.config/Slack
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-shell.inc
|
||||
|
||||
mkdir ${HOME}/.config/Slack
|
||||
whitelist ${HOME}/.config/Slack
|
||||
whitelist ${DOWNLOADS}
|
||||
include whitelist-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
caps.keep sys_admin,sys_chroot
|
||||
netfilter
|
||||
nodvd
|
||||
nogroups
|
||||
notv
|
||||
nou2f
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin locale,slack
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,debian_version,fedora-release,fonts,group,ld.so.cache,ld.so.conf,localtime,machine-id,os-release,passwd,pki,pulse,redhat-release,resolv.conf,ssl,system-release,system-release-cpe
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -4,33 +4,23 @@
|
|||
# Persistent local customizations
|
||||
include teams-for-linux.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
noblacklist ${HOME}/.config/teams-for-linux
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
|
||||
mkdir ${HOME}/.config/teams-for-linux
|
||||
whitelist ${HOME}/.config/teams-for-linux
|
||||
include whitelist-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
nou2f
|
||||
novideo
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin bash,cut,echo,egrep,grep,head,sed,sh,teams-for-linux,tr,xdg-mime,xdg-open,zsh
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc ca-certificates,crypto-policies,fonts,ld.so.cache,localtime,machine-id,pki,resolv.conf,ssl
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -4,8 +4,14 @@
|
|||
# Persistent local customizations
|
||||
include teams.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore novideo
|
||||
ignore private-tmp
|
||||
|
||||
# see #3404
|
||||
ignore apparmor
|
||||
|
|
@ -15,24 +21,10 @@ ignore dbus-system none
|
|||
noblacklist ${HOME}/.config/teams
|
||||
noblacklist ${HOME}/.config/Microsoft
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
|
||||
mkdir ${HOME}/.config/teams
|
||||
mkdir ${HOME}/.config/Microsoft
|
||||
whitelist ${HOME}/.config/teams
|
||||
whitelist ${HOME}/.config/Microsoft
|
||||
include whitelist-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
nou2f
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-cache
|
||||
private-dev
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -6,31 +6,20 @@ include twitch.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore nou2f
|
||||
ignore novideo
|
||||
|
||||
noblacklist ${HOME}/.config/Twitch
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/Twitch
|
||||
whitelist ${HOME}/.config/Twitch
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin twitch
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
|
||||
private-opt Twitch
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -4,36 +4,24 @@
|
|||
# Persistent local customizations
|
||||
include whalebird.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
noblacklist ${HOME}/.config/Whalebird
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/Whalebird
|
||||
whitelist ${HOME}/.config/Whalebird
|
||||
include whitelist-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
no3d
|
||||
nou2f
|
||||
novideo
|
||||
protocol unix,inet,inet6
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin whalebird
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc fonts,machine-id
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -4,33 +4,29 @@
|
|||
# Persistent local customizations
|
||||
include wire-desktop.local
|
||||
# Persistent global definitions
|
||||
# added by included profile
|
||||
#include globals.local
|
||||
include globals.local
|
||||
|
||||
# Debian/Ubuntu use /opt/Wire. As that is not in PATH by default, run `firejail /opt/Wire/wire-desktop` to start it.
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore include disable-exec.inc
|
||||
ignore include disable-xdg.inc
|
||||
ignore include whitelist-runuser-common.inc
|
||||
ignore include whitelist-usr-share-common.inc
|
||||
ignore include whitelist-var-common.inc
|
||||
ignore novideo
|
||||
ignore private-cache
|
||||
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
noblacklist ${HOME}/.config/Wire
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-interpreters.inc
|
||||
|
||||
mkdir ${HOME}/.config/Wire
|
||||
whitelist ${HOME}/.config/Wire
|
||||
include whitelist-common.inc
|
||||
|
||||
nou2f
|
||||
ignore seccomp
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin bash,electron,electron[0-9],electron[0-9][0-9],env,sh,wire-desktop
|
||||
private-dev
|
||||
private-etc alternatives,ca-certificates,crypto-policies,fonts,machine-id,pki,resolv.conf,ssl
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
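Review bot: `ignore seccomp` is immediately followed by `seccomp !chroot`. If firejail matches ignore entries against the leading word of a profile line (worth confirming in the profile parser), the first line would also suppress the second and leave this profile with no syscall filter at all. The +/- markers are lost on this page, so the two lines may sit on opposite sides of the change. If both are on the new side, drop `ignore seccomp` or verify on a running Wire sandbox that the filter is actually installed. A one-line comment saying why chroot is exempted would also help.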
|
||||
|
|
|
|||
|
|
@ -6,32 +6,19 @@ include youtube.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore nou2f
|
||||
|
||||
noblacklist ${HOME}/.config/Youtube
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/Youtube
|
||||
whitelist ${HOME}/.config/Youtube
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
novideo
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin youtube
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
|
||||
private-opt Youtube
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -8,31 +8,14 @@ include globals.local
|
|||
|
||||
noblacklist ${HOME}/.config/youtubemusic-nativefier-040164
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-shell.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/youtubemusic-nativefier-040164
|
||||
whitelist ${HOME}/.config/youtubemusic-nativefier-040164
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
nou2f
|
||||
novideo
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
private-bin youtubemusic-nativefier
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
|
||||
private-opt youtubemusic-nativefier
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -10,30 +10,12 @@ ignore dbus-user none
|
|||
|
||||
noblacklist ${HOME}/.config/youtube-music-desktop-app
|
||||
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-xdg.inc
|
||||
|
||||
mkdir ${HOME}/.config/youtube-music-desktop-app
|
||||
whitelist ${HOME}/.config/youtube-music-desktop-app
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
nou2f
|
||||
novideo
|
||||
seccomp !chroot
|
||||
shell none
|
||||
|
||||
disable-mnt
|
||||
# private-bin env,ytmdesktop
|
||||
private-cache
|
||||
private-dev
|
||||
private-etc alsa,alternatives,asound.conf,ati,bumblebee,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,mime.types,nsswitch.conf,nvidia,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
|
||||
# private-opt
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
|
||||
|
|
|
|||
|
|
@ -6,16 +6,20 @@ include zoom.local
|
|||
# Persistent global definitions
|
||||
include globals.local
|
||||
|
||||
# Disabled until someone reported positive feedback
|
||||
ignore apparmor
|
||||
ignore novideo
|
||||
ignore dbus-user none
|
||||
ignore dbus-system none
|
||||
|
||||
# nogroups breaks webcam access on non-systemd systems (see #3711).
|
||||
# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local
|
||||
#ignore nogroups
|
||||
|
||||
noblacklist ${HOME}/.config/zoomus.conf
|
||||
noblacklist ${HOME}/.zoom
|
||||
|
||||
include disable-common.inc
|
||||
include disable-devel.inc
|
||||
include disable-exec.inc
|
||||
include disable-interpreters.inc
|
||||
include disable-passwdmgr.inc
|
||||
include disable-programs.inc
|
||||
include disable-xdg.inc
|
||||
nowhitelist ${DOWNLOADS}
|
||||
|
||||
mkdir ${HOME}/.cache/zoom
|
||||
mkfile ${HOME}/.config/zoomus.conf
|
||||
|
|
@ -23,29 +27,9 @@ mkdir ${HOME}/.zoom
|
|||
whitelist ${HOME}/.cache/zoom
|
||||
whitelist ${HOME}/.config/zoomus.conf
|
||||
whitelist ${HOME}/.zoom
|
||||
include whitelist-common.inc
|
||||
include whitelist-runuser-common.inc
|
||||
include whitelist-usr-share-common.inc
|
||||
include whitelist-var-common.inc
|
||||
|
||||
caps.drop all
|
||||
netfilter
|
||||
nodvd
|
||||
# nogroups breaks webcam access on non-systemd systems (see #3711).
|
||||
# If you use such a system comment the line below or put 'ignore nogroups' in your zoom.local
|
||||
nogroups
|
||||
nonewprivs
|
||||
noroot
|
||||
notv
|
||||
nou2f
|
||||
protocol unix,inet,inet6,netlink
|
||||
seccomp !chroot
|
||||
shell none
|
||||
tracelog
|
||||
|
||||
disable-mnt
|
||||
private-cache
|
||||
private-dev
|
||||
# Disable for now, see https://github.com/netblue30/firejail/issues/3726
|
||||
#private-etc alternatives,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,nsswitch.conf,pki,resolv.conf,ssl
|
||||
private-tmp
|
||||
|
||||
# Redirect
|
||||
include electron.profile
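Review bot: The second hunk's header (`-23,29 +27,9`) leaves only nine lines on the new side, so most of the option block shown here (`caps.drop all`, `nonewprivs`, `noroot`, `protocol unix,inet,inet6,netlink`, `seccomp !chroot`, `tracelog`) appears to be removed in favour of the redirect. Whether Zoom still runs with dropped capabilities and a syscall filter then depends entirely on what electron.profile provides, and its hunk on this page shows `caps.keep sys_admin,sys_chroot`. Several other sections keep an explicit `seccomp !chroot`; either do the same here (`seccomp !chroot` and `tracelog` above `# Redirect`) or add a comment explaining why Zoom no longer needs them.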
|
||||
|
|
|
|||