master
51x 4 years ago
parent bf695e1588
commit 777ae32ba6

@ -0,0 +1,31 @@
# Firejail profile for 0ad.
noblacklist ~/.cache/0ad
noblacklist ~/.config/0ad
noblacklist ~/.local/share/0ad
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelists
mkdir ~/.cache/0ad
whitelist ~/.cache/0ad
mkdir ~/.config/0ad
whitelist ~/.config/0ad
mkdir ~/.local/share/0ad
whitelist ~/.local/share/0ad
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-dev
private-tmp
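Review bot: The whitelist block (`mkdir ~/.cache/0ad` through `whitelist ~/.local/share/0ad`) is not followed by `include /etc/firejail/whitelist-common.inc`, which every other whitelisting profile in this commit adds (Abrowser, Chromium, Conkeror, Cyberfox, Dillo, Epiphany, Mathematica). Once a `whitelist` line is present the rest of the home directory is hidden, so whatever that include re-exposes for GUI programs is missing here; unless 0ad is known to need none of it, add `include /etc/firejail/whitelist-common.inc` after the last whitelist line. The same omission appears in the aweather, Brave and dropbox hunks.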

@ -0,0 +1,9 @@
# 7zip crompression tool profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-dev
nosound
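Review bot: The header comment misspells the tool's purpose; change it to `# 7zip compression tool profile`. `ignore noroot` silently cancels the `noroot` that is presumably inherited from default.profile without saying why; a one-line comment such as `# noroot is ignored so archives keep their original file ownership` (adjusted to the real reason) would spare the next reader from guessing.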

@ -0,0 +1,3 @@
# Firejail profile for Cyberfox (based on Mozilla Firefox)
include /etc/firejail/cyberfox.profile

@ -0,0 +1,20 @@
# Mathematica profile
noblacklist ${HOME}/.Mathematica
noblacklist ${HOME}/.Wolfram Research
mkdir ~/.Mathematica
whitelist ~/.Mathematica
mkdir ~/.Wolfram Research
whitelist ~/.Wolfram Research
whitelist ~/Documents/Wolfram Mathematica
include /etc/firejail/whitelist-common.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
seccomp
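Review bot: The noblacklist lines use `${HOME}` while the mkdir/whitelist lines for the same directories use `~`; pick one spelling so the pairs are visibly matched (`noblacklist ~/.Mathematica`, `noblacklist ~/.Wolfram Research`). `whitelist ~/Documents/Wolfram Mathematica` has no preceding `mkdir`, unlike the two entries above it; if Mathematica creates that directory itself on first run the whitelist is presumably a no-op until then, so either add `mkdir ~/Documents/Wolfram Mathematica` or comment that the user is expected to create it. Both paths contain an unquoted space; the profile parser's handling of that should be confirmed, although disable-programs.inc in this commit relies on the same form.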

@ -0,0 +1,2 @@
# Telegram IRC profile
include /etc/firejail/telegram.profile

@ -0,0 +1,50 @@
# Firejail profile for Abrowser
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/abrowser
whitelist ~/.cache/mozilla/abrowser
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
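Review bot: `whitelist ~/.pki` and `whitelist ~/keepassx.kdbx` are not preceded by `mkdir`/`mkfile`, while the profile's own directories are (`mkdir ~/.mozilla`, `mkdir ~/.cache/mozilla/abrowser`) and the Chromium hunk does `mkdir ~/.pki` before whitelisting it. A whitelist entry for a path that does not yet exist is presumably skipped, so a fresh profile would have no writable NSS database until the directory is created outside the sandbox; add `mkdir ~/.pki` for consistency with Chromium. The trailing `# experimental features` line followed by a commented-out `private-etc` is dead configuration — either enable it or drop it, keeping a short comment on why it is not used. The Cyberfox and Firefox hunks have the identical lines and the same remarks apply.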

@ -0,0 +1,20 @@
# Firejail profile for Atom Beta.
noblacklist ~/.atom
noblacklist ~/.config/Atom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6,netlink
seccomp
shell none
private-dev
private-tmp
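Review bot: This profile is line-for-line identical to the Atom profile in the next hunk apart from the header comment, so the two will drift as one gets fixed and the other does not. The commit already uses one-line alias profiles for this situation (the Cyberfox, Telegram, Chromium and Firefox ESR hunks each consist of a header comment plus an `include` of the main profile); the Beta profile should be reduced to a comment plus an include of the Atom profile in the same way. If the two are expected to diverge later, a comment saying so would justify the copy.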

@ -0,0 +1,20 @@
# Firejail profile for Atom.
noblacklist ~/.atom
noblacklist ~/.config/Atom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6,netlink
seccomp
shell none
private-dev
private-tmp

@ -0,0 +1,21 @@
# Atril profile
noblacklist ~/.config/atril
noblacklist ~/.local/share
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
nogroups
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin atril, atril-previewer, atril-thumbnailer
private-dev
private-tmp
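Review bot: `noblacklist ~/.local/share` names the whole data directory rather than a subdirectory, which is far broader than the `noblacklist ~/.config/atril` line above it and than the other viewers in this commit (eog, eom, evince). Whether noblacklist matches by exact path or by prefix decides the effect: by prefix it re-exposes everything disable-common.inc and disable-programs.inc hide under ~/.local/share, including the kwalletd and evolution directories; by exact match it only affects ~/.local/share itself. Either way the entry should name the specific path atril needs and carry a comment saying what that is. The `private-bin atril, atril-previewer, atril-thumbnailer` list has spaces after the commas, unlike every other private-bin line in the commit (`private-bin evince,evince-previewer,evince-thumbnailer`); unless the parser is known to strip them, the spaces become part of the binary names.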

@ -0,0 +1,11 @@
# Audacious media player profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp

@ -0,0 +1,21 @@
# Audacity profile
noblacklist ~/.audacity-data
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
protocol unix
seccomp
shell none
tracelog
private-bin audacity
private-dev
private-tmp
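Review bot: `netfilter` is combined with `protocol unix`, which denies inet/inet6 sockets, so the network filter has nothing to apply to. This is harmless but misleading about what the sandbox allows; drop `netfilter` or, if Audacity is expected to reach the network, extend the protocol line. The eog hunk has the same pairing, and the feh hunk goes further by listing `netfilter` together with `net none`, where the filter is certainly dead; remove `netfilter` there too.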

@ -0,0 +1,25 @@
# Firejail profile for aweather.
noblacklist ~/.config/aweather
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelist
mkdir ~/.config/aweather
whitelist ~/.config/aweather
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin aweather
private-dev
private-tmp

@ -0,0 +1,14 @@
# BitlBee instant messaging profile
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
netfilter
nonewprivs
private
private-dev
protocol unix,inet,inet6
seccomp
nosound
read-write /var/lib/bitlbee
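Review bot: No capability directive appears in this profile, so the daemon keeps whatever capabilities it started with; the other profiles in this commit either say `caps.drop all` or, for dnsmasq, `caps`. If bitlbee needs privileges to bind its port or switch user, express that as an explicit `caps.keep` list with a comment rather than by omission; if it does not, add `caps.drop all` after `include /etc/firejail/disable-programs.inc`. `noroot`, `nogroups` and `shell none`, used by nearly every other profile here, are also absent — expected for a daemon started as root, but worth a sentence in the header comment.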

@ -0,0 +1,18 @@
# Profile for Brave browser
noblacklist ~/.config/brave
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
whitelist ${DOWNLOADS}
mkdir ~/.config/brave
whitelist ~/.config/brave

@ -0,0 +1,19 @@
# cherrytree note taking application
noblacklist /usr/bin/python2*
noblacklist /usr/lib/python3*
noblacklist ${HOME}/.config/cherrytree
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
seccomp
protocol unix,inet,inet6,netlink
tracelog
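Review bot: The two python noblacklist lines disagree on the version: `noblacklist /usr/bin/python2*` re-exposes the Python 2 interpreter while `noblacklist /usr/lib/python3*` re-exposes the Python 3 library tree, so whichever version cherrytree actually uses has only half of its files covered. disable-devel.inc in this commit keeps all python blacklists commented out, so both lines are currently no-ops, but the mismatch will bite as soon as those are enabled; make the pair consistent, e.g. `noblacklist /usr/lib/python2*` if cherrytree is a Python 2 application. A short comment naming the version would also document why disable-devel.inc is still included.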

@ -0,0 +1,2 @@
# Chromium browser profile
include /etc/firejail/chromium.profile

@ -0,0 +1,31 @@
# Chromium browser profile
noblacklist ~/.config/chromium
noblacklist ~/.cache/chromium
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
netfilter
whitelist ${DOWNLOADS}
mkdir ~/.config/chromium
whitelist ~/.config/chromium
mkdir ~/.cache/chromium
whitelist ~/.cache/chromium
mkdir ~/.pki
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
# specific to Arch
whitelist ~/.config/chromium-flags.conf
include /etc/firejail/whitelist-common.inc
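Review bot: This profile has no `caps.drop all`, `nonewprivs`, `noroot`, `seccomp` or `protocol` line, while the Brave hunk — a browser on the same engine — has all of them. If these were left out because they interfere with Chromium's own sandbox helper, that is exactly the kind of reason that needs a comment next to `netfilter` (the commit already does this for the disable-devel.inc omission); if not, the Brave set should be added. The lone `#` after the disable-devel comment is an empty comment line and can go.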

@ -0,0 +1,24 @@
# claws-mail profile
noblacklist ~/.claws-mail
noblacklist ~/.signature
noblacklist ~/.gnupg
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
nosound
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp
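Review bot: `noblacklist ~/.gnupg` re-exposes the directory that disable-common.inc hides under its `# top secret` block, and does so without a comment. For a mail client with GPG signing this is intended, but the line deserves `# needed for GPG signing/encryption` so it is not removed as a mistake during a later hardening pass. The evolution hunk has the same line and the same remark applies.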

@ -0,0 +1,11 @@
# Clementine media player profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp

@ -0,0 +1,18 @@
# cmus profile
noblacklist ${HOME}/.config/cmus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
private-bin cmus
private-etc group
shell none
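Review bot: `private-etc group` leaves only /etc/group visible, yet the profile allows inet/inet6 sockets and enables `netfilter`. If cmus is expected to play network streams, name resolution needs at least resolv.conf and nsswitch.conf from /etc as well (for example `private-etc group,passwd,resolv.conf,nsswitch.conf,hosts`); if it is meant for local files only, change the protocol line to `protocol unix` and drop `netfilter` so the two settings agree. Either choice should be stated in a comment.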

@ -0,0 +1,24 @@
# Firejail profile for Conkeror web browser profile
noblacklist ${HOME}/.conkeror.mozdev.org
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
whitelist ~/.conkeror.mozdev.org
whitelist ~/Downloads
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.gtkrc-2.0
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.conkerorrc
include /etc/firejail/whitelist-common.inc
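Review bot: `whitelist ~/Downloads` hard-codes the directory name, while the other browser profiles in this commit use `whitelist ${DOWNLOADS}`, which follows the user's configured download directory; switch to the macro. The noblacklist line uses `${HOME}` and the matching whitelist uses `~` for the same path — pick one form. There is also no `mkdir ~/.conkeror.mozdev.org` before its whitelist, unlike the Dillo and Firefox hunks, so on a first run the directory is presumably not created inside the sandbox.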

@ -0,0 +1,12 @@
# Firejail corebird profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
noroot
protocol unix,inet,inet6
seccomp
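Review bot: `nonewprivs` is missing; every other desktop profile in this commit pairs `caps.drop all` with it, and without it a setuid binary reachable from the sandbox can still raise its privileges on exec. Add `nonewprivs` after `netfilter`. `nogroups`, `shell none` and `private-dev` are also absent relative to the sibling profiles, but those are optional tightening rather than an inconsistency.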

@ -0,0 +1,21 @@
# cpio profile
# /sbin and /usr/sbin are visible inside the sandbox
# /boot is not visible and /var is heavily modified
quiet
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
private-dev
seccomp
caps.drop all
net none
shell none
tracelog
net none
nosound
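Review bot: `net none` appears twice in this profile; delete the second occurrence. The profile also has no `noroot` or `nonewprivs` — plausibly deliberate since cpio is run as root to preserve ownership (the `noblacklist /sbin` lines point that way), but the header comment should say so, as it already explains the /sbin visibility.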

@ -0,0 +1,50 @@
# Firejail profile for Cyberfox (based on Mozilla Firefox)
noblacklist ~/.8pecxstudios
noblacklist ~/.cache/8pecxstudios
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.8pecxstudios
whitelist ~/.8pecxstudios
mkdir ~/.cache/8pecxstudios
whitelist ~/.cache/8pecxstudios
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse

@ -0,0 +1,13 @@
# DeaDBeeF media player profile
noblacklist ${HOME}/.config/deadbeef
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp

@ -0,0 +1,15 @@
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
#blacklist ${HOME}/.wine
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
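Review bot: `#blacklist ${HOME}/.wine` is a commented-out directive with no explanation, and disable-programs.inc in this same commit already blacklists `${HOME}/.wine`, so the line is redundant as well as dead; remove it. Because this is the fallback profile for every program without its own, it is also the place where missing defaults matter most — `nogroups` and `shell none`, used by most specific profiles here, would be reasonable additions if they do not break common applications.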

@ -0,0 +1,20 @@
# deluge bittorrernt client profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# deluge is using python on Debian
#include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
#private-bin deluge,sh,python,uname
private-dev
private-tmp
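Review bot: `#private-bin deluge,sh,python,uname` is a disabled directive with no comment, unlike the disable-devel.inc line above it which explains itself. Either enable it or replace it with a comment stating why private-bin is not used, so a later reader does not re-enable it blindly.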

@ -0,0 +1,23 @@
# Firejail profile for Dillo web browser
noblacklist ~/.dillo
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.dillo
whitelist ~/.dillo
mkdir ~/.fltk
whitelist ~/.fltk
include /etc/firejail/whitelist-common.inc

@ -0,0 +1,177 @@
# Local customizations come here
include /etc/firejail/disable-common.local
# History files in $HOME
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.*_history
blacklist ${HOME}/.local/share/systemd
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.macromedia
read-only ${HOME}/.local/share/applications
# X11 session autostart
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.config/autostart
blacklist /etc/xdg/autostart
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.config/plasma-workspace/shutdown
blacklist ${HOME}/.config/plasma-workspace/env
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.fluxbox/startup
blacklist ${HOME}/.config/openbox/autostart
blacklist ${HOME}/.config/openbox/environment
blacklist ${HOME}/.gnomerc
blacklist /etc/X11/Xsession.d/
# VirtualBox
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/VirtualBox VMs
blacklist ${HOME}/.config/VirtualBox
# VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/veracrypt
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist ${HOME}/.VeraCrypt
# var
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock
# etc
blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
# General startup files
read-only ${HOME}/.xinitrc
read-only ${HOME}/.xserverrc
read-only ${HOME}/.profile
# Shell startup files
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_login
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bash_logout
read-only ${HOME}/.zsh.d
read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
read-only ${HOME}/.zlogin
read-only ${HOME}/.zprofile
read-only ${HOME}/.zlogout
read-only ${HOME}/.zsh_files
read-only ${HOME}/.tcshrc
read-only ${HOME}/.cshrc
read-only ${HOME}/.csh_files
read-only ${HOME}/.profile
# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles
read-only ${HOME}/dotfiles
read-only ${HOME}/.mailcap
read-only ${HOME}/.exrc
read-only ${HOME}/_exrc
read-only ${HOME}/.vimrc
read-only ${HOME}/_vimrc
read-only ${HOME}/.gvimrc
read-only ${HOME}/_gvimrc
read-only ${HOME}/.vim
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d
read-only ${HOME}/.nano
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.msmtprc
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
# The user ~/bin directory can override commands such as ls
read-only ${HOME}/bin
# top secret
blacklist ${HOME}/.ssh
blacklist ${HOME}/.cert
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.netrc
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.caff
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.key
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist /etc/shadow
blacklist /etc/gshadow
blacklist /etc/passwd-
blacklist /etc/group-
blacklist /etc/shadow-
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/group+
blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup
# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
blacklist ${PATH}/evtest
blacklist ${PATH}/xev
blacklist ${PATH}/strace
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin
# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*
# disable terminals running as server resulting in sandbox escape
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
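Review bot: `read-only ${HOME}/.profile` appears twice (under `# General startup files` and again at the end of the shell startup list); drop one. Several files are both blacklisted and made read-only — `.xinitrc`, `.muttrc`, `.mutt/muttrc` and `.msmtprc` each appear in a `read-only` line and later in a `blacklist` line — and since a blacklisted path is hidden entirely, the read-only entries for them are dead and should be removed to keep the two lists honest. `read-only ${HOME}/.iscreenrc` looks like a typo for GNU screen's `.screenrc`; confirm which program reads that name.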

@ -0,0 +1,66 @@
# Local customizations come here
include /etc/firejail/disable-devel.local
# development tools
# GCC
blacklist /usr/include
#blacklist /usr/lib/gcc - seems to create problems on Gentoo
blacklist /usr/bin/gcc*
blacklist /usr/bin/cpp*
blacklist /usr/bin/c9*
blacklist /usr/bin/c8*
blacklist /usr/bin/c++*
blacklist /usr/bin/as
blacklist /usr/bin/ld
blacklist /usr/bin/gdb
blacklist /usr/bin/g++*
blacklist /usr/bin/x86_64-linux-gnu-g++*
blacklist /usr/bin/x86_64-linux-gnu-gcc*
blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
# clang/llvm
blacklist /usr/bin/clang*
blacklist /usr/bin/llvm*
blacklist /usr/bin/lldb*
blacklist /usr/lib/llvm*
# tcc - Tiny C Compiler
blacklist /usr/bin/tcc
blacklist /usr/bin/x86_64-tcc
blacklist /usr/lib/tcc
# Valgrind
blacklist /usr/bin/valgrind*
blacklist /usr/lib/valgrind
# Perl
blacklist /usr/bin/perl
blacklist /usr/bin/cpan*
blacklist /usr/share/perl*
blacklist /usr/lib/perl*
# PHP
blacklist /usr/bin/php*
blacklist /usr/share/php*
blacklist /usr/lib/php*
# Ruby
blacklist /usr/bin/ruby
blacklist /usr/lib/ruby
# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
# Python 2
#blacklist /usr/bin/python2*
#blacklist /usr/lib/python2*
#blacklist /usr/local/lib/python2*
#blacklist /usr/include/python2*
#blacklist /usr/share/python2*
#
# Python 3
#blacklist /usr/bin/python3*
#blacklist /usr/lib/python3*
#blacklist /usr/local/lib/python3*
#blacklist /usr/share/python3*
#blacklist /usr/include/python3*
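Review bot: The gcc/g++ entries cover both the plain names and the `x86_64-linux-gnu-` target-prefixed variants, but the binutils entries do not: only `/usr/bin/as` and `/usr/bin/ld` are listed, while the actual linker binaries `ld.bfd` and `ld.gold` and the prefixed `x86_64-linux-gnu-as`/`x86_64-linux-gnu-ld*` that `ld` and `as` typically resolve to stay visible. Add `blacklist /usr/bin/ld.*`, `blacklist /usr/bin/x86_64-linux-gnu-as` and `blacklist /usr/bin/x86_64-linux-gnu-ld*` alongside the existing lines, mirroring the gcc pattern; the `x86_64-unknown-linux-gnu-` spelling used for gcc below deserves the same treatment.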

@ -0,0 +1,10 @@
# Local customizations come here
include /etc/firejail/disable-passwdmgr.local
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
blacklist ${HOME}/keepassx.kdbx
blacklist ${HOME}/.config/keepassx
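Review bot: The list covers `~/.lastpass`, `~/.keepassx`, `~/.config/keepassx` and `~/keepassx.kdbx`, but not `~/.config/lastpass`, which the browser profiles in this commit treat as password-manager data (they whitelist it next to `~/.lastpass`). If that directory can hold credentials, add `blacklist ${HOME}/.config/lastpass` here so profiles that include this file hide it; otherwise the browsers' whitelist of it is unnecessary.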

@ -0,0 +1,167 @@
# Local customizations come here
include /etc/firejail/disable-programs.local
# various programs
blacklist ${HOME}/.Atom
blacklist ${HOME}/.remmina
blacklist ${HOME}/.tconn
blacklist ${HOME}/.FBReader
blacklist ${HOME}/.wine
blacklist ${HOME}/.Mathematica
blacklist ${HOME}/.Wolfram Research
blacklist ${HOME}/.stellarium
blacklist ${HOME}/.config/Atom
blacklist ${HOME}/.config/gthumb
blacklist ${HOME}/.config/mupen64plus
blacklist ${HOME}/.config/transmission
blacklist ${HOME}/.config/uGet
blacklist ${HOME}/.config/Gpredict
blacklist ${HOME}/.config/aweather
blacklist ${HOME}/.config/stellarium
blacklist ${HOME}/.config/atril
blacklist ${HOME}/.config/xreader
blacklist ${HOME}/.config/xviewer
blacklist ${HOME}/.config/libreoffice
blacklist ${HOME}/.config/pix
blacklist ${HOME}/.config/mate/eom
blacklist ${HOME}/.kde/share/apps/okular
blacklist ${HOME}/.kde/share/config/okularrc
blacklist ${HOME}/.kde/share/config/okularpartrc
blacklist ${HOME}/.kde/share/apps/gwenview
blacklist ${HOME}/.kde/share/config/gwenviewrc
blacklist ${HOME}/.config/qpdfview
blacklist ${HOME}/.config/Luminance
blacklist ${HOME}/.config/synfig
blacklist ${HOME}/.synfig
blacklist ${HOME}/.inkscape
blacklist ${HOME}/.gimp*
blacklist ${HOME}/.config/zathura
blacklist ${HOME}/.config/cherrytree
blacklist ${HOME}/.xpdfrc
blacklist ${HOME}/.openshot
blacklist ${HOME}/.openshot_qt
blacklist ${HOME}/.flowblade
blacklist ${HOME}/.config/flowblade
blacklist ${HOME}/.config/eog
# Media players
blacklist ${HOME}/.config/cmus
blacklist ${HOME}/.config/deadbeef
blacklist ${HOME}/.config/spotify
blacklist ${HOME}/.config/vlc
blacklist ${HOME}/.config/mpv
blacklist ${HOME}/.config/totem
blacklist ${HOME}/.config/xplayer
blacklist ${HOME}/.audacity-data
# HTTP / FTP / Mail
blacklist ${HOME}/.icedove
blacklist ${HOME}/.thunderbird
blacklist ${HOME}/.sylpheed-2.0
blacklist ${HOME}/.config/midori
blacklist ${HOME}/.mozilla
blacklist ${HOME}/.config/chromium
blacklist ${HOME}/.config/google-chrome
blacklist ${HOME}/.config/google-chrome-beta
blacklist ${HOME}/.config/google-chrome-unstable
blacklist ${HOME}/.config/opera
blacklist ${HOME}/.config/opera-beta
blacklist ${HOME}/.opera
blacklist ${HOME}/.config/vivaldi
blacklist ${HOME}/.filezilla
blacklist ${HOME}/.config/filezilla
blacklist ${HOME}/.dillo
blacklist ${HOME}/.conkeror.mozdev.org
blacklist ${HOME}/.config/epiphany
blacklist ${HOME}/.config/slimjet
blacklist ${HOME}/.config/qutebrowser
blacklist ${HOME}/.8pecxstudios
blacklist ${HOME}/.config/brave
blacklist ${HOME}/.config/inox
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.config/evolution
blacklist ${HOME}/.local/share/evolution
blacklist ${HOME}/.cache/evolution
# Instant Messaging
blacklist ${HOME}/.config/hexchat
blacklist ${HOME}/.mcabber
blacklist ${HOME}/.mcabberrc
blacklist ${HOME}/.purple
blacklist ${HOME}/.config/psi+
blacklist ${HOME}/.retroshare
blacklist ${HOME}/.weechat
blacklist ${HOME}/.config/xchat
blacklist ${HOME}/.Skype
blacklist ${HOME}/.config/skypeforlinux
blacklist ${HOME}/.config/tox
blacklist ${HOME}/.TelegramDesktop
blacklist ${HOME}/.config/Gitter
blacklist ${HOME}/.config/Franz
blacklist ${HOME}/.jitsi
blacklist ${HOME}/.config/Slack
blacklist ${HOME}/.cache/gajim
blacklist ${HOME}/.local/share/gajim
blacklist ${HOME}/.config/gajim
# Games
blacklist ${HOME}/.hedgewars
blacklist ${HOME}/.steam
blacklist ${HOME}/.config/wesnoth
blacklist ${HOME}/.config/0ad
blacklist ${HOME}/.warzone2100-3.1
blacklist ${HOME}/.dosbox
# Cryptocoins
blacklist ${HOME}/.*coin
blacklist ${HOME}/.electrum*
blacklist ${HOME}/wallet.dat
# git, subversion
blacklist ${HOME}/.subversion
blacklist ${HOME}/.gitconfig
blacklist ${HOME}/.git-credential-cache
# cache
blacklist ${HOME}/.cache/mozilla
blacklist ${HOME}/.cache/chromium
blacklist ${HOME}/.cache/google-chrome
blacklist ${HOME}/.cache/google-chrome-beta
blacklist ${HOME}/.cache/google-chrome-unstable
blacklist ${HOME}/.cache/opera
blacklist ${HOME}/.cache/opera-beta
blacklist ${HOME}/.cache/vivaldi
blacklist ${HOME}/.cache/epiphany
blacklist ${HOME}/.cache/slimjet
blacklist ${HOME}/.cache/qutebrowser
blacklist ${HOME}/.cache/spotify
blacklist ${HOME}/.cache/thunderbird
blacklist ${HOME}/.cache/icedove
blacklist ${HOME}/.cache/transmission
blacklist ${HOME}/.cache/wesnoth
blacklist ${HOME}/.cache/0ad
blacklist ${HOME}/.cache/8pecxstudios
blacklist ${HOME}/.cache/xreader
blacklist ${HOME}/.cache/Franz
# share
blacklist ${HOME}/.local/share/epiphany
blacklist ${HOME}/.local/share/mupen64plus
blacklist ${HOME}/.local/share/spotify
blacklist ${HOME}/.local/share/steam
blacklist ${HOME}/.local/share/wesnoth
blacklist ${HOME}/.local/share/0ad
blacklist ${HOME}/.local/share/xplayer
blacklist ${HOME}/.local/share/totem
blacklist ${HOME}/.local/share/psi+
blacklist ${HOME}/.local/share/pix
blacklist ${HOME}/.local/share/gnome-chess
blacklist ${HOME}/.local/share/qpdfview
blacklist ${HOME}/.local/share/zathura
# ssh
blacklist /tmp/ssh-*
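Review bot: `blacklist ${HOME}/.local/share/steam` uses a lowercase name; Steam's data directory is conventionally `~/.local/share/Steam`, and blacklist paths are case-sensitive, so this entry is presumably a no-op — confirm against an installation and correct the case. `blacklist ${HOME}/.*coin` is a broad glob that also catches unrelated dot-directories ending in "coin"; a comment listing the wallets it is meant to cover would help reviewers judge future additions.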

@ -0,0 +1,14 @@
# security profile for dnscrypt-proxy
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
private
private-dev
nosound
no3d
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
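Review bot: `perf_event_open` is listed twice in the `seccomp.drop` line (once after `lookup_dcookie` and again at the end); remove the duplicate. If the list is simply the default syscall blacklist spelled out, plain `seccomp` as used by the other profiles is easier to keep current; if it is intentionally different, a comment naming the difference is needed. The profile also has no capability directive and no `nonewprivs`, unlike the dnsmasq daemon profile, which at least states `caps` and `nonewprivs`.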

@ -0,0 +1,17 @@
# dnsmasq profile
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-devel.inc
caps
netfilter
nonewprivs
private
private-dev
nosound
no3d
protocol unix,inet,inet6,netlink
seccomp
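Review bot: `caps` keeps the full capability set, whereas a DNS/DHCP daemon needs only a few; `caps.keep` with an explicit list such as `caps.keep net_bind_service,net_admin,net_raw,setuid,setgid` (adjusted to what the installed build actually uses) both documents and limits what the sandbox grants. The hunk also does not set `noroot`, which is expected for a daemon started as root, but a one-line comment saying so would prevent it being "fixed" later.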

@ -0,0 +1,21 @@
# Firejail profile for dosbox
noblacklist ~/.dosbox
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin dosbox
private-dev
private-tmp

@ -0,0 +1,21 @@
# dropbox profile
noblacklist ~/.config/autostart
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
mkdir ~/Dropbox
whitelist ~/Dropbox
mkdir ~/.dropbox
whitelist ~/.dropbox
mkdir ~/.dropbox-dist
whitelist ~/.dropbox-dist
mkfile ~/.config/autostart/dropbox.desktop
whitelist ~/.config/autostart/dropbox.desktop
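Review bot: `caps` keeps all capabilities for a user-level sync client, while every other desktop profile in this commit uses `caps.drop all`; there is no visible reason dropbox needs any, so replace it with `caps.drop all`. The profile also re-exposes `~/.config/autostart` (hidden by disable-common.inc precisely because entries there run unsandboxed at login) and whitelists `dropbox.desktop` writable, so a compromised sandboxed dropbox could rewrite its own autostart entry; adding `read-only ~/.config/autostart/dropbox.desktop` after the whitelist keeps the entry visible without making it a persistence path.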

@ -0,0 +1,17 @@
# emacs profile
noblacklist ~/.emacs
noblacklist ~/.emacs.d
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
protocol unix,inet,inet6
seccomp
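Review bot: `noblacklist ~/.emacs` and `noblacklist ~/.emacs.d` undo blacklists, but disable-common.inc in this commit does not blacklist those paths — it marks them `read-only` under `# Initialization files that allow arbitrary command execution`, and noblacklist does not lift a read-only mount. As written, emacs inside the sandbox presumably cannot save its customizations or install packages into ~/.emacs.d; if writing is intended the lines should be `read-write ~/.emacs.d` (accepting that the sandbox can then alter its own startup code), and if not, the two noblacklist lines are no-ops and should go. A comment stating the chosen trade-off belongs either way.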

@ -0,0 +1,10 @@
# Empathy instant messaging profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
protocol unix,inet,inet6
seccomp
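Review bot: `noroot` is missing from this profile although `caps.drop all`, `nonewprivs` and `seccomp` are set, so the sandbox still presents the real root user to the program; add `noroot` after `nonewprivs` unless the Telepathy components are known to break under it — in which case say so in a comment. The Epiphany hunk has the same omission. disable-passwdmgr.inc, included by most sibling profiles, is also not included here.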

@ -0,0 +1,23 @@
# eog (gnome image viewer) profile
noblacklist ~/.config/eog
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
protocol unix
seccomp
shell none
private-bin eog
private-dev
private-etc fonts
private-tmp

@ -0,0 +1,21 @@
# Firejail profile for Eye of Mate (eom)
noblacklist ~/.config/mate/eom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin eom
private-dev
private-tmp

@ -0,0 +1,23 @@
# Epiphany browser profile
noblacklist ${HOME}/.config/epiphany
noblacklist ${HOME}/.cache/epiphany
noblacklist ${HOME}/.local/share/epiphany
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
whitelist ${DOWNLOADS}
mkdir ${HOME}/.local/share/epiphany
whitelist ${HOME}/.local/share/epiphany
mkdir ${HOME}/.config/epiphany
whitelist ${HOME}/.config/epiphany
mkdir ${HOME}/.cache/epiphany
whitelist ${HOME}/.cache/epiphany
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nonewprivs
protocol unix,inet,inet6
seccomp

@ -0,0 +1,18 @@
# evince pdf reader profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin evince,evince-previewer,evince-thumbnailer
private-dev

@ -0,0 +1,25 @@
# evolution profile
noblacklist ~/.config/evolution
noblacklist ~/.local/share/evolution
noblacklist ~/.cache/evolution
noblacklist ~/.pki
noblacklist ~/.pki/nssdb
noblacklist ~/.gnupg
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp

@ -0,0 +1,21 @@
# fbreader ebook reader profile
noblacklist ${HOME}/.FBReader
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
private-bin fbreader,FBReader
whitelist /tmp/.X11-unix
private-dev
nosound
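Review bot: `nosound` is listed twice in this profile (after `noroot` and again as the last line); delete one. The FileZilla hunk has the same duplicated `nosound`. In both, `whitelist /tmp/.X11-unix` sits between the private-bin and private-dev lines — harmless, but grouping it with the other filesystem directives would match the layout of the rest of the commit.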

@ -0,0 +1,21 @@
# feh image viewer profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
protocol unix
netfilter
net none
nonewprivs
noroot
nogroups
nosound
shell none
private-bin feh
whitelist /tmp/.X11-unix
private-dev
private-etc feh

@ -0,0 +1,16 @@
# file profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-bin file
private-etc magic.mgc,magic,localtime
hostname file
private-dev
nosound
no3d
blacklist /tmp/.X11-unix

@ -0,0 +1,22 @@
# FileZilla ftp profile
noblacklist ${HOME}/.filezilla
noblacklist ${HOME}/.config/filezilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
whitelist /tmp/.X11-unix
private-dev
nosound

@ -0,0 +1,2 @@
# Firejail profile for Mozilla Firefox ESR
include /etc/firejail/firefox.profile

@ -0,0 +1,50 @@
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse

@ -0,0 +1,81 @@
# This is Firejail system-wide configuration file, see firejail-config(5) for
# more information. The file contains keyword-argument pairs, one per line.
# Most features are enabled by default. Use 'yes' or 'no' as configuration
# values.
# Enable or disable bind support, default enabled.
# bind yes
# Enable or disable chroot support, default enabled.
# chroot yes
# Use chroot for desktop programs, default enabled. The sandbox will have full
# access to system's /dev directory in order to allow video acceleration,
# and it will harden the rest of the chroot tree.
# chroot-desktop yes
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Enable or disable networking features, default enabled.
# network yes
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Remount /proc and /sys inside the sandbox, default enabled.
# remount-proc-sys yes
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable seccomp support, default enabled.
# seccomp yes
# Enable or disable user namespace support, default enabled.
# userns yes
# Enable or disable whitelisting support, default enabled.
# whitelist yes
# Enable or disable X11 sandboxing support, default enabled.
# x11 yes
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Xephyr command extra parameters. None by default, and the declaration is commented out.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
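Review bot: The `netfilter-default` description names the accepted file format as that of `iptables-save` and `iptable-restore`; the second is a typo for `iptables-restore` and sends readers to the wrong man page. The `force-nonewprivs` entry documents a concrete mitigation against tricking setuid or file-capability binaries, yet it ships disabled and the text does not say what an administrator gives up by enabling it; one sentence such as `# When enabled, sandboxed programs can no longer gain privileges through setuid binaries such as su or sudo.` would make the decision easier. The opening line also reads more naturally as `This is the Firejail system-wide configuration file`.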

@ -0,0 +1,39 @@
# SlimJet browser profile
# This is a whitelisted profile, the internal browser sandbox
# is disabled because it requires sudo password. The command
# to run it is as follows:
#
# firejail flashpeak-slimjet --no-sandbox
#
noblacklist ~/.config/slimjet
noblacklist ~/.cache/slimjet
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
whitelist ${DOWNLOADS}
mkdir ~/.config/slimjet
whitelist ~/.config/slimjet
mkdir ~/.cache/slimjet
whitelist ~/.cache/slimjet
mkdir ~/.pki
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
include /etc/firejail/whitelist-common.inc
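Review bot: The header documents launching with `--no-sandbox` but not what that costs: with the browser's own renderer isolation switched off, this profile becomes the only layer between web content and the user's session, which makes the disabled `disable-devel.inc` include more consequential than it would be in the Firefox profile above. Suggest extending the header with `# With --no-sandbox the browser's internal renderer isolation is off; this profile is then the only sandbox layer.` The `disable-devel.inc` line is commented out because of a perl script on Arch; if the blocker is a single interpreter path, a targeted `noblacklist` for that path (not shown on this page) would keep the rest of the include in force instead of dropping it entirely.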

@ -0,0 +1,13 @@
# OpenShot profile
noblacklist ${HOME}/.flowblade
noblacklist ${HOME}/.config/flowblade
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
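Review bot: The header comment says `# OpenShot profile` while every path in the file refers to Flowblade (`${HOME}/.flowblade`, `${HOME}/.config/flowblade`); it looks copied from another profile and should read `# Flowblade profile`. The profile also relies on blacklists alone, with no `whitelist` of the two noblacklisted directories as the Franz and Gajim profiles on this page do, so the rest of the home directory stays visible to the editor; if that is intentional a short comment saying so would stop it being "fixed" later.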

@ -0,0 +1,24 @@
# Franz profile
noblacklist ~/.config/Franz
noblacklist ~/.cache/Franz
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
#tracelog
nonewprivs
noroot
whitelist ${DOWNLOADS}
mkdir ~/.config/Franz
whitelist ~/.config/Franz
mkdir ~/.cache/Franz
whitelist ~/.cache/Franz
mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
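Review bot: `#tracelog` is commented out with no explanation, while the Firefox profile above enables it; either enable it here or record why it is off, e.g. `# tracelog disabled: <reason — confirm>`. Unlike the Gitter profile below, this one also omits `disable-passwdmgr.inc`; since Franz is a messaging client with no stated need for password-manager files, that looks like an omission rather than a choice, and adding the include alongside the other three would bring it in line with Gitter and Gajim.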

@ -0,0 +1,33 @@
# Firejail profile for Gajim
mkdir ${HOME}/.cache/gajim
mkdir ${HOME}/.local/share/gajim
mkdir ${HOME}/.config/gajim
mkdir ${HOME}/Downloads
# Allow the local python 2.7 site packages, in case any plugins are using these
mkdir ${HOME}/.local/lib/python2.7/site-packages/
whitelist ${HOME}/.local/lib/python2.7/site-packages/
read-only ${HOME}/.local/lib/python2.7/site-packages/
whitelist ${HOME}/.cache/gajim
whitelist ${HOME}/.local/share/gajim
whitelist ${HOME}/.config/gajim
whitelist ${HOME}/Downloads
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
protocol unix,inet,inet6
seccomp
shell none
#private-bin python2.7 gajim
private-dev
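Review bot: `mkdir ${HOME}/Downloads` and `whitelist ${HOME}/Downloads` hard-code the directory name, whereas the Firefox, SlimJet and Franz profiles use `whitelist ${DOWNLOADS}`, which follows the user's configured download location; the two lines can be replaced by `whitelist ${DOWNLOADS}`. The `read-only` applied to the python2.7 site-packages whitelist is the notable control here — plugins stay loadable while a compromised client cannot write persistent code into a directory Python imports from on every start — and the comment above it only mentions the first half; suggest `# read-only so a compromised client cannot plant code that is imported on the next start`. `#private-bin python2.7 gajim` is left commented without a reason; add one or remove the line.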

@ -0,0 +1,18 @@
# gimp
noblacklist ${HOME}/.gimp*
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix
seccomp
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
nogroups
nosound
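Review bot: `netfilter` paired with `protocol unix` is an odd combination: the protocol filter already denies inet/inet6 sockets, so there is no traffic for the packet filter to act on, and the intent — GIMP needs no network — is stated more directly by `net none`, as the file profile at the top of this page does. `noexec ${HOME}` and `noexec /tmp` are a useful hardening none of the sibling profiles use, but if user-installed plug-ins live under the noblacklisted `${HOME}/.gimp*` directory they will be blocked from running by it; a comment recording that this is accepted, e.g. `# noexec blocks user-installed plug-ins under ~/.gimp*; system-wide plug-ins are unaffected — confirm`, would keep the line from being removed as a bug.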

@ -0,0 +1,26 @@
# git profile
quiet
noblacklist ~/.gitconfig
noblacklist ~/.ssh
noblacklist ~/.gnupg
noblacklist ~/.emacs
noblacklist ~/.emacs.d
noblacklist ~/.viminfo
noblacklist ~/.vim
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
nosound
protocol unix,inet,inet6
seccomp
shell none
private-dev
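Review bot: The `noblacklist ~/.ssh` and `noblacklist ~/.gnupg` lines give the sandboxed git — and the editor it launches, which the `~/.emacs*` and `~/.vim*` exceptions show is expected to run inside the same sandbox — read/write access to the user's SSH and GPG key material, with no comment stating why that is acceptable. Add the rationale so the exposure is a recorded decision, e.g. `# ~/.ssh and ~/.gnupg are required for SSH remotes and signed commits; hooks and the editor run with the same access`.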

@ -0,0 +1,20 @@
# Firejail profile for Gitter
noblacklist ~/.config/Gitter
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6,netlink
seccomp
shell none
private-bin gitter
private-dev
private-tmp
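Review bot: This profile only carves `~/.config/Gitter` out of the blacklists, so everything in the home directory that `disable-common.inc` and `disable-programs.inc` do not cover stays readable by the chat client; the Franz profile above, for a comparable application, uses the whitelist form instead, which exposes only the named directories. The same shape would work here — presumably a cache directory exists as well, but the page does not show one, so only the config directory is listed below.
```text
# … unchanged: noblacklist, includes and hardening options …
mkdir ~/.config/Gitter
whitelist ~/.config/Gitter
whitelist ${DOWNLOADS}
include /etc/firejail/whitelist-common.inc
```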

@ -0,0 +1,22 @@
# Firejail profile for gnome-chess
noblacklist /.local/share/gnome-chess
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin fairymax,gnome-chess,hoichess
private-dev