master
51x 2019-05-12 14:11:43 +01:00
parent bf695e1588
commit 777ae32ba6
169 changed files with 3628 additions and 1 deletions


@ -0,0 +1,31 @@
# Firejail profile for 0ad.
noblacklist ~/.cache/0ad
noblacklist ~/.config/0ad
noblacklist ~/.local/share/0ad
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelists
mkdir ~/.cache/0ad
whitelist ~/.cache/0ad
mkdir ~/.config/0ad
whitelist ~/.config/0ad
mkdir ~/.local/share/0ad
whitelist ~/.local/share/0ad
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-dev
private-tmp
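Review bot: The `# Whitelists` block (`mkdir`/`whitelist` for `~/.cache/0ad`, `~/.config/0ad`, `~/.local/share/0ad`) is not closed with `include /etc/firejail/whitelist-common.inc`, unlike every other whitelisting profile in this commit (mathematica, abrowser, chromium, conkeror, dillo, epiphany all end their whitelist block with it). If that include carries the shared entries a whitelisted home needs — X authority, fonts, toolkit settings — this profile, and likewise the aweather, brave and dropbox sections, will be missing them; confirm and add `include /etc/firejail/whitelist-common.inc` after the last `whitelist` line. The hunk header announces 31 lines but 26 are rendered here, so the viewer has presumably dropped blank lines rather than directives.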


@ -0,0 +1,9 @@
# 7zip crompression tool profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-dev
nosound
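Review bot: `ignore noroot` discards the `noroot` line from the included default.profile, so the sandbox keeps the real root user namespace, and nothing in the file says why that weakening is needed; a one-line comment above it, e.g. `# ignore noroot: <reason, e.g. archive ownership handling>`, would keep a later cleanup from removing it. The file profile further down uses the same `ignore noroot` and would benefit from the same note. The header comment also has a typo: `# 7zip compression tool profile`.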


@ -0,0 +1,3 @@
# Firejail profile for Cyberfox (based on Mozilla Firefox)
include /etc/firejail/cyberfox.profile


@ -0,0 +1,20 @@
# Mathematica profile
noblacklist ${HOME}/.Mathematica
noblacklist ${HOME}/.Wolfram Research
mkdir ~/.Mathematica
whitelist ~/.Mathematica
mkdir ~/.Wolfram Research
whitelist ~/.Wolfram Research
whitelist ~/Documents/Wolfram Mathematica
include /etc/firejail/whitelist-common.inc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
seccomp
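Review bot: The file mixes `${HOME}` (`noblacklist ${HOME}/.Mathematica`, `noblacklist ${HOME}/.Wolfram Research`) with `~` (`mkdir ~/.Mathematica`, `whitelist ~/.Wolfram Research`) for the very same paths; the other profiles in this commit stick to one form per file, so pick one here. `whitelist ~/Documents/Wolfram Mathematica` is also the only whitelist entry in the block without a preceding `mkdir`, unlike the two above it; if that is deliberate (do not create the directory unless the user already has one), a short comment saying so would help.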


@ -0,0 +1,2 @@
# Telegram IRC profile
include /etc/firejail/telegram.profile


@ -0,0 +1,50 @@
# Firejail profile for Abrowser
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/abrowser
whitelist ~/.cache/mozilla/abrowser
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
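Review bot: `whitelist ~/keepassx.kdbx` has no matching `noblacklist`, while `disable-common.inc`, included near the top of this profile, contains `blacklist ${HOME}/*.kdbx`; every other whitelisted path in this commit that an include also blacklists is preceded by a `noblacklist` (here `noblacklist ~/.mozilla` before `whitelist ~/.mozilla`), which suggests the blacklist wins and this whitelist line grants nothing. If the database is meant to be reachable, add `noblacklist ~/keepassx.kdbx` next to the other `noblacklist` lines (confirm that a file-level noblacklist overrides the `*.kdbx` glob); if not, drop the whitelist so the profile does not advertise access it does not give. The same `whitelist ~/keepassx.kdbx` without `noblacklist` appears in the chromium, cyberfox and firefox sections.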


@ -0,0 +1,20 @@
# Firejail profile for Atom Beta.
noblacklist ~/.atom
noblacklist ~/.config/Atom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6,netlink
seccomp
shell none
private-dev
private-tmp
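Review bot: This section is identical to the Atom profile that follows it apart from the header comment. The commit already uses one-line alias profiles for exactly that situation (`include /etc/firejail/cyberfox.profile`, `include /etc/firejail/firefox.profile`), so `include /etc/firejail/atom.profile` here would keep the two from drifting apart. Both Atom profiles leave `disable-devel.inc` out; for an editor that is presumably intentional, but a comment in the style of deluge's `# deluge is using python on Debian` would record it.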


@ -0,0 +1,20 @@
# Firejail profile for Atom.
noblacklist ~/.atom
noblacklist ~/.config/Atom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6,netlink
seccomp
shell none
private-dev
private-tmp


@ -0,0 +1,21 @@
# Atril profile
noblacklist ~/.config/atril
noblacklist ~/.local/share
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
nogroups
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin atril, atril-previewer, atril-thumbnailer
private-dev
private-tmp
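Review bot: `noblacklist ~/.local/share` re-enables the whole directory rather than Atril's own data: if `noblacklist` matches by prefix, as its use on directories elsewhere in the commit suggests, it lifts every `blacklist ${HOME}/.local/share/...` entry in `disable-programs.inc` (epiphany, steam, spotify, gajim, ...) and `blacklist ${HOME}/.local/share/systemd` from `disable-common.inc` before those includes are even read. Narrow it to what Atril actually writes — presumably something like `noblacklist ~/.local/share/atril`; confirm against the application. Separately, `private-bin atril, atril-previewer, atril-thumbnailer` puts spaces after the commas while every other `private-bin` list in the commit is unspaced (`private-bin evince,evince-previewer,evince-thumbnailer`); unless the parser is known to trim them, match that form.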


@ -0,0 +1,11 @@
# Audacious media player profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -0,0 +1,21 @@
# Audacity profile
noblacklist ~/.audacity-data
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
protocol unix
seccomp
shell none
tracelog
private-bin audacity
private-dev
private-tmp
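Review bot: `netfilter` is paired with `protocol unix`, which already refuses inet/inet6 sockets, so the filter has no traffic to act on. If Audacity needs no network, as the protocol line implies, `net none` is the stronger and clearer statement (cpio, feh and file use it); if it does need network, the protocol line should read `protocol unix,inet,inet6`. The eog section has the same `netfilter` + `protocol unix` pairing.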


@ -0,0 +1,25 @@
# Firejail profile for aweather.
noblacklist ~/.config/aweather
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelist
mkdir ~/.config/aweather
whitelist ~/.config/aweather
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin aweather
private-dev
private-tmp


@ -0,0 +1,14 @@
# BitlBee instant messaging profile
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
netfilter
nonewprivs
private
private-dev
protocol unix,inet,inet6
seccomp
nosound
read-write /var/lib/bitlbee
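Review bot: This profile has no capability directive at all — neither `caps.drop all` nor the filtered `caps` that dnsmasq uses — and no `noroot`, so a sandboxed bitlbee keeps the full default capability set. BitlBee's default listener is on an unprivileged port, so if that holds here `caps.drop all` and `noroot` should fit; if an init script starts it as root to drop privileges itself, something like `caps.keep setuid,setgid` (adjusted to what it actually uses) is still far narrower than the default set. `read-write /var/lib/bitlbee` after `private` also deserves a comment noting it is the state directory that must outlive the private home.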


@ -0,0 +1,18 @@
# Profile for Brave browser
noblacklist ~/.config/brave
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
whitelist ${DOWNLOADS}
mkdir ~/.config/brave
whitelist ~/.config/brave


@ -0,0 +1,19 @@
# cherrytree note taking application
noblacklist /usr/bin/python2*
noblacklist /usr/lib/python3*
noblacklist ${HOME}/.config/cherrytree
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
seccomp
protocol unix,inet,inet6,netlink
tracelog
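Review bot: The two python `noblacklist` lines do not agree with each other: `noblacklist /usr/bin/python2*` re-enables the Python 2 interpreter while `noblacklist /usr/lib/python3*` re-enables the Python 3 library tree, so whichever version cherrytree runs on, half of it would stay blocked once those blacklists are active. At present both lines are no-ops, because the `disable-devel.inc` in this same commit keeps every python blacklist commented out (`#blacklist /usr/bin/python2*`, `#blacklist /usr/lib/python2*`, ...). Either make both lines the same major version — cherrytree at this date is a Python 2/GTK application as far as I know, so `/usr/lib/python2*` is the likely intent; confirm — or drop them with a comment pointing at the commented-out block.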


@ -0,0 +1,2 @@
# Chromium browser profile
include /etc/firejail/chromium.profile


@ -0,0 +1,31 @@
# Chromium browser profile
noblacklist ~/.config/chromium
noblacklist ~/.cache/chromium
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
netfilter
whitelist ${DOWNLOADS}
mkdir ~/.config/chromium
whitelist ~/.config/chromium
mkdir ~/.cache/chromium
whitelist ~/.cache/chromium
mkdir ~/.pki
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
# specific to Arch
whitelist ~/.config/chromium-flags.conf
include /etc/firejail/whitelist-common.inc
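Review bot: This profile sets none of `caps.drop all`, `nonewprivs`, `noroot`, `seccomp` or `protocol`, which every other browser section in the commit carries; the only hardening here is `netfilter` plus the whitelist. If that is deliberate because Chromium's built-in sandbox needs those privileges, the file should say so, e.g. above `netfilter`: `# no caps.drop/seccomp/noroot here: chromium's own sandbox needs them` — otherwise the next reader will "fix" it. The existing `# chromium is distributed with a perl script on Arch` note for the disabled `disable-devel.inc` include is the right model.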


@ -0,0 +1,24 @@
# claws-mail profile
noblacklist ~/.claws-mail
noblacklist ~/.signature
noblacklist ~/.gnupg
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
nosound
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp
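Review bot: `noblacklist ~/.gnupg` lifts a directory that `disable-common.inc` files under `# top secret`, giving the mail client read-write access to the whole keyring; that is expected for PGP mail, but the profile should say so and whether write access is actually required, e.g. `# ~/.gnupg: needed for PGP signing/decryption via gpg`. If claws only talks to the agent socket rather than the key files, a narrower exposure may be possible — confirm how it invokes gpg. The evolution section lifts `~/.gnupg`, `~/.pki` and `~/.pki/nssdb` the same way without comment.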


@ -0,0 +1,11 @@
# Clementine media player profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -0,0 +1,18 @@
# cmus profile
noblacklist ${HOME}/.config/cmus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
private-bin cmus
private-etc group
shell none
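Review bot: `private-etc group` builds an /etc containing only `group`, yet the profile enables networking (`netfilter`, `protocol unix,inet,inet6`); without `resolv.conf`, `nsswitch.conf` and `hosts` in that list, name resolution for stream URLs presumably fails inside the sandbox. Either extend the list — the file profile shows the shape, `private-etc magic.mgc,magic,localtime` — to `private-etc group,resolv.conf,nsswitch.conf,hosts` (plus `passwd` if cmus looks up the user), or, if cmus is only meant to play local files, replace the network lines with `net none`. Confirm which is intended before changing it.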


@ -0,0 +1,24 @@
# Firejail profile for Conkeror web browser profile
noblacklist ${HOME}/.conkeror.mozdev.org
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
whitelist ~/.conkeror.mozdev.org
whitelist ~/Downloads
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.lastpass
whitelist ~/.gtkrc-2.0
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.conkerorrc
include /etc/firejail/whitelist-common.inc
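Review bot: `whitelist ~/Downloads` hard-codes the directory name, while the other browser profiles in this commit use `whitelist ${DOWNLOADS}` (abrowser, brave, chromium, dillo, epiphany, firefox), which follows the user's configured download directory; change this line to `whitelist ${DOWNLOADS}`. `whitelist ~/.lastpass` is exposed here without the `.config/lastpass` and keepassx companions the firefox-family profiles carry; if that is a deliberate minimum, fine, but it reads as an oversight. The header also repeats a word: `# Firejail profile for Conkeror web browser`.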


@ -0,0 +1,12 @@
# Firejail corebird profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
noroot
protocol unix,inet,inet6
seccomp
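Review bot: `nonewprivs` is missing: this profile sets `caps.drop all`, `noroot` and `seccomp` but without `nonewprivs` a setuid binary executed inside the sandbox can still gain privileges on exec. Add `nonewprivs` between `netfilter` and `noroot`, matching the order used by the other profiles. The cpio section has the same gap (`caps.drop all` and `seccomp` with no `nonewprivs`, and no `noroot` either).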


@ -0,0 +1,21 @@
# cpio profile
# /sbin and /usr/sbin are visible inside the sandbox
# /boot is not visible and /var is heavily modified
quiet
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
private-dev
seccomp
caps.drop all
net none
shell none
tracelog
net none
nosound
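Review bot: `net none` appears twice, once after `caps.drop all` and again after `tracelog`; drop the second. The directive order also differs from the rest of the commit (`private-dev` and `seccomp` before `caps.drop all`), which changes nothing semantically but makes the profile harder to compare with its neighbours. The header's remark that /var is "heavily modified" presumably describes firejail's default treatment of /var rather than anything in this file — worth saying so, since nothing below touches /var.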


@ -0,0 +1,50 @@
# Firejail profile for Cyberfox (based on Mozilla Firefox)
noblacklist ~/.8pecxstudios
noblacklist ~/.cache/8pecxstudios
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.8pecxstudios
whitelist ~/.8pecxstudios
mkdir ~/.cache/8pecxstudios
whitelist ~/.cache/8pecxstudios
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse


@ -0,0 +1,13 @@
# DeaDBeeF media player profile
noblacklist ${HOME}/.config/deadbeef
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6
seccomp


@ -0,0 +1,15 @@
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
#blacklist ${HOME}/.wine
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
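Review bot: `#blacklist ${HOME}/.wine` is dead: `disable-programs.inc`, included two lines above it, already contains `blacklist ${HOME}/.wine`, so the commented line neither adds nor documents anything. Remove it, or turn it into a note such as `# ~/.wine is blacklisted by disable-programs.inc`. Since this generic profile is what the 7z and file profiles pull in through `include /etc/firejail/default.profile`, its header could state that role.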


@ -0,0 +1,20 @@
# deluge bittorrernt client profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# deluge is using python on Debian
#include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
#private-bin deluge,sh,python,uname
private-dev
private-tmp
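Review bot: Typo in the header: `# deluge bittorrent client profile`. The commented-out `#private-bin deluge,sh,python,uname` carries no explanation, unlike the disabled `disable-devel.inc` include just above it which gets `# deluge is using python on Debian`; either drop it or say why it is off (presumably it broke on some distribution — confirm).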


@ -0,0 +1,23 @@
# Firejail profile for Dillo web browser
noblacklist ~/.dillo
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.dillo
whitelist ~/.dillo
mkdir ~/.fltk
whitelist ~/.fltk
include /etc/firejail/whitelist-common.inc


@ -0,0 +1,177 @@
# Local customizations come here
include /etc/firejail/disable-common.local
# History files in $HOME
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.*_history
blacklist ${HOME}/.local/share/systemd
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.macromedia
read-only ${HOME}/.local/share/applications
# X11 session autostart
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.config/autostart
blacklist /etc/xdg/autostart
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.config/plasma-workspace/shutdown
blacklist ${HOME}/.config/plasma-workspace/env
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.fluxbox/startup
blacklist ${HOME}/.config/openbox/autostart
blacklist ${HOME}/.config/openbox/environment
blacklist ${HOME}/.gnomerc
blacklist /etc/X11/Xsession.d/
# VirtualBox
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/VirtualBox VMs
blacklist ${HOME}/.config/VirtualBox
# VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/veracrypt
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist ${HOME}/.VeraCrypt
# var
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock
# etc
blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
# General startup files
read-only ${HOME}/.xinitrc
read-only ${HOME}/.xserverrc
read-only ${HOME}/.profile
# Shell startup files
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_login
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bash_logout
read-only ${HOME}/.zsh.d
read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
read-only ${HOME}/.zlogin
read-only ${HOME}/.zprofile
read-only ${HOME}/.zlogout
read-only ${HOME}/.zsh_files
read-only ${HOME}/.tcshrc
read-only ${HOME}/.cshrc
read-only ${HOME}/.csh_files
read-only ${HOME}/.profile
# Initialization files that allow arbitrary command execution
read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles
read-only ${HOME}/dotfiles
read-only ${HOME}/.mailcap
read-only ${HOME}/.exrc
read-only ${HOME}/_exrc
read-only ${HOME}/.vimrc
read-only ${HOME}/_vimrc
read-only ${HOME}/.gvimrc
read-only ${HOME}/_gvimrc
read-only ${HOME}/.vim
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d
read-only ${HOME}/.nano
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.msmtprc
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
# The user ~/bin directory can override commands such as ls
read-only ${HOME}/bin
# top secret
blacklist ${HOME}/.ssh
blacklist ${HOME}/.cert
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.netrc
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.caff
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.key
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist /etc/shadow
blacklist /etc/gshadow
blacklist /etc/passwd-
blacklist /etc/group-
blacklist /etc/shadow-
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/group+
blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup
# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
blacklist ${PATH}/evtest
blacklist ${PATH}/xev
blacklist ${PATH}/strace
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin
# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*
# disable terminals running as server resulting in sandbox escape
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
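Review bot: Several paths get more than one rule in this file: `read-only ${HOME}/.profile` is listed under both `# General startup files` and `# Shell startup files`; `${HOME}/.xinitrc` is blacklisted in the `# X11 session autostart` block and then marked `read-only` further down; and `${HOME}/.muttrc`, `${HOME}/.mutt/muttrc` and `${HOME}/.msmtprc` are `read-only` under `# Initialization files ...` and then `blacklist`ed under `# top secret`, where the blacklist makes the read-only moot. Keep one rule per path (the blacklist where both exist) so the effective policy can be read off the file. `read-only ${HOME}/.iscreenrc` looks like a typo for GNU screen's `~/.screenrc` — confirm. The mutt/msmtp paths are blacklisted a third time in `disable-programs.inc`, so one home for them would be clearer.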


@ -0,0 +1,66 @@
# Local customizations come here
include /etc/firejail/disable-devel.local
# development tools
# GCC
blacklist /usr/include
#blacklist /usr/lib/gcc - seems to create problems on Gentoo
blacklist /usr/bin/gcc*
blacklist /usr/bin/cpp*
blacklist /usr/bin/c9*
blacklist /usr/bin/c8*
blacklist /usr/bin/c++*
blacklist /usr/bin/as
blacklist /usr/bin/ld
blacklist /usr/bin/gdb
blacklist /usr/bin/g++*
blacklist /usr/bin/x86_64-linux-gnu-g++*
blacklist /usr/bin/x86_64-linux-gnu-gcc*
blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
# clang/llvm
blacklist /usr/bin/clang*
blacklist /usr/bin/llvm*
blacklist /usr/bin/lldb*
blacklist /usr/lib/llvm*
# tcc - Tiny C Compiler
blacklist /usr/bin/tcc
blacklist /usr/bin/x86_64-tcc
blacklist /usr/lib/tcc
# Valgrind
blacklist /usr/bin/valgrind*
blacklist /usr/lib/valgrind
# Perl
blacklist /usr/bin/perl
blacklist /usr/bin/cpan*
blacklist /usr/share/perl*
blacklist /usr/lib/perl*
# PHP
blacklist /usr/bin/php*
blacklist /usr/share/php*
blacklist /usr/lib/php*
# Ruby
blacklist /usr/bin/ruby
blacklist /usr/lib/ruby
# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
# Python 2
#blacklist /usr/bin/python2*
#blacklist /usr/lib/python2*
#blacklist /usr/local/lib/python2*
#blacklist /usr/include/python2*
#blacklist /usr/share/python2*
#
# Python 3
#blacklist /usr/bin/python3*
#blacklist /usr/lib/python3*
#blacklist /usr/local/lib/python3*
#blacklist /usr/share/python3*
#blacklist /usr/include/python3*
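Review bot: `blacklist /usr/bin/c9*` and `blacklist /usr/bin/c8*` are opaque globs; if they target the POSIX `c99`/`c89` compiler front-ends, say so above them: `# c89/c99 front-ends (matched by the c8*/c9* globs)`. The `# Programs using python: ...` comment that explains the commented-out python block is the right model — the GCC block would benefit from the same kind of note on what is and is not covered (for example, only the `x86_64-*` prefixed gcc/g++ names are listed).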


@ -0,0 +1,10 @@
# Local customizations come here
include /etc/firejail/disable-passwdmgr.local
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
blacklist ${HOME}/keepassx.kdbx
blacklist ${HOME}/.config/keepassx


@ -0,0 +1,167 @@
# Local customizations come here
include /etc/firejail/disable-programs.local
# various programs
blacklist ${HOME}/.Atom
blacklist ${HOME}/.remmina
blacklist ${HOME}/.tconn
blacklist ${HOME}/.FBReader
blacklist ${HOME}/.wine
blacklist ${HOME}/.Mathematica
blacklist ${HOME}/.Wolfram Research
blacklist ${HOME}/.stellarium
blacklist ${HOME}/.config/Atom
blacklist ${HOME}/.config/gthumb
blacklist ${HOME}/.config/mupen64plus
blacklist ${HOME}/.config/transmission
blacklist ${HOME}/.config/uGet
blacklist ${HOME}/.config/Gpredict
blacklist ${HOME}/.config/aweather
blacklist ${HOME}/.config/stellarium
blacklist ${HOME}/.config/atril
blacklist ${HOME}/.config/xreader
blacklist ${HOME}/.config/xviewer
blacklist ${HOME}/.config/libreoffice
blacklist ${HOME}/.config/pix
blacklist ${HOME}/.config/mate/eom
blacklist ${HOME}/.kde/share/apps/okular
blacklist ${HOME}/.kde/share/config/okularrc
blacklist ${HOME}/.kde/share/config/okularpartrc
blacklist ${HOME}/.kde/share/apps/gwenview
blacklist ${HOME}/.kde/share/config/gwenviewrc
blacklist ${HOME}/.config/qpdfview
blacklist ${HOME}/.config/Luminance
blacklist ${HOME}/.config/synfig
blacklist ${HOME}/.synfig
blacklist ${HOME}/.inkscape
blacklist ${HOME}/.gimp*
blacklist ${HOME}/.config/zathura
blacklist ${HOME}/.config/cherrytree
blacklist ${HOME}/.xpdfrc
blacklist ${HOME}/.openshot
blacklist ${HOME}/.openshot_qt
blacklist ${HOME}/.flowblade
blacklist ${HOME}/.config/flowblade
blacklist ${HOME}/.config/eog
# Media players
blacklist ${HOME}/.config/cmus
blacklist ${HOME}/.config/deadbeef
blacklist ${HOME}/.config/spotify
blacklist ${HOME}/.config/vlc
blacklist ${HOME}/.config/mpv
blacklist ${HOME}/.config/totem
blacklist ${HOME}/.config/xplayer
blacklist ${HOME}/.audacity-data
# HTTP / FTP / Mail
blacklist ${HOME}/.icedove
blacklist ${HOME}/.thunderbird
blacklist ${HOME}/.sylpheed-2.0
blacklist ${HOME}/.config/midori
blacklist ${HOME}/.mozilla
blacklist ${HOME}/.config/chromium
blacklist ${HOME}/.config/google-chrome
blacklist ${HOME}/.config/google-chrome-beta
blacklist ${HOME}/.config/google-chrome-unstable
blacklist ${HOME}/.config/opera
blacklist ${HOME}/.config/opera-beta
blacklist ${HOME}/.opera
blacklist ${HOME}/.config/vivaldi
blacklist ${HOME}/.filezilla
blacklist ${HOME}/.config/filezilla
blacklist ${HOME}/.dillo
blacklist ${HOME}/.conkeror.mozdev.org
blacklist ${HOME}/.config/epiphany
blacklist ${HOME}/.config/slimjet
blacklist ${HOME}/.config/qutebrowser
blacklist ${HOME}/.8pecxstudios
blacklist ${HOME}/.config/brave
blacklist ${HOME}/.config/inox
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist ${HOME}/.config/evolution
blacklist ${HOME}/.local/share/evolution
blacklist ${HOME}/.cache/evolution
# Instant Messaging
blacklist ${HOME}/.config/hexchat
blacklist ${HOME}/.mcabber
blacklist ${HOME}/.mcabberrc
blacklist ${HOME}/.purple
blacklist ${HOME}/.config/psi+
blacklist ${HOME}/.retroshare
blacklist ${HOME}/.weechat
blacklist ${HOME}/.config/xchat
blacklist ${HOME}/.Skype
blacklist ${HOME}/.config/skypeforlinux
blacklist ${HOME}/.config/tox
blacklist ${HOME}/.TelegramDesktop
blacklist ${HOME}/.config/Gitter
blacklist ${HOME}/.config/Franz
blacklist ${HOME}/.jitsi
blacklist ${HOME}/.config/Slack
blacklist ${HOME}/.cache/gajim
blacklist ${HOME}/.local/share/gajim
blacklist ${HOME}/.config/gajim
# Games
blacklist ${HOME}/.hedgewars
blacklist ${HOME}/.steam
blacklist ${HOME}/.config/wesnoth
blacklist ${HOME}/.config/0ad
blacklist ${HOME}/.warzone2100-3.1
blacklist ${HOME}/.dosbox
# Cryptocoins
blacklist ${HOME}/.*coin
blacklist ${HOME}/.electrum*
blacklist ${HOME}/wallet.dat
# git, subversion
blacklist ${HOME}/.subversion
blacklist ${HOME}/.gitconfig
blacklist ${HOME}/.git-credential-cache
# cache
blacklist ${HOME}/.cache/mozilla
blacklist ${HOME}/.cache/chromium
blacklist ${HOME}/.cache/google-chrome
blacklist ${HOME}/.cache/google-chrome-beta
blacklist ${HOME}/.cache/google-chrome-unstable
blacklist ${HOME}/.cache/opera
blacklist ${HOME}/.cache/opera-beta
blacklist ${HOME}/.cache/vivaldi
blacklist ${HOME}/.cache/epiphany
blacklist ${HOME}/.cache/slimjet
blacklist ${HOME}/.cache/qutebrowser
blacklist ${HOME}/.cache/spotify
blacklist ${HOME}/.cache/thunderbird
blacklist ${HOME}/.cache/icedove
blacklist ${HOME}/.cache/transmission
blacklist ${HOME}/.cache/wesnoth
blacklist ${HOME}/.cache/0ad
blacklist ${HOME}/.cache/8pecxstudios
blacklist ${HOME}/.cache/xreader
blacklist ${HOME}/.cache/Franz
# share
blacklist ${HOME}/.local/share/epiphany
blacklist ${HOME}/.local/share/mupen64plus
blacklist ${HOME}/.local/share/spotify
blacklist ${HOME}/.local/share/steam
blacklist ${HOME}/.local/share/wesnoth
blacklist ${HOME}/.local/share/0ad
blacklist ${HOME}/.local/share/xplayer
blacklist ${HOME}/.local/share/totem
blacklist ${HOME}/.local/share/psi+
blacklist ${HOME}/.local/share/pix
blacklist ${HOME}/.local/share/gnome-chess
blacklist ${HOME}/.local/share/qpdfview
blacklist ${HOME}/.local/share/zathura
# ssh
blacklist /tmp/ssh-*
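Review bot: `blacklist ${HOME}/.mutt/muttrc` is redundant with `blacklist ${HOME}/.mutt` on the line before it, and `.muttrc`, `.mutt/muttrc` and `.msmtprc` are also blacklisted in `disable-common.inc`; keep them in one place. `blacklist ${HOME}/.*coin` under `# Cryptocoins` is a broad glob (any dotfile in $HOME ending in `coin`), which is fine as a catch-all but deserves a comment naming what it is meant to cover so nobody narrows it later. The `# ssh` entry `blacklist /tmp/ssh-*` is agent-socket hygiene that arguably belongs in `disable-common.inc` next to `blacklist ${HOME}/.ssh`, since it protects the same credential.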


@ -0,0 +1,14 @@
# security profile for dnscrypt-proxy
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
private
private-dev
nosound
no3d
seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
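Review bot: `perf_event_open` is listed twice in the `seccomp.drop` line (after `lookup_dcookie` and again at the very end); drop one. The profile also has no capability or `nonewprivs` directive, unlike every other section; if dnscrypt-proxy needs to bind port 53 it still does not need the full default set, so something like `caps.keep net_bind_service` plus `nonewprivs` would be narrower — confirm against how it is started (root vs. a dedicated user). The dnsmasq section's bare `caps` has the same shape: a filtered default set where `caps.keep` with only the capabilities it actually uses would be tighter.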


@ -0,0 +1,17 @@
# dnsmasq profile
noblacklist /sbin
noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-devel.inc
caps
netfilter
nonewprivs
private
private-dev
nosound
no3d
protocol unix,inet,inet6,netlink
seccomp


@ -0,0 +1,21 @@
# Firejail profile for dosbox
noblacklist ~/.dosbox
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin dosbox
private-dev
private-tmp


@ -0,0 +1,21 @@
# dropbox profile
noblacklist ~/.config/autostart
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
mkdir ~/Dropbox
whitelist ~/Dropbox
mkdir ~/.dropbox
whitelist ~/.dropbox
mkdir ~/.dropbox-dist
whitelist ~/.dropbox-dist
mkfile ~/.config/autostart/dropbox.desktop
whitelist ~/.config/autostart/dropbox.desktop
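Review bot: `noblacklist ~/.config/autostart` together with `mkfile`/`whitelist ~/.config/autostart/dropbox.desktop` re-opens a path that `disable-common.inc` blocks under `# X11 session autostart` precisely because anything written there runs unsandboxed at the next login. Exposing a single file is better than the directory, but that file stays writable by the sandboxed process; if Dropbox only needs the entry to exist, follow the whitelist with `read-only ~/.config/autostart/dropbox.desktop`, and in any case add a comment stating the trade-off. `caps` (filtered default set) rather than `caps.drop all` also stands out for a user-level sync client — confirm which capability it needs.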


@ -0,0 +1,17 @@
# emacs profile
noblacklist ~/.emacs
noblacklist ~/.emacs.d
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
protocol unix,inet,inet6
seccomp
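Review bot: `noblacklist ~/.emacs` and `noblacklist ~/.emacs.d` lift blacklists, but `disable-common.inc` does not blacklist these paths — it marks them `read-only` under `# Initialization files that allow arbitrary command execution`, and `noblacklist` does not undo a `read-only`. As written, emacs inside the sandbox presumably cannot write under `~/.emacs.d` (package installs, `custom.el`, auto-save state); if that is meant to be allowed, the bitlbee profile shows the directive (`read-write /var/lib/bitlbee`), so `read-write ~/.emacs.d` may be what is needed — confirm that `read-write` overrides an earlier `read-only` from an include. If keeping the config read-only is the intended protection, replace the two `noblacklist` lines with a comment saying so.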


@ -0,0 +1,10 @@
# Empathy instant messaging profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
protocol unix,inet,inet6
seccomp
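Review bot: `noroot` is missing: empathy and epiphany are the only GUI profiles in this commit that set `caps.drop all`, `nonewprivs` and `seccomp` without it, so the sandbox keeps the real root user namespace. Add `noroot` after `nonewprivs` in both sections unless there is a known breakage, in which case record it in a comment.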


@ -0,0 +1,23 @@
# eog (gnome image viewer) profile
noblacklist ~/.config/eog
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
protocol unix
seccomp
shell none
private-bin eog
private-dev
private-etc fonts
private-tmp


@ -0,0 +1,21 @@
# Firejail profile for Eye of Mate (eom)
noblacklist ~/.config/mate/eom
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin eom
private-dev
private-tmp


@ -0,0 +1,23 @@
# Epiphany browser profile
noblacklist ${HOME}/.config/epiphany
noblacklist ${HOME}/.cache/epiphany
noblacklist ${HOME}/.local/share/epiphany
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
whitelist ${DOWNLOADS}
mkdir ${HOME}/.local/share/epiphany
whitelist ${HOME}/.local/share/epiphany
mkdir ${HOME}/.config/epiphany
whitelist ${HOME}/.config/epiphany
mkdir ${HOME}/.cache/epiphany
whitelist ${HOME}/.cache/epiphany
include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
nonewprivs
protocol unix,inet,inet6
seccomp


@ -0,0 +1,18 @@
# evince pdf reader profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin evince,evince-previewer,evince-thumbnailer
private-dev


@ -0,0 +1,25 @@
# evolution profile
noblacklist ~/.config/evolution
noblacklist ~/.local/share/evolution
noblacklist ~/.cache/evolution
noblacklist ~/.pki
noblacklist ~/.pki/nssdb
noblacklist ~/.gnupg
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp


@ -0,0 +1,21 @@
# fbreader ebook reader profile
noblacklist ${HOME}/.FBReader
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
private-bin fbreader,FBReader
whitelist /tmp/.X11-unix
private-dev
nosound
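Review bot: `nosound` appears twice (after `noroot` and again as the last line); drop one. The filezilla section has the same duplicated `nosound` at its end. `whitelist /tmp/.X11-unix` in both profiles works, but the rest of the commit expresses the same intent as `private-tmp`; if that directive keeps the X socket reachable as I believe it does, using it here would be more uniform — confirm before switching.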


@ -0,0 +1,21 @@
# feh image viewer profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
seccomp
protocol unix
netfilter
net none
nonewprivs
noroot
nogroups
nosound
shell none
private-bin feh
whitelist /tmp/.X11-unix
private-dev
private-etc feh
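Review bot: `netfilter` and `net none` on consecutive lines contradict each other: `net none` gives the sandbox an empty network namespace, so there is no traffic for the netfilter rules to apply to. Keep `net none` (an image viewer needs no network) and drop `netfilter`. `private-etc feh` also limits /etc to feh's own directory and leaves out `fonts`; if text rendering in feh goes through fontconfig, `private-etc feh,fonts` — compare eog's `private-etc fonts` — may be needed.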


@ -0,0 +1,16 @@
# file profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-bin file
private-etc magic.mgc,magic,localtime
hostname file
private-dev
nosound
no3d
blacklist /tmp/.X11-unix


@ -0,0 +1,22 @@
# FileZilla ftp profile
noblacklist ${HOME}/.filezilla
noblacklist ${HOME}/.config/filezilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
whitelist /tmp/.X11-unix
private-dev
nosound


@ -0,0 +1,2 @@
# Firejail profile for Mozilla Firefox ESR
include /etc/firejail/firefox.profile


@ -0,0 +1,50 @@
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse


@ -0,0 +1,81 @@
# This is Firejail system-wide configuration file, see firejail-config(5) for
# more information. The file contains keyword-argument pairs, one per line.
# Most features are enabled by default. Use 'yes' or 'no' as configuration
# values.
# Enable or disable bind support, default enabled.
# bind yes
# Enable or disable chroot support, default enabled.
# chroot yes
# Use chroot for desktop programs, default enabled. The sandbox will have full
# access to system's /dev directory in order to allow video acceleration,
# and it will harden the rest of the chroot tree.
# chroot-desktop yes
# Enable or disable file transfer support, default enabled.
# file-transfer yes
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
# force-nonewprivs no
# Enable or disable networking features, default enabled.
# network yes
# Enable or disable overlayfs features, default enabled.
# overlayfs yes
# Remove /usr/local directories from private-bin list, default disabled.
# private-bin-no-local no
# Enable or disable private-home feature, default enabled
# private-home yes
# Enable --quiet as default every time the sandbox is started. Default disabled.
# quiet-by-default no
# Remount /proc and /sys inside the sandbox, default enabled.
# remount-proc-sys yes
# Enable or disable restricted network support, default disabled. If enabled,
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
# restricted-network no
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
# configuration entry allows the user to change the default by specifying
# a file containing the filter configuration. The filter file format is the
# format of iptables-save and iptable-restore commands. Example:
# netfilter-default /etc/iptables.iptables.rules
# Enable or disable seccomp support, default enabled.
# seccomp yes
# Enable or disable user namespace support, default enabled.
# userns yes
# Enable or disable whitelisting support, default enabled.
# whitelist yes
# Enable or disable X11 sandboxing support, default enabled.
# x11 yes
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
# xephyr-screen 640x480
# xephyr-screen 800x600
# xephyr-screen 1024x768
# xephyr-screen 1280x1024
# Firejail window title in Xephyr, default enabled.
# xephyr-window-title yes
# Xephyr command extra parameters. None by default, and the declaration is commented out.
# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
# xephyr-extra-params -grayscale
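Review bot: `iptable-restore` on L1387 should read `iptables-restore`. The header's `Use 'yes' or 'no' as configuration values` (L1349-L1350) does not hold for `netfilter-default`, `xephyr-screen` and `xephyr-extra-params`, which take a file path, a resolution and raw Xephyr arguments; a wording such as `# Boolean features take 'yes' or 'no'; other entries document their own argument format below.` avoids the mismatch.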


@ -0,0 +1,39 @@
# SlimJet browser profile
# This is a whitelisted profile, the internal browser sandbox
# is disabled because it requires sudo password. The command
# to run it is as follows:
#
# firejail flashpeak-slimjet --no-sandbox
#
noblacklist ~/.config/slimjet
noblacklist ~/.cache/slimjet
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
whitelist ${DOWNLOADS}
mkdir ~/.config/slimjet
whitelist ~/.config/slimjet
mkdir ~/.cache/slimjet
whitelist ~/.cache/slimjet
mkdir ~/.pki
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
include /etc/firejail/whitelist-common.inc
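Review bot: With the browser launched via `--no-sandbox` (L1417) this profile is the only isolation layer for the renderer, yet it omits `shell none`, `private-dev`, `private-tmp`, `nosound` and `tracelog` that comparable profiles here set (gitter L1583-L1586, gpredict L1756-L1760). Adding them, if SlimJet still runs with them, narrows what a compromised renderer can reach; the commented `disable-devel.inc` (L1423-L1424) at least carries a reason. The header would also help readers if it stated the consequence, e.g. `# with --no-sandbox the renderer has no process isolation of its own; this profile is the only barrier`.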


@ -0,0 +1,13 @@
# OpenShot profile
noblacklist ${HOME}/.flowblade
noblacklist ${HOME}/.config/flowblade
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
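Review bot: The header `# OpenShot profile` (L1450) does not match the body, which reopens `${HOME}/.flowblade` and `${HOME}/.config/flowblade` (L1451-L1452) and never mentions an OpenShot directory. Either the header is a copy-paste leftover and should read `# Flowblade profile`, or the paths are wrong for the program the file is named after; which one depends on the file name, which this page does not show. Compared to siblings the profile also lacks `shell none`, `private-dev` and `private-tmp`.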


@ -0,0 +1,24 @@
# Franz profile
noblacklist ~/.config/Franz
noblacklist ~/.cache/Franz
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
seccomp
protocol unix,inet,inet6,netlink
netfilter
#tracelog
nonewprivs
noroot
whitelist ${DOWNLOADS}
mkdir ~/.config/Franz
whitelist ~/.config/Franz
mkdir ~/.cache/Franz
whitelist ~/.cache/Franz
mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc


@ -0,0 +1,33 @@
# Firejail profile for Gajim
mkdir ${HOME}/.cache/gajim
mkdir ${HOME}/.local/share/gajim
mkdir ${HOME}/.config/gajim
mkdir ${HOME}/Downloads
# Allow the local python 2.7 site packages, in case any plugins are using these
mkdir ${HOME}/.local/lib/python2.7/site-packages/
whitelist ${HOME}/.local/lib/python2.7/site-packages/
read-only ${HOME}/.local/lib/python2.7/site-packages/
whitelist ${HOME}/.cache/gajim
whitelist ${HOME}/.local/share/gajim
whitelist ${HOME}/.config/gajim
whitelist ${HOME}/Downloads
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
protocol unix,inet,inet6
seccomp
shell none
#private-bin python2.7 gajim
private-dev
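Review bot: `mkdir`/`whitelist`/`read-only` on `${HOME}/.local/lib/python2.7/site-packages/` (L1497-L1499) imports every user-installed Python package into the sandbox, so code dropped there by any process outside the sandbox is loaded by gajim; `read-only` stops gajim from writing it, not from executing it. Stating that trade-off next to `# Allow the local python 2.7 site packages` and, if gajim has a dedicated plugin directory, narrowing the whitelist to it would be tighter. Unlike hexchat (L1856 with L1873), the whitelisted gajim directories are never `noblacklist`ed; if disable-programs.inc lists them, the blacklist/whitelist evaluation order decides whether they remain visible — worth confirming.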


@ -0,0 +1,18 @@
# gimp
noblacklist ${HOME}/.gimp*
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix
seccomp
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
nogroups
nosound
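Review bot: `netfilter` (L1528) only takes effect when the sandbox gets its own network namespace (a `--net=` option), so next to `protocol unix` (L1531) it adds no restriction here; if gimp needs no networking, `net none` expresses the intent and enforces it, otherwise the line can simply go. The same pairing occurs in inkscape (L1958 with L1961), luminance-hdr (L2218-L2219), keepassx (L2051 with L2053) and mupdf (L2321 with L2323). `noblacklist ${HOME}/.gimp*` (L1523) relies on the profile parser expanding a glob — worth confirming, since a literal match would leave the versioned `.gimp-2.x` directories blacklisted.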


@ -0,0 +1,26 @@
# git profile
quiet
noblacklist ~/.gitconfig
noblacklist ~/.ssh
noblacklist ~/.gnupg
noblacklist ~/.emacs
noblacklist ~/.emacs.d
noblacklist ~/.viminfo
noblacklist ~/.vim
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
nogroups
nosound
protocol unix,inet,inet6
seccomp
shell none
private-dev
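Review bot: `noblacklist ~/.ssh` and `noblacklist ~/.gnupg` (L1546-L1547) expose the user's private SSH keys and GPG keyring read-write to a process that also has `protocol unix,inet,inet6` (L1561); anything git executes (hooks, filters, credential helpers, the editor) runs with that access. `read-only ~/.ssh` would at least prevent key replacement while still allowing authentication; `~/.gnupg` is less clear-cut since gpg writes lock and trust files there. A one-line comment naming why `~/.emacs`, `~/.vim` and `~/.viminfo` are reopened (presumably the commit-message editor) would also help.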


@ -0,0 +1,20 @@
# Firejail profile for Gitter
noblacklist ~/.config/Gitter
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6,netlink
seccomp
shell none
private-bin gitter
private-dev
private-tmp


@ -0,0 +1,22 @@
# Firejail profile for gnome-chess
noblacklist /.local/share/gnome-chess
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin fairymax,gnome-chess,hoichess
private-dev
private-etc fonts,gnome-chess
private-tmp
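Review bot: `noblacklist /.local/share/gnome-chess` (L1592) is an absolute path under the filesystem root, not under the user's home, so if disable-programs.inc blacklists the data directory it stays hidden and saved games are unreachable; it should read `noblacklist ~/.local/share/gnome-chess`, matching the `~/` form the other profiles use.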


@ -0,0 +1,17 @@
# GNOME MPlayer profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
shell none
private-bin gnome-mplayer
private-dev
private-tmp
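Review bot: `private-bin gnome-mplayer` (L1626) builds a /bin holding only the front-end; gnome-mplayer is a GTK front-end that spawns an external mplayer binary for playback, so inside this sandbox playback would presumably fail unless that binary is listed too (`private-bin gnome-mplayer,mplayer`) — confirm with a real run. The profile also never `noblacklist`s or whitelists `~/.config/gnome-mplayer`, which the firefox profile (L1326) treats as the program's config directory.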


@ -0,0 +1,27 @@
# Google Chrome beta browser profile
noblacklist ~/.config/google-chrome-beta
noblacklist ~/.cache/google-chrome-beta
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
netfilter
whitelist ${DOWNLOADS}
mkdir ~/.config/google-chrome-beta
whitelist ~/.config/google-chrome-beta
mkdir ~/.cache/google-chrome-beta
whitelist ~/.cache/google-chrome-beta
mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
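Review bot: None of `caps.drop all`, `nonewprivs`, `noroot` or `seccomp` appears in this profile, so the sandboxed browser keeps every capability and can still gain privileges through setuid binaries; the likely reason is Chrome's own setuid sandbox helper, which `nonewprivs` and an empty capability bounding set would break, but the profile does not say so even though it explains why `disable-devel.inc` is skipped (L1638-L1639). A comment such as `# caps.drop/nonewprivs/seccomp omitted: they break the browser's setuid sandbox helper - TODO revisit` records the trade-off, and `seccomp` on its own is worth testing separately. The same layout is in google-chrome-unstable (L1666-L1688), google-chrome (L1693-L1715) and inox (L1973-L1992).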


@ -0,0 +1,2 @@
# Google Chrome browser profile
include /etc/firejail/google-chrome.profile


@ -0,0 +1,27 @@
# Google Chrome unstable browser profile
noblacklist ~/.config/google-chrome-unstable
noblacklist ~/.cache/google-chrome-unstable
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
netfilter
whitelist ${DOWNLOADS}
mkdir ~/.config/google-chrome-unstable
whitelist ~/.config/google-chrome-unstable
mkdir ~/.cache/google-chrome-unstable
whitelist ~/.cache/google-chrome-unstable
mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass


@ -0,0 +1,28 @@
# Google Chrome browser profile
noblacklist ~/.config/google-chrome
noblacklist ~/.cache/google-chrome
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
# chromium is distributed with a perl script on Arch
# include /etc/firejail/disable-devel.inc
#
netfilter
whitelist ${DOWNLOADS}
mkdir ~/.config/google-chrome
whitelist ~/.config/google-chrome
mkdir ~/.cache/google-chrome
whitelist ~/.cache/google-chrome
mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass


@ -0,0 +1,18 @@
# Google Play Music desktop player profile
noblacklist ~/.config/Google Play Music Desktop Player
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
netfilter
protocol unix,inet,inet6,netlink
seccomp
#whitelist ~/.pulse
#whitelist ~/.config/pulse
whitelist ~/.config/Google Play Music Desktop Player
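Review bot: `whitelist ~/.config/Google Play Music Desktop Player` (L1734) has no preceding `mkdir`, unlike the other whitelist profiles here (e.g. Franz L1480-L1481); if the directory does not exist at first launch the whitelist entry is dropped and the player cannot persist its settings. The unquoted spaces in the path (L1721, L1734) also rely on the profile parser taking the remainder of the line as the path — worth confirming. The commented `#whitelist ~/.pulse` and `#whitelist ~/.config/pulse` lines (L1732-L1733) carry no explanation; either drop them or state what they are for.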


@ -0,0 +1,25 @@
# Firejail profile for gpredict.
noblacklist ~/.config/Gpredict
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelist
mkdir ~/.config/Gpredict
whitelist ~/.config/Gpredict
caps.drop all
netfilter
nonewprivs
nogroups
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-bin gpredict
private-dev
private-tmp


@ -0,0 +1,3 @@
# gtar profile
quiet
include /etc/firejail/tar.profile


@ -0,0 +1,21 @@
# gthumb profile
noblacklist ${HOME}/.config/gthumb
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
shell none
tracelog
private-bin gthumb
whitelist /tmp/.X11-unix
private-dev


@ -0,0 +1,21 @@
# KDE gwenview profile
noblacklist ~/.kde/share/apps/gwenview
noblacklist ~/.kde/share/config/gwenviewrc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nonewprivs
noroot
nogroups
private-dev
protocol unix
seccomp
nosound
#Experimental:
#shell none
#private-bin gwenview
#private-etc X11


@ -0,0 +1,12 @@
# gzip profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
blacklist /tmp/.X11-unix
private-dev
nosound
no3d


@ -0,0 +1,22 @@
# whitelist profile for Hedgewars (game)
noblacklist ${HOME}/.hedgewars
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
seccomp
tracelog
private-dev
private-tmp
mkdir ~/.hedgewars
whitelist ~/.hedgewars
include /etc/firejail/whitelist-common.inc
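Review bot: This profile sets no `protocol` line, so the game may open any socket family, including netlink and packet sockets, even though the other networked profiles in this commit restrict to `protocol unix,inet,inet6` (e.g. gpredict L1754). Adding `protocol unix,inet,inet6` after `noroot` matches the siblings; `shell none` is also absent here.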


@ -0,0 +1,28 @@
# HexChat instant messaging profile
# Currently in testing (may not work for all users)
noblacklist ${HOME}/.config/hexchat
#noblacklist /usr/lib/python2*
#noblacklist /usr/lib/python3*
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
shell none
tracelog
mkdir ~/.config/hexchat
whitelist ~/.config/hexchat
include /etc/firejail/whitelist-common.inc
private-bin hexchat
#debug note: private-bin requires perl, python, etc on some systems
private-dev
private-tmp


@ -0,0 +1,51 @@
# Firejail profile for GNU Icecat
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
whitelist ${DOWNLOADS}
mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/icecat
whitelist ~/.cache/mozilla/icecat
whitelist ~/dwhelper
whitelist ~/.zotero
whitelist ~/.vimperatorrc
whitelist ~/.vimperator
whitelist ~/.pentadactylrc
whitelist ~/.pentadactyl
whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
whitelist ~/.config/pipelight-widevine
whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse


@ -0,0 +1,18 @@
# Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
# Users have icedove set to open a browser by clicking a link in an email
# We are not allowed to blacklist browser-specific directories
noblacklist ~/.gnupg
mkdir ~/.gnupg
whitelist ~/.gnupg
noblacklist ~/.icedove
mkdir ~/.icedove
whitelist ~/.icedove
noblacklist ~/.cache/icedove
mkdir ~/.cache/icedove
whitelist ~/.cache/icedove
include /etc/firejail/firefox.profile
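Review bot: `include /etc/firejail/firefox.profile` (L1941) pulls the whole browser whitelist into the mail client — download helper, vimperator, pipelight/Silverlight and the password-manager directories (L1319-L1339) — which is far more than a mail reader needs, on top of read-write `~/.gnupg` (L1932-L1934), which gpg does require. The header (L1930-L1931) explains the reason only indirectly; `# links clicked in mail open the browser inside this sandbox, so browser directories must stay reachable` states it plainly. Whether the Firefox whitelists beyond `~/.mozilla` are needed for that link-opening case is worth checking.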


@ -0,0 +1,2 @@
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
include /etc/firejail/firefox.profile


@ -0,0 +1,18 @@
# inkscape
noblacklist ${HOME}/.inkscape
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix
seccomp
private-dev
private-tmp
noexec ${HOME}
noexec /tmp
nogroups
nosound


@ -0,0 +1,24 @@
# Inox browser profile
noblacklist ~/.config/inox
noblacklist ~/.cache/inox
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
netfilter
whitelist ${DOWNLOADS}
mkdir ~/.config/inox
whitelist ~/.config/inox
mkdir ~/.cache/inox
whitelist ~/.cache/inox
mkdir ~/.pki
whitelist ~/.pki
# lastpass, keepassx
whitelist ~/.keepassx
whitelist ~/.config/keepassx
whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
include /etc/firejail/whitelist-common.inc


@ -0,0 +1,17 @@
# Firejail profile for jitsi
noblacklist ~/.jitsi
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
nonewprivs
nogroups
noroot
protocol unix,inet,inet6
seccomp
shell none
tracelog
private-tmp


@ -0,0 +1,22 @@
# keepass password manager profile
noblacklist ${HOME}/.config/keepass
noblacklist ${HOME}/.keepass
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix,inet,inet6
seccomp
netfilter
shell none
private-tmp
private-dev
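Review bot: A password-manager profile with `protocol unix,inet,inet6` (L2028) leaves the vault process with network access; `net none` would be the least-privilege default unless KeePass's update check or plugins genuinely need it, in which case a comment saying so would help. `netfilter` (L2030) on its own does nothing unless the sandbox has its own network namespace, so it does not constrain that traffic. keepassx (L2038-L2056) already takes the tighter `protocol unix` route, so the two profiles disagree on the same question.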


@ -0,0 +1,23 @@
# keepassx password manager profile
noblacklist ${HOME}/.config/keepassx
noblacklist ${HOME}/.keepassx
noblacklist ${HOME}/keepassx.kdbx
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
netfilter
shell none
private-tmp
private-dev


@ -0,0 +1,19 @@
# kmail profile
noblacklist ${HOME}/.gnupg
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
nogroups
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
private-dev
private-tmp


@ -0,0 +1,15 @@
# Firejail konversation profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
noroot
seccomp
protocol unix,inet,inet6
private-tmp
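Review bot: `nonewprivs` is missing from this profile (L2086-L2092) although nearly every other profile in this commit that sets `caps.drop all` pairs it with `nonewprivs`; without it a setuid binary reachable from the IRC client can regain privileges. Add `nonewprivs` after `nogroups`. `shell none`, `private-dev` and `tracelog` are also absent compared to hexchat (L1870-L1877).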


@ -0,0 +1,9 @@
# less profile
quiet
ignore noroot
include /etc/firejail/default.profile
tracelog
net none
shell none
private-dev
nosound


@ -0,0 +1,19 @@
# Firejail profile for LibreOffice
noblacklist ~/.config/libreoffice
noblacklist /usr/local/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nogroups
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
tracelog
private-dev
# whitelist /tmp/.X11-unix/
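Review bot: `noblacklist /usr/local/sbin` (L2112) reopens an entire directory of administrative binaries with no comment on which program in it LibreOffice needs; a note such as `# /usr/local/sbin: needed for <program> on <distro>` (filled in from whatever report prompted it) or a narrower path would keep the intent reviewable. The commented `# whitelist /tmp/.X11-unix/` (L2126) likewise gives no reason for being disabled.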


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,14 @@
# /etc/firejail/login.users - restricted user shell configuration
#
# Each user entry consists of a user name and firejail
# program arguments:
#
# user name: arguments
#
# For example:
#
# netblue:--net=none --protocol=unix
#
# The extra arguments are inserted into program command line if firejail
# was started as a login shell.


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,5 @@
################################
# LibreOffice profile
################################
include /etc/firejail/libreoffice.profile


@ -0,0 +1,21 @@
# luminance-hdr
noblacklist ${HOME}/.config/Luminance
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
protocol unix
nonewprivs
noroot
seccomp
shell none
tracelog
private-tmp
private-dev
noexec ${HOME}
noexec /tmp
nogroups
nosound
ipc-namespace


@ -0,0 +1,11 @@
# lxterminal (LXDE) profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
protocol unix,inet,inet6
seccomp
#noroot - somehow this breaks on Debian Jessie!
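Review bot: `nonewprivs` is absent and `noroot` is commented out with `somehow this breaks on Debian Jessie!` (L2244), which leaves a terminal whose child shells can still reach setuid binaries; if the omission is so that users can run `sudo`/`su` from the terminal, a comment saying that is more useful than the current one, and if it is the Jessie issue, a reference to the report would let it be retried later. `shell none` and `private-dev` are also absent here while most siblings set them.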


@ -0,0 +1,2 @@
# Mathematica profile
include /etc/firejail/Mathematica.profile


@ -0,0 +1,21 @@
# mcabber profile
noblacklist ${HOME}/.mcabber
noblacklist ${HOME}/.mcabberrc
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol inet,inet6
seccomp
private-bin mcabber
private-etc null
private-dev
shell none
nosound
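Review bot: `private-etc null` (L2269) names a file that does not normally exist under /etc, so unless firejail rejects the entry outright the sandbox is left with an effectively empty /etc — no `resolv.conf`, `nsswitch.conf`, `hosts` or CA certificate store — and an XMPP client then cannot resolve its server or verify its TLS certificate, which pushes users towards disabling verification to make it work. Something like `private-etc resolv.conf,nsswitch.conf,hosts,ssl,ca-certificates` is the usual minimum, with the exact names depending on the distribution. `protocol inet,inet6` (L2266) also drops `unix`, which is fine only if mcabber uses no local sockets (e.g. for notifications) — worth confirming.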


@ -0,0 +1,13 @@
# Midori browser profile
noblacklist ${HOME}/.config/midori
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
# noroot - noroot break midori on Ubuntu 14.04
protocol unix,inet,inet6
seccomp


@ -0,0 +1,18 @@
# mpv media player profile
noblacklist ${HOME}/.config/mpv
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
# to test
shell none
private-bin mpv,youtube-dl,python2.7
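Review bot: `# to test` (L2304) says nothing about what is untested or which failure to watch for; `# to test: whether shell none/private-bin break youtube-dl playback` — or whatever the real concern is — would let the next person close it. `private-bin mpv,youtube-dl,python2.7` (L2306) also carries a full Python interpreter into the sandbox, so `private-bin` here mainly hides unrelated binaries rather than removing scripting capability; that is acceptable for a youtube-dl user, but worth stating in a comment.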


@ -0,0 +1,29 @@
# mupdf reader profile
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
nogroups
nonewprivs
noroot
nosound
protocol unix
seccomp
netfilter
shell none
tracelog
private-tmp
private-dev
private-etc fonts
# mupdf will never write anything
read-only ${HOME}
#
# Experimental:
#
#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
# private-bin mupdf,sh,tempfile,rm


@ -0,0 +1,20 @@
# mupen64plus profile
# manually whitelist ROM files
noblacklist ${HOME}/.config/mupen64plus
noblacklist ${HOME}/.local/share/mupen64plus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
mkdir ${HOME}/.local/share/mupen64plus
whitelist ${HOME}/.local/share/mupen64plus/
mkdir ${HOME}/.config/mupen64plus
whitelist ${HOME}/.config/mupen64plus/
caps.drop all
net none
nonewprivs
noroot
seccomp
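Review bot: The whitelist entries carry a trailing slash (`${HOME}/.local/share/mupen64plus/`, L2349 and L2351) while the matching `mkdir` lines do not; whether the profile parser normalises that is worth confirming, and dropping the slash matches every other profile here. The profile also omits `include /etc/firejail/whitelist-common.inc`, `shell none`, `private-dev` and `private-tmp` that the other whitelisted profiles carry (e.g. hedgewars L1845-L1849), while `net none` (L2353) is a good fit for an emulator that is fed local ROM files.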
