51x 3 years ago
parent
commit
777ae32ba6
  1. 31
      firejail_profiles/0ad.profile
  2. 9
      firejail_profiles/7z.profile
  3. 3
      firejail_profiles/Cyberfox.profile
  4. 20
      firejail_profiles/Mathematica.profile
  5. 2
      firejail_profiles/Telegram.profile
  6. 50
      firejail_profiles/abrowser.profile
  7. 20
      firejail_profiles/atom-beta.profile
  8. 20
      firejail_profiles/atom.profile
  9. 21
      firejail_profiles/atril.profile
  10. 11
      firejail_profiles/audacious.profile
  11. 21
      firejail_profiles/audacity.profile
  12. 25
      firejail_profiles/aweather.profile
  13. 14
      firejail_profiles/bitlbee.profile
  14. 18
      firejail_profiles/brave.profile
  15. 19
      firejail_profiles/cherrytree.profile
  16. 2
      firejail_profiles/chromium-browser.profile
  17. 31
      firejail_profiles/chromium.profile
  18. 24
      firejail_profiles/claws-mail.profile
  19. 11
      firejail_profiles/clementine.profile
  20. 18
      firejail_profiles/cmus.profile
  21. 24
      firejail_profiles/conkeror.profile
  22. 12
      firejail_profiles/corebird.profile
  23. 21
      firejail_profiles/cpio.profile
  24. 50
      firejail_profiles/cyberfox.profile
  25. 13
      firejail_profiles/deadbeef.profile
  26. 15
      firejail_profiles/default.profile
  27. 20
      firejail_profiles/deluge.profile
  28. 23
      firejail_profiles/dillo.profile
  29. 177
      firejail_profiles/disable-common.inc
  30. 66
      firejail_profiles/disable-devel.inc
  31. 10
      firejail_profiles/disable-passwdmgr.inc
  32. 167
      firejail_profiles/disable-programs.inc
  33. 14
      firejail_profiles/dnscrypt-proxy.profile
  34. 17
      firejail_profiles/dnsmasq.profile
  35. 21
      firejail_profiles/dosbox.profile
  36. 21
      firejail_profiles/dropbox.profile
  37. 17
      firejail_profiles/emacs.profile
  38. 10
      firejail_profiles/empathy.profile
  39. 23
      firejail_profiles/eog.profile
  40. 21
      firejail_profiles/eom.profile
  41. 23
      firejail_profiles/epiphany.profile
  42. 18
      firejail_profiles/evince.profile
  43. 25
      firejail_profiles/evolution.profile
  44. 21
      firejail_profiles/fbreader.profile
  45. 21
      firejail_profiles/feh.profile
  46. 16
      firejail_profiles/file.profile
  47. 22
      firejail_profiles/filezilla.profile
  48. 2
      firejail_profiles/firefox-esr.profile
  49. 50
      firejail_profiles/firefox.profile
  50. 81
      firejail_profiles/firejail.config
  51. 39
      firejail_profiles/flashpeak-slimjet.profile
  52. 13
      firejail_profiles/flowblade.profile
  53. 24
      firejail_profiles/franz.profile
  54. 33
      firejail_profiles/gajim.profile
  55. 18
      firejail_profiles/gimp.profile
  56. 26
      firejail_profiles/git.profile
  57. 20
      firejail_profiles/gitter.profile
  58. 22
      firejail_profiles/gnome-chess.profile
  59. 17
      firejail_profiles/gnome-mplayer.profile
  60. 27
      firejail_profiles/google-chrome-beta.profile
  61. 2
      firejail_profiles/google-chrome-stable.profile
  62. 27
      firejail_profiles/google-chrome-unstable.profile
  63. 28
      firejail_profiles/google-chrome.profile
  64. 18
      firejail_profiles/google-play-music-desktop-player.profile
  65. 25
      firejail_profiles/gpredict.profile
  66. 3
      firejail_profiles/gtar.profile
  67. 21
      firejail_profiles/gthumb.profile
  68. 21
      firejail_profiles/gwenview.profile
  69. 12
      firejail_profiles/gzip.profile
  70. 22
      firejail_profiles/hedgewars.profile
  71. 28
      firejail_profiles/hexchat.profile
  72. 51
      firejail_profiles/icecat.profile
  73. 18
      firejail_profiles/icedove.profile
  74. 2
      firejail_profiles/iceweasel.profile
  75. 18
      firejail_profiles/inkscape.profile
  76. 24
      firejail_profiles/inox.profile
  77. 17
      firejail_profiles/jitsi.profile
  78. 22
      firejail_profiles/keepass.profile
  79. 23
      firejail_profiles/keepassx.profile
  80. 19
      firejail_profiles/kmail.profile
  81. 15
      firejail_profiles/konversation.profile
  82. 9
      firejail_profiles/less.profile
  83. 19
      firejail_profiles/libreoffice.profile
  84. 5
      firejail_profiles/localc.profile
  85. 5
      firejail_profiles/lodraw.profile
  86. 5
      firejail_profiles/loffice.profile
  87. 5
      firejail_profiles/lofromtemplate.profile
  88. 14
      firejail_profiles/login.users
  89. 5
      firejail_profiles/loimpress.profile
  90. 5
      firejail_profiles/lomath.profile
  91. 5
      firejail_profiles/loweb.profile
  92. 5
      firejail_profiles/lowriter.profile
  93. 21
      firejail_profiles/luminance-hdr.profile
  94. 11
      firejail_profiles/lxterminal.profile
  95. 2
      firejail_profiles/mathematica.profile
  96. 21
      firejail_profiles/mcabber.profile
  97. 13
      firejail_profiles/midori.profile
  98. 18
      firejail_profiles/mpv.profile
  99. 29
      firejail_profiles/mupdf.profile
  100. 20
      firejail_profiles/mupen64plus.profile

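--- a/firejail_profiles/0ad.profile
+++ b/firejail_profiles/0ad.profile
+# Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
+noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelists
+mkdir ~/.cache/0ad
+whitelist ~/.cache/0ad
+mkdir ~/.config/0ad
+whitelist ~/.config/0ad
+mkdir ~/.local/share/0ad
+whitelist ~/.local/share/0ad
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-dev
+private-tmp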

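--- a/firejail_profiles/7z.profile
+++ b/firejail_profiles/7z.profile
@@ -0,0 +1,9 @@
+# 7zip crompression tool profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound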
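Review bot: `ignore noroot` on line 3 silently discards the `noroot` that the included `default.profile` sets, and nothing in the file says why; an archive extractor is exactly the tool that gets fed untrusted input, so keeping uid 0 inside the sandbox deserves a stated reason. If it exists so that 7z can be run by root to preserve ownership on extraction, record that next to the line: `ignore noroot  # allow running as root so extracted file ownership is preserved`; otherwise delete it. `disable-devel.inc` is also not included here, unlike most sibling profiles in this commit, which is worth a comment if intentional. The header typo `crompression` should read `compression`.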

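--- a/firejail_profiles/Cyberfox.profile
+++ b/firejail_profiles/Cyberfox.profile
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+include /etc/firejail/cyberfox.profile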

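--- a/firejail_profiles/Mathematica.profile
+++ b/firejail_profiles/Mathematica.profile
+# Mathematica profile
+noblacklist ${HOME}/.Mathematica
+noblacklist ${HOME}/.Wolfram Research
+mkdir ~/.Mathematica
+whitelist ~/.Mathematica
+mkdir ~/.Wolfram Research
+whitelist ~/.Wolfram Research
+whitelist ~/Documents/Wolfram Mathematica
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+noroot
+seccomp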
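Review bot: There is no `protocol` line and no `netfilter`, so every socket family (netlink and packet included) stays reachable, whereas every other GUI profile in this commit sets at least `protocol unix,inet,inet6`; add `protocol unix,inet,inet6` and `netfilter` after `caps.drop all`. `whitelist ~/Documents/Wolfram Mathematica` has no matching `mkdir`, unlike the two whitelists above it, so on a fresh home the path may not exist when the whitelist is applied — pair it with `mkdir` as the siblings do, or comment that it is optional. A short note on why `~/.Wolfram Research` (the path with the embedded space that `disable-programs.inc` hides for everyone else) must be writable would also help the next reader.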

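--- a/firejail_profiles/Telegram.profile
+++ b/firejail_profiles/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile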
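Review bot: The header calls this a `Telegram IRC profile`, but Telegram is not an IRC client and the file is only an alias for `telegram.profile`. Reword it to match the other alias files in this commit (`Cyberfox.profile`, `chromium-browser.profile`), e.g. `# Firejail profile for Telegram (alias of telegram.profile)`.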

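--- a/firejail_profiles/abrowser.profile
+++ b/firejail_profiles/abrowser.profile
+# Firejail profile for Abrowser
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/abrowser
+whitelist ~/.cache/mozilla/abrowser
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse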
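Review bot: `whitelist ~/keepassx.kdbx` under `# lastpass, keepassx` has no matching `noblacklist`, while the included `disable-common.inc` blacklists `${HOME}/*.kdbx`; the profile's own `.mozilla` and `.cache/mozilla` entries show the idiom needed for a path an include hides (`noblacklist` first, then `whitelist`), so as written this line is either dead or relies on ordering that the rest of the file does not. Decide which is meant: add `noblacklist ~/keepassx.kdbx` above it, or drop the whitelist so the profile does not advertise access to a password database it cannot reach. Either way, a comment that this profile deliberately omits `disable-passwdmgr.inc` so in-browser password managers (and `~/.pki`, the NSS client-certificate store) keep working would make a real widening visible to whoever audits it later.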

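--- a/firejail_profiles/atom-beta.profile
+++ b/firejail_profiles/atom-beta.profile
+# Firejail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp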
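Review bot: This file is a line-for-line copy of `atom.profile`, and the commit already uses a one-line alias for other variants (`Cyberfox.profile`, `chromium-browser.profile`); replacing the body with `include /etc/firejail/atom.profile` keeps the two from drifting when one is later hardened. The same case mismatch as in `atom.profile` applies: `noblacklist ~/.atom` corresponds to nothing in `disable-programs.inc`, which only blacklists `${HOME}/.Atom`, so fixing the include file fixes both.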

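--- a/firejail_profiles/atom.profile
+++ b/firejail_profiles/atom.profile
+# Firejail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+private-dev
+private-tmp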
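Review bot: `noblacklist ~/.atom` on line 2 has no blacklist to undo: `disable-programs.inc` hides `${HOME}/.Atom` and `${HOME}/.config/Atom` with a capital A, while the directory this profile itself expects is lower-case `~/.atom`, so on a case-sensitive filesystem the editor's per-user tree — which by this profile's own reckoning needs to be writable and presumably holds its startup scripts and installed packages — is never hidden from other sandboxes, and the exemption here is a no-op. Change the include file to `blacklist ${HOME}/.atom` (or list both spellings if both occur), keeping this line as is. Since no `whitelist` is set, any package running inside Atom sees the entire home with network access (`protocol unix,inet,inet6,netlink`); a comment acknowledging that, or a `whitelist` set like `0ad.profile` uses, would help users judge the exposure.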

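--- a/firejail_profiles/atril.profile
+++ b/firejail_profiles/atril.profile
+# Atril profile
+noblacklist ~/.config/atril
+noblacklist ~/.local/share
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin atril, atril-previewer, atril-thumbnailer
+private-dev
+private-tmp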
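Review bot: `noblacklist ~/.local/share` on line 3 names the whole tree rather than whatever Atril writes under it, and that tree is where `disable-common.inc` hides `.local/share/kwalletd` and `.local/share/systemd` and where `disable-programs.inc` hides Evolution, Steam and game state. Whether a `noblacklist` on a parent directory also exempts those blacklisted children depends on firejail's matching rules — verify — but even if it does not today, the line documents an intent far broader than a PDF viewer opening untrusted documents should have. Narrow it to the specific subdirectory and say why, e.g. `noblacklist ~/.local/share/atril  # recent-documents metadata` (confirm the actual path Atril uses). The rest of the profile (`private-bin`, `private-dev`, `private-tmp`, `protocol unix`) is tight, which makes this one line the weak spot.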

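--- a/firejail_profiles/audacious.profile
+++ b/firejail_profiles/audacious.profile
+# Audacious media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp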
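Review bot: For a player that parses untrusted media files this profile is noticeably looser than `audacity.profile` in the same commit: no `netfilter`, `nogroups`, `shell none`, `private-dev`, `private-tmp` or `tracelog`, and no `noblacklist`/`whitelist` for its own configuration, so the whole home is visible. `audacity.profile` shows that an audio application runs with `private-dev` and `private-tmp` in this profile set, so adding `netfilter`, `nogroups`, `shell none`, `private-dev` and `private-tmp` after `seccomp` should be safe to try here. `clementine.profile` and `deadbeef.profile` are copies of this template and should move together with it.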

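--- a/firejail_profiles/audacity.profile
+++ b/firejail_profiles/audacity.profile
+# Audacity profile
+noblacklist ~/.audacity-data
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin audacity
+private-dev
+private-tmp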
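Review bot: `netfilter` on line 8 is at odds with `protocol unix` four lines below: the protocol filter already refuses inet/inet6 sockets, and as I read firejail's semantics `netfilter` only applies inside a new network namespace, which this profile never creates. If Audacity needs no network — which is what `protocol unix` asserts — replace `netfilter` with `net none`, the namespace-level cut that `7z.profile` and `cpio.profile` in this commit already use; if it does need one, `protocol unix` is the line that is wrong.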

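--- a/firejail_profiles/aweather.profile
+++ b/firejail_profiles/aweather.profile
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+# Whitelist
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin aweather
+private-dev
+private-tmp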

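--- a/firejail_profiles/bitlbee.profile
+++ b/firejail_profiles/bitlbee.profile
+# BitlBee instant messaging profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+netfilter
+nonewprivs
+private
+private-dev
+protocol unix,inet,inet6
+seccomp
+nosound
+read-write /var/lib/bitlbee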
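Review bot: Neither `caps.drop all` nor `caps.keep` appears, and there is no `noroot`, so if the daemon is launched as root (which the `/sbin` exemptions and the `/var/lib` state directory suggest) it keeps the full capability set inside the sandbox. Presumably bitlbee switches to an unprivileged user itself after start-up; if so, say so and keep only what that needs, e.g. `caps.keep setuid,setgid,net_bind_service  # bitlbee drops privileges after binding`, trimmed to what this build actually requests. `shell none` and `nogroups` would also be cheap additions for a daemon that has no reason to spawn a shell.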

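--- a/firejail_profiles/brave.profile
+++ b/firejail_profiles/brave.profile
+# Profile for Brave browser
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+whitelist ${DOWNLOADS}
+mkdir ~/.config/brave
+whitelist ~/.config/brave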

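--- a/firejail_profiles/cherrytree.profile
+++ b/firejail_profiles/cherrytree.profile
+# cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python3*
+noblacklist ${HOME}/.config/cherrytree
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+seccomp
+protocol unix,inet,inet6,netlink
+tracelog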
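Review bot: The two interpreter exemptions on lines 2–3 contradict each other: `noblacklist /usr/bin/python2*` un-hides the Python 2 binaries while `noblacklist /usr/lib/python3*` un-hides the Python 3 libraries, so whichever version cherrytree runs under gets only half of what it needs. Pick one generation for both (`/usr/bin/python2*` with `/usr/lib/python2*`, or the `python3*` pair). Today the mistake is invisible because every Python rule in `disable-devel.inc` is commented out, making both lines no-ops; it will surface the moment those blacklists are switched on, which is the worst time to find it.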

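--- a/firejail_profiles/chromium-browser.profile
+++ b/firejail_profiles/chromium-browser.profile
@@ -0,0 +1,2 @@
+# Chromium browser profile
+include /etc/firejail/chromium.profile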

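--- a/firejail_profiles/chromium.profile
+++ b/firejail_profiles/chromium.profile
+# Chromium browser profile
+noblacklist ~/.config/chromium
+noblacklist ~/.cache/chromium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+netfilter
+whitelist ${DOWNLOADS}
+mkdir ~/.config/chromium
+whitelist ~/.config/chromium
+mkdir ~/.cache/chromium
+whitelist ~/.cache/chromium
+mkdir ~/.pki
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
+include /etc/firejail/whitelist-common.inc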
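Review bot: This is the only browser profile in the commit without `caps.drop all`, `nonewprivs`, `noroot`, `protocol` and `seccomp` — `brave.profile`, also Chromium-based, sets every one of them — and the file gives no reason. If the omission is deliberate (for instance a conflict with Chromium's own setuid or user-namespace sandbox), write it down next to `netfilter` and name the directive that conflicts, e.g. `# no nonewprivs/noroot: breaks Chromium's builtin sandbox; caps.drop all and seccomp are fine`, so the others can be added. `whitelist ~/keepassx.kdbx` also lacks the `noblacklist` that the file's own `.config/chromium` entries show is needed for a path an include hides (`disable-common.inc` blacklists `${HOME}/*.kdbx`); add `noblacklist ~/keepassx.kdbx` or delete the whitelist. `mkdir ~/.pki` / `whitelist ~/.pki` exposes the NSS client-certificate database that `disable-passwdmgr.inc` treats as a secret, which deserves at least a comment.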

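--- a/firejail_profiles/claws-mail.profile
+++ b/firejail_profiles/claws-mail.profile
+# claws-mail profile
+noblacklist ~/.claws-mail
+noblacklist ~/.signature
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp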
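Review bot: `noblacklist ~/.claws-mail` on line 2 has nothing to undo: the `# HTTP / FTP / Mail` section of `disable-programs.inc` lists `.icedove`, `.thunderbird`, `.sylpheed-2.0`, `.mutt` and Evolution but not `.claws-mail`, so this client's mail store and account settings stay readable from every other sandbox while the line here is a no-op; add `blacklist ${HOME}/.claws-mail` to the include file. `noblacklist ~/.signature` likewise matches no blacklist in this commit. `noblacklist ~/.gnupg` hands the entire GnuPG keyring, which `disable-common.inc` files under `# top secret`, to a network-facing mail client; if it is needed for PGP signing, say so in place — `noblacklist ~/.gnupg  # PGP signing/decryption in claws` — so the widening is clearly deliberate.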

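--- a/firejail_profiles/clementine.profile
+++ b/firejail_profiles/clementine.profile
+# Clementine media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp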
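Review bot: Same template as `audacious.profile`, with the same gaps: no `netfilter`, `nogroups`, `shell none`, `private-dev` or `private-tmp`, and no `noblacklist`/`whitelist` for the player's own configuration, so the whole home is visible to a program that parses untrusted media. `audacity.profile` in this commit shows the tighter form for an audio application; bring the three players (audacious, clementine, deadbeef) onto that baseline together rather than leaving them on different ones.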

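--- a/firejail_profiles/cmus.profile
+++ b/firejail_profiles/cmus.profile
+# cmus profile
+noblacklist ${HOME}/.config/cmus
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+private-bin cmus
+private-etc group
+shell none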
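Review bot: `private-etc group` leaves only `/etc/group` in the sandbox, yet the profile also grants `protocol unix,inet,inet6` and `netfilter`; without `resolv.conf`, `nsswitch.conf` and `hosts` no hostname can be resolved, so either the network grant is pointless or, if cmus is expected to play remote streams, the `private-etc` list is too short. Pick one: `private-etc group,resolv.conf,nsswitch.conf,hosts` if streaming is wanted, otherwise `net none` and drop `netfilter`. The commented `private-etc` in `abrowser.profile` lists `asound.conf` and `pulse` for audio; whether cmus needs those under `private-etc` is worth testing at the same time.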

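--- a/firejail_profiles/conkeror.profile
+++ b/firejail_profiles/conkeror.profile
+# Firejail profile for Conkeror web browser profile
+noblacklist ${HOME}/.conkeror.mozdev.org
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+whitelist ~/.conkeror.mozdev.org
+whitelist ~/Downloads
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.lastpass
+whitelist ~/.gtkrc-2.0
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.conkerorrc
+include /etc/firejail/whitelist-common.inc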
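Review bot: `whitelist ~/Downloads` on line 12 hard-codes the directory name while every other browser profile in this commit uses `whitelist ${DOWNLOADS}` (abrowser, brave, chromium, cyberfox, dillo), which follows the user's configured download location; switch to the macro. The whitelists here also lack the `mkdir` pairing the siblings use (`~/.conkeror.mozdev.org` is only whitelisted) and the profile has no `tracelog`. `whitelist ~/.lastpass` exposes the LastPass store with no comment; at minimum note that `disable-passwdmgr.inc` is intentionally not included.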

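--- a/firejail_profiles/corebird.profile
+++ b/firejail_profiles/corebird.profile
+# Firejail corebird profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp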
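Review bot: `nonewprivs` is missing — every other profile in this commit that sets `caps.drop all` pairs it with `nonewprivs`, and without it a setuid binary reachable from the sandbox can still change identity on exec, which is exactly what the dropped capability set and the seccomp filter are meant to be paired against. Insert `nonewprivs` after `netfilter`. Nothing here or in `disable-programs.inc` names where corebird keeps its login tokens, so they are presumably readable by every other sandbox; a follow-up `blacklist` entry with the directory would close that.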

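--- a/firejail_profiles/cpio.profile
+++ b/firejail_profiles/cpio.profile
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound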
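Review bot: `net none` appears twice (after `caps.drop all` and again after `tracelog`); drop one. More importantly, an archive extractor that is fed untrusted input has neither `noroot` nor `nonewprivs` here, while `7z.profile` at least inherits `nonewprivs` through `default.profile`; if root is required so cpio can restore ownership, add `nonewprivs` regardless and say why `noroot` is out: `# no noroot: cpio is run as root to restore file ownership`. The header line `# /boot is not visible and /var is heavily modified` describes nothing this profile does — no directive here touches either path — so if it is describing firejail's default mounts, say that, to stop readers hunting for the missing rules.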

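--- a/firejail_profiles/cyberfox.profile
+++ b/firejail_profiles/cyberfox.profile
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse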
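Review bot: As in `abrowser.profile`, `whitelist ~/keepassx.kdbx` under `# lastpass, keepassx` has no `noblacklist`, while the included `disable-common.inc` blacklists `${HOME}/*.kdbx`; the file's own `.8pecxstudios` entries show the `noblacklist`-then-`whitelist` idiom this needs, so the line is either dead or an undocumented hole, and both profiles should be fixed the same way (add `noblacklist ~/keepassx.kdbx` with a comment, or remove the whitelist). Now that `Cyberfox.profile` aliases this file, the header could also say that the browser stores its data under `~/.8pecxstudios`, so the unusual `noblacklist` on line 2 explains itself.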

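--- a/firejail_profiles/deadbeef.profile
+++ b/firejail_profiles/deadbeef.profile
+# DeaDBeeF media player profile
+noblacklist ${HOME}/.config/deadbeef
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp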
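Review bot: Third copy of the `audacious.profile` template, with the same gaps (no `netfilter`, `nogroups`, `shell none`, `private-dev`, `private-tmp` or `tracelog`); unlike audacious this one does carry `noblacklist ${HOME}/.config/deadbeef`, but never `whitelist`s it, so the exemption buys nothing and the whole home stays visible. Either harden all three players to the `audacity.profile` baseline in one go, or add a comment explaining why media players are kept loose.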

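--- a/firejail_profiles/default.profile
+++ b/firejail_profiles/default.profile
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+#blacklist ${HOME}/.wine
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp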
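Review bot: `#blacklist ${HOME}/.wine` is dead: `disable-programs.inc`, included two lines above it, already blacklists `${HOME}/.wine`, so the commented line only hints at a rule that is not missing — delete it. Because this file is the fallback for every program without its own profile (`7z.profile` includes it), the header should say why it stops at `seccomp` and leaves out `disable-devel.inc`, `shell none`, `private-dev`, `private-tmp` and `tracelog`, e.g. `# kept deliberately permissive: unknown programs must keep working; harden in a per-program profile`, so nobody "fixes" it and breaks every unprofiled application at once.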

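--- a/firejail_profiles/deluge.profile
+++ b/firejail_profiles/deluge.profile
+# deluge bittorrernt client profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# deluge is using python on Debian
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+#private-bin deluge,sh,python,uname
+private-dev
+private-tmp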
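Review bot: Nothing protects Deluge's own state: there is no `noblacklist`/`whitelist` here and `disable-programs.inc` lists `transmission` but not deluge, so a torrent client with inbound network exposure sees the entire home while its configuration stays visible to every other sandbox. Add its config directory (`~/.config/deluge`, if that is where this build writes) to `disable-programs.inc` and `noblacklist` + `whitelist` it here together with `${DOWNLOADS}`, the way `brave.profile` does. The two commented-out lines are explained by the Python note, which is the right way to leave them; the header typo `bittorrernt` should read `bittorrent`.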

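--- a/firejail_profiles/dillo.profile
+++ b/firejail_profiles/dillo.profile
+# Firejail profile for Dillo web browser
+noblacklist ~/.dillo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.dillo
+whitelist ~/.dillo
+mkdir ~/.fltk
+whitelist ~/.fltk
+include /etc/firejail/whitelist-common.inc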

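--- a/firejail_profiles/disable-common.inc
+++ b/firejail_profiles/disable-common.inc
+# Local customizations come here
+include /etc/firejail/disable-common.local
+# History files in $HOME
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.*_history
+blacklist ${HOME}/.local/share/systemd
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.macromedia
+read-only ${HOME}/.local/share/applications
+# X11 session autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.config/autostart
+blacklist /etc/xdg/autostart
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.config/plasma-workspace/shutdown
+blacklist ${HOME}/.config/plasma-workspace/env
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.fluxbox/startup
+blacklist ${HOME}/.config/openbox/autostart
+blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+# VirtualBox
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/VirtualBox VMs
+blacklist ${HOME}/.config/VirtualBox
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+# var
+blacklist /var/spool/cron
+blacklist /var/spool/anacron
+blacklist /var/run/acpid.socket
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/run/docker.sock
+# etc
+blacklist /etc/cron.*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
+blacklist /etc/anacrontab
+# General startup files
+read-only ${HOME}/.xinitrc
+read-only ${HOME}/.xserverrc
+read-only ${HOME}/.profile
+# Shell startup files
+read-only ${HOME}/.antigen
+read-only ${HOME}/.bash_login
+read-only ${HOME}/.bashrc
+read-only ${HOME}/.bash_profile
+read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
+read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
+read-only ${HOME}/.zlogin
+read-only ${HOME}/.zprofile
+read-only ${HOME}/.zlogout
+read-only ${HOME}/.zsh_files
+read-only ${HOME}/.tcshrc
+read-only ${HOME}/.cshrc
+read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
+# Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
+read-only ${HOME}/.mailcap
+read-only ${HOME}/.exrc
+read-only ${HOME}/_exrc
+read-only ${HOME}/.vimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/_gvimrc
+read-only ${HOME}/.vim
+read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
+read-only ${HOME}/.tmux.conf
+read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
+# The user ~/bin directory can override commands such as ls
+read-only ${HOME}/bin
+# top secret
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
+blacklist /etc/shadow
+blacklist /etc/gshadow
+blacklist /etc/passwd-
+blacklist /etc/group-
+blacklist /etc/shadow-
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/group+
+blacklist /etc/shadow+
+blacklist /etc/gshadow+
+blacklist /etc/ssh
+blacklist /var/backup
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+# disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd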
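Review bot: `read-only ${HOME}/.iscreenrc` looks like a typo for `${HOME}/.screenrc`, GNU screen's start-up file, which can run arbitrary commands and is the obvious member of the `# Initialization files that allow arbitrary command execution` list; as written it protects a file nobody has, so a sandboxed process can still plant commands that run at the next `screen` launch. `read-only ${HOME}/.profile` is listed twice (under `# General startup files` and again under `# Shell startup files`), and `.muttrc`, `.mutt/muttrc` and `.msmtprc` are made `read-only` here and then `blacklist`ed in the `# top secret` block (and once more in `disable-programs.inc`); a blacklisted path is hidden regardless, so the `read-only` trio is redundant and can go. `read-only ${HOME}/bin` is justified by the comment about overriding `ls`, but `${HOME}/.local/bin` — which some distributions' default `.profile` also prepend to `PATH` — is not covered; add it under the same comment, or note why it is left out.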

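--- a/firejail_profiles/disable-devel.inc
+++ b/firejail_profiles/disable-devel.inc
+# Local customizations come here
+include /etc/firejail/disable-devel.local
+# development tools
+# GCC
+blacklist /usr/include
+#blacklist /usr/lib/gcc - seems to create problems on Gentoo
+blacklist /usr/bin/gcc*
+blacklist /usr/bin/cpp*
+blacklist /usr/bin/c9*
+blacklist /usr/bin/c8*
+blacklist /usr/bin/c++*
+blacklist /usr/bin/as
+blacklist /usr/bin/ld
+blacklist /usr/bin/gdb
+blacklist /usr/bin/g++*
+blacklist /usr/bin/x86_64-linux-gnu-g++*
+blacklist /usr/bin/x86_64-linux-gnu-gcc*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
+# clang/llvm
+blacklist /usr/bin/clang*
+blacklist /usr/bin/llvm*
+blacklist /usr/bin/lldb*
+blacklist /usr/lib/llvm*
+# tcc - Tiny C Compiler
+blacklist /usr/bin/tcc
+blacklist /usr/bin/x86_64-tcc
+blacklist /usr/lib/tcc
+# Valgrind
+blacklist /usr/bin/valgrind*
+blacklist /usr/lib/valgrind
+# Perl
+blacklist /usr/bin/perl
+blacklist /usr/bin/cpan*
+blacklist /usr/share/perl*
+blacklist /usr/lib/perl*
+# PHP
+blacklist /usr/bin/php*
+blacklist /usr/share/php*
+blacklist /usr/lib/php*
+# Ruby
+blacklist /usr/bin/ruby
+blacklist /usr/lib/ruby
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
+# Python 2
+#blacklist /usr/bin/python2*
+#blacklist /usr/lib/python2*
+#blacklist /usr/local/lib/python2*
+#blacklist /usr/include/python2*
+#blacklist /usr/share/python2*
+#
+# Python 3
+#blacklist /usr/bin/python3*
+#blacklist /usr/lib/python3*
+#blacklist /usr/local/lib/python3*
+#blacklist /usr/share/python3*
+#blacklist /usr/include/python3*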
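Review bot: Despite the file name, scripting interpreters are only partly covered and the file does not say so until the reader reaches the commented-out Python block: add a one-line summary at the top such as `# NOTE: python is intentionally NOT blocked (see below); perl, php and ruby are`, so nobody assumes scripting is disabled. `blacklist /usr/bin/perl` covers only the unversioned name; on distributions that also install a versioned binary (`perl5.xx`) that path stays reachable, so `blacklist /usr/bin/perl5*` would close it — verify on the targeted distributions. Similarly `/usr/bin/ruby` but not `irb`/`gem`, and `/usr/bin/gdb` but not `gdbserver`, where installed; either add them or comment that only the primary front-ends are meant to be hidden.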

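--- a/firejail_profiles/disable-passwdmgr.inc
+++ b/firejail_profiles/disable-passwdmgr.inc
+# Local customizations come here
+include /etc/firejail/disable-passwdmgr.local
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx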
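Review bot: `blacklist ${HOME}/keepassx.kdbx` duplicates `${HOME}/*.kdbx` in `disable-common.inc`, which every profile in this commit includes next to this file; harmless, but a comment such as `# *.kdbx is already hidden by disable-common.inc; kept for profiles that include only this file` would explain why it stays. A header line noting that the browser profiles (abrowser, chromium, conkeror, cyberfox) deliberately omit this include so in-browser password managers and `~/.pki` keep working would document that trade-off in the one place people look for it.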

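--- a/firejail_profiles/disable-programs.inc
+++ b/firejail_profiles/disable-programs.inc
+# Local customizations come here
+include /etc/firejail/disable-programs.local
+# various programs
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.config/qpdfview
+blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/synfig
+blacklist ${HOME}/.synfig
+blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/eog
+# Media players
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.config/evolution
+blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.cache/evolution
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/skypeforlinux
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.config/gajim
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.dosbox
+# Cryptocoins
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/wallet.dat
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+# share
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/zathura
+# ssh
+blacklist /tmp/ssh-*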
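Review bot: `blacklist ${HOME}/.Atom` (line 4) does not match the directory `atom.profile` expects, which is lower-case `~/.atom` (`noblacklist ~/.atom` there); on a case-sensitive filesystem the editor's per-user tree — start-up scripts and packages included — is therefore never hidden from other sandboxes, and the profile's exemption is a no-op. Change it to `blacklist ${HOME}/.atom`, or list both spellings if both occur in the wild. Under `# HTTP / FTP / Mail`, `${HOME}/.claws-mail` is missing even though `claws-mail.profile` in this commit `noblacklist`s it, and `${HOME}/.mutt/muttrc` is redundant with `${HOME}/.mutt` two lines above. `blacklist ${HOME}/.*coin` under `# Cryptocoins` is a deliberately broad glob that will also hide unrelated dot-directories ending in `coin`; a comment saying the breadth is intentional would stop someone "narrowing" it later.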

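--- a/firejail_profiles/dnscrypt-proxy.profile
+++ b/firejail_profiles/dnscrypt-proxy.profile
+# security profile for dnscrypt-proxy
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+private
+private-dev
+nosound
+no3d
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open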
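Review bot: `perf_event_open` appears twice in the `seccomp.drop` list (after `_sysctl,adjtimex,clock_adjtime,lookup_dcookie,` and again as the last entry); remove the duplicate, and if the hand-written list is meant to mirror firejail's default drop set, use plain `seccomp` instead so the profile tracks upstream changes rather than freezing a copy. Capabilities are not restricted at all (no `caps.drop` or `caps.keep`) and there is no `nonewprivs` or `noroot`; a resolver that binds a privileged port and then drops privileges needs roughly `caps.keep net_bind_service,setuid,setgid` plus `nonewprivs` — check what this build actually requests — with a comment naming why each is kept. `protocol unix,inet,inet6` and `netfilter` are also missing, so netlink and packet sockets remain open to a process that only needs UDP/TCP.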

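--- a/firejail_profiles/dnsmasq.profile
+++ b/firejail_profiles/dnsmasq.profile
+# dnsmasq profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+caps
+netfilter
+nonewprivs
+private
+private-dev
+nosound
+no3d
+protocol unix,inet,inet6,netlink
+seccomp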
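Review bot: Bare `caps` keeps firejail's default capability set rather than the handful dnsmasq needs; prefer an explicit `caps.keep net_admin,net_bind_service,net_raw,setgid,setuid` — the set dnsmasq's own documentation describes retaining for DHCP and for switching to its runtime user, which should be verified against the man page of the packaged version — with a comment, so a reader can tell the daemon's needs from the sandbox's leftovers. `noroot` is understandably absent for a daemon that must start as root to bind ports 53 and 67, but say so in place: `# no noroot: dnsmasq starts as root, binds privileged ports, then drops to its own user`. The `nonewprivs`, `protocol unix,inet,inet6,netlink` and `seccomp` lines are the right baseline for this kind of service.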

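--- a/firejail_profiles/dosbox.profile
+++ b/firejail_profiles/dosbox.profile
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-bin dosbox
+private-dev
+private-tmp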

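--- a/firejail_profiles/dropbox.profile
+++ b/firejail_profiles/dropbox.profile
@@ -0,0 +1,21 @@
+# dropbox profile
+noblacklist ~/.config/autostart
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop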
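Review bot: The `mkfile` plus `whitelist` of `~/.config/autostart/dropbox.desktop` leaves a file that the desktop session executes outside the sandbox writable from inside it (presumably, since the whitelist binds the user's real file), so the autostart entry is the one place where a compromised client could set up something that runs unsandboxed at the next login. If the client only needs to read the entry, `read-only ~/.config/autostart/dropbox.desktop` after the whitelist closes that; if it must write it to toggle "start on login", the trade-off deserves a comment such as `# autostart entry is writable so the client can toggle start-on-login; the session runs it outside the sandbox`. Separately, this profile uses `caps` where the other user-application profiles in the commit (dosbox, emacs, eog) use `caps.drop all`; Dropbox runs as an unprivileged user, so `caps.drop all` looks like the intended form.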

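--- a/firejail_profiles/emacs.profile
+++ b/firejail_profiles/emacs.profile
@@ -0,0 +1,17 @@
+# emacs profile
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp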

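--- a/firejail_profiles/empathy.profile
+++ b/firejail_profiles/empathy.profile
@@ -0,0 +1,10 @@
+# Empathy instant messaging profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp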
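Review bot: `noroot` and `nogroups` are absent although the other GNOME application profiles in this commit (eog, eom, evince) set both; a chat client has no need for uid 0 inside its user namespace, so at least `noroot` after `nonewprivs` looks like an omission. disable-passwdmgr.inc is also not included, which those same profiles do; if Empathy really needs the password-manager directories (presumably for stored account credentials), a one-line comment saying so would stop the next reviewer from "fixing" it.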

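--- a/firejail_profiles/eog.profile
+++ b/firejail_profiles/eog.profile
@@ -0,0 +1,23 @@
+# eog (gnome image viewer) profile
+noblacklist ~/.config/eog
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix
+seccomp
+shell none
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp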
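Review bot: `netfilter` has nothing to filter here, because `protocol unix` a few lines below already rejects inet/inet6 sockets, and an image viewer has no use for the network at all; `net none` (as feh.profile in this commit uses) would state that intent and remove the network namespace rather than filter it. eom.profile and evince.profile in the same commit omit `netfilter` for the same reason, so dropping it here also keeps the three viewer profiles consistent.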

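--- a/firejail_profiles/eom.profile
+++ b/firejail_profiles/eom.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin eom
+private-dev
+private-tmp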

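--- a/firejail_profiles/epiphany.profile
+++ b/firejail_profiles/epiphany.profile
@@ -0,0 +1,23 @@
+# Epiphany browser profile
+noblacklist ${HOME}/.config/epiphany
+noblacklist ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.local/share/epiphany
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+whitelist ${DOWNLOADS}
+mkdir ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.local/share/epiphany
+mkdir ${HOME}/.config/epiphany
+whitelist ${HOME}/.config/epiphany
+mkdir ${HOME}/.cache/epiphany
+whitelist ${HOME}/.cache/epiphany
+include /etc/firejail/whitelist-common.inc
+caps.drop all
+netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp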
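Review bot: `noroot` is missing from this browser profile although firefox.profile and flashpeak-slimjet.profile in the same commit set it, and a browser has no reason to hold uid 0 inside the sandbox's user namespace; `noroot` after `nonewprivs` is the one-line fix. `tracelog` is also absent while the Firefox profile sets it, and `shell none` is not used; whether Epiphany needs a shell at launch is not visible here, so that one should be checked rather than copied.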

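--- a/firejail_profiles/evince.profile
+++ b/firejail_profiles/evince.profile
@@ -0,0 +1,18 @@
+# evince pdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev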

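--- a/firejail_profiles/evolution.profile
+++ b/firejail_profiles/evolution.profile
@@ -0,0 +1,25 @@
+# evolution profile
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
+shell none
+private-dev
+private-tmp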
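Review bot: `noblacklist ~/.gnupg`, `~/.pki` and `~/.pki/nssdb` re-expose key material that one of the included .inc files presumably hides, and the profile does not say why; a comment such as `# PGP signing and S/MIME need the user's GnuPG and NSS stores` records the trade-off so a later cleanup does not silently drop them. `noblacklist ~/.pki/nssdb` also appears redundant once `~/.pki` itself is un-blacklisted; worth confirming against how noblacklist matches nested paths before removing it.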

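--- a/firejail_profiles/fbreader.profile
+++ b/firejail_profiles/fbreader.profile
@@ -0,0 +1,21 @@
+# fbreader ebook reader profile
+noblacklist ${HOME}/.FBReader
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin fbreader,FBReader
+whitelist /tmp/.X11-unix
+private-dev
+nosound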
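Review bot: `nosound` appears twice, once in the main option list and again as the last line; the duplicate is harmless but suggests the tail was pasted from another profile, and filezilla.profile in this commit carries the same doubled `nosound`. Dropping the trailing occurrence in both keeps the profiles tidy. The lone `whitelist /tmp/.X11-unix`, with no other whitelist and no whitelist-common.inc, presumably turns /tmp into a whitelisted mount holding only the X socket — effectively `private-tmp` plus X access — and a comment saying that is the intent would save the next reader from wondering why it is not `private-tmp`.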

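--- a/firejail_profiles/feh.profile
+++ b/firejail_profiles/feh.profile
@@ -0,0 +1,21 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+private-bin feh
+whitelist /tmp/.X11-unix
+private-dev
+private-etc feh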
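Review bot: `netfilter` and `net none` on consecutive lines conflict in intent: `net none` gives the sandbox an empty network namespace, so there is no traffic left for the netfilter rules to act on. Keep `net none` (an image viewer needs no network) and drop `netfilter`; `protocol unix` above is then consistent with it. The other viewer profiles in this commit (eom, evince) already use `protocol unix` without `netfilter`.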

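--- a/firejail_profiles/file.profile
+++ b/firejail_profiles/file.profile
@@ -0,0 +1,16 @@
+# file profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-bin file
+private-etc magic.mgc,magic,localtime
+hostname file
+private-dev
+nosound
+no3d
+blacklist /tmp/.X11-unix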
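Review bot: `ignore noroot` undoes a `noroot` that the included default.profile presumably sets, and nothing says why file(1) should keep the real uid/gid; the reason — the cost of an extra user namespace for a short-lived command, or a permission problem on some setup — should be recorded inline, e.g. `# ignore noroot: <reason> (default.profile sets it)`. Without that, the line reads like a leftover, and the next person tidying the profile will either remove a deliberate exception or keep an accidental one.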

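--- a/firejail_profiles/filezilla.profile
+++ b/firejail_profiles/filezilla.profile
@@ -0,0 +1,22 @@
+# FileZilla ftp profile
+noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.config/filezilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+whitelist /tmp/.X11-unix
+private-dev
+nosound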
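Review bot: `private-bin` hands the sandbox `sh` and `python` alongside filezilla itself, which leaves a compromised client with general-purpose interpreters and cancels much of what a private /bin is meant to buy; if they are present only because `lsb_release` is a script on some distributions, a comment tying the entries to that need (`# lsb_release is a python script on some distros, hence sh and python`) would let them go when the need does. `nosound` is also set twice (in the option list and on the last line), the same duplication as in fbreader.profile.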

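--- a/firejail_profiles/firefox-esr.profile
+++ b/firejail_profiles/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile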

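--- a/firejail_profiles/firefox.profile
+++ b/firejail_profiles/firefox.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+include /etc/firejail/whitelist-common.inc
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse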
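Review bot: The whitelist block under `# lastpass, keepassx` places the user's password-manager stores (`~/.keepassx`, `~/keepassx.kdbx`, `~/.lastpass`, `~/.config/lastpass`) inside a network-facing browser sandbox, writable, while the profile also leaves out disable-passwdmgr.inc; that is a large trade-off for a browser-integration convenience and deserves an explicit comment rather than a two-word heading. If the integration only reads the KeePassX database, `read-only ~/keepassx.kdbx` after its whitelist limits a browser compromise to disclosure rather than tampering; whether writes are required is not visible here and should be checked first. flashpeak-slimjet.profile in this commit carries the same block and should get the same comment and, if applicable, the same `read-only` line.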

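--- a/firejail_profiles/firejail.config
+++ b/firejail_profiles/firejail.config
@@ -0,0 +1,81 @@
+# This is Firejail system-wide configuration file, see firejail-config(5) for
+# more information. The file contains keyword-argument pairs, one per line.
+# Most features are enabled by default. Use 'yes' or 'no' as configuration
+# values.
+# Enable or disable bind support, default enabled.
+# bind yes
+# Enable or disable chroot support, default enabled.
+# chroot yes
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+# Enable or disable file transfer support, default enabled.
+# file-transfer yes
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled.
+# force-nonewprivs no
+# Enable or disable networking features, default enabled.
+# network yes
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+# Enable or disable private-home feature, default enabled
+# private-home yes
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+# Enable or disable restricted network support, default disabled. If enabled,
+# networking features should also be enabled (network yes).
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
+# restricted-network no
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+# Enable or disable seccomp support, default enabled.
+# seccomp yes
+# Enable or disable user namespace support, default enabled.
+# userns yes
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+# Enable or disable X11 sandboxing support, default enabled.
+# x11 yes
+# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+# a full list of resolutions available on your specific setup.
+# xephyr-screen 640x480
+# xephyr-screen 800x600
+# xephyr-screen 1024x768
+# xephyr-screen 1280x1024
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale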

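--- a/firejail_profiles/flashpeak-slimjet.profile
+++ b/firejail_profiles/flashpeak-slimjet.profile
@@ -0,0 +1,39 @@
+# SlimJet browser profile
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#
+# firejail flashpeak-slimjet --no-sandbox
+#
+noblacklist ~/.config/slimjet
+noblacklist ~/.cache/slimjet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+whitelist ${DOWNLOADS}
+mkdir ~/.config/slimjet
+whitelist ~/.config/slimjet
+mkdir ~/.cache/slimjet
+whitelist ~/.cache/slimjet
+mkdir ~/.pki
+whitelist ~/.pki
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+include /etc/firejail/whitelist-common.inc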

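--- a/firejail_profiles/flowblade.profile
+++ b/firejail_profiles/flowblade.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp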
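Review bot: The header comment reads `# OpenShot profile` in flowblade.profile, a copy-paste leftover that will mislead anyone searching profiles by application name; it should read `# Flowblade profile`. The profile also skips disable-devel.inc while including disable-passwdmgr.inc; if the editor genuinely needs interpreters or compilers from the devel list, a short comment like the one in flashpeak-slimjet.profile (`# chromium is distributed with a perl script on Arch`) would explain the omission instead of leaving it to look accidental.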

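--- a/firejail_profiles/franz.profile
+++ b/firejail_profiles/franz.profile
@@ -0,0 +1,24 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+#tracelog
+nonewprivs
+noroot
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc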
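Review bot: `#tracelog` is commented out with no reason given, while firefox.profile in the same commit enables it for a similar Electron/browser-style application; if Franz misbehaves under tracelog, a note such as `# tracelog disabled: <reason>` records that, and if it was just left over from copying, enabling it restores the blacklist-violation logging the other profiles get.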

33
firejail_profiles/gajim.profile

@ -0,0 +1,33 @@ @@ -0,0 +1,33 @@
# Firejail profile for Gajim