From 777ae32ba6e5bb302edec339f29ee40d1143af33 Mon Sep 17 00:00:00 2001 
From: 51x <51x@keemail.me> Date: Sun, 12 May 2019 14:11:43 +0100 Subject: [PATCH] fj --- firejail_profiles/0ad.profile | 31 +++ firejail_profiles/7z.profile | 9 + firejail_profiles/Cyberfox.profile | 3 + firejail_profiles/Mathematica.profile | 20 ++ firejail_profiles/Telegram.profile | 2 + firejail_profiles/abrowser.profile | 50 +++++ firejail_profiles/atom-beta.profile | 20 ++ firejail_profiles/atom.profile | 20 ++ firejail_profiles/atril.profile | 21 +++ firejail_profiles/audacious.profile | 11 ++ firejail_profiles/audacity.profile | 21 +++ firejail_profiles/aweather.profile | 25 +++ firejail_profiles/bitlbee.profile | 14 ++ firejail_profiles/brave.profile | 18 ++ firejail_profiles/cherrytree.profile | 19 ++ firejail_profiles/chromium-browser.profile | 2 + firejail_profiles/chromium.profile | 31 +++ firejail_profiles/claws-mail.profile | 24 +++ firejail_profiles/clementine.profile | 11 ++ firejail_profiles/cmus.profile | 18 ++ firejail_profiles/conkeror.profile | 24 +++ firejail_profiles/corebird.profile | 12 ++ firejail_profiles/cpio.profile | 21 +++ firejail_profiles/cyberfox.profile | 50 +++++ firejail_profiles/deadbeef.profile | 13 ++ firejail_profiles/default.profile | 15 ++ firejail_profiles/deluge.profile | 20 ++ firejail_profiles/dillo.profile | 23 +++ firejail_profiles/disable-common.inc | 177 ++++++++++++++++++ firejail_profiles/disable-devel.inc | 66 +++++++ firejail_profiles/disable-passwdmgr.inc | 10 + firejail_profiles/disable-programs.inc | 167 +++++++++++++++++ firejail_profiles/dnscrypt-proxy.profile | 14 ++ firejail_profiles/dnsmasq.profile | 17 ++ firejail_profiles/dosbox.profile | 21 +++ firejail_profiles/dropbox.profile | 21 +++ firejail_profiles/emacs.profile | 17 ++ firejail_profiles/empathy.profile | 10 + firejail_profiles/eog.profile | 23 +++ firejail_profiles/eom.profile | 21 +++ firejail_profiles/epiphany.profile | 23 +++ firejail_profiles/evince.profile | 18 ++ firejail_profiles/evolution.profile | 25 +++ 
firejail_profiles/fbreader.profile | 21 +++ firejail_profiles/feh.profile | 21 +++ firejail_profiles/file.profile | 16 ++ firejail_profiles/filezilla.profile | 22 +++ firejail_profiles/firefox-esr.profile | 2 + firejail_profiles/firefox.profile | 50 +++++ firejail_profiles/firejail.config | 81 ++++++++ firejail_profiles/flashpeak-slimjet.profile | 39 ++++ firejail_profiles/flowblade.profile | 13 ++ firejail_profiles/franz.profile | 24 +++ firejail_profiles/gajim.profile | 33 ++++ firejail_profiles/gimp.profile | 18 ++ firejail_profiles/git.profile | 26 +++ firejail_profiles/gitter.profile | 20 ++ firejail_profiles/gnome-chess.profile | 22 +++ firejail_profiles/gnome-mplayer.profile | 17 ++ firejail_profiles/google-chrome-beta.profile | 27 +++ .../google-chrome-stable.profile | 2 + .../google-chrome-unstable.profile | 27 +++ firejail_profiles/google-chrome.profile | 28 +++ .../google-play-music-desktop-player.profile | 18 ++ firejail_profiles/gpredict.profile | 25 +++ firejail_profiles/gtar.profile | 3 + firejail_profiles/gthumb.profile | 21 +++ firejail_profiles/gwenview.profile | 21 +++ firejail_profiles/gzip.profile | 12 ++ firejail_profiles/hedgewars.profile | 22 +++ firejail_profiles/hexchat.profile | 28 +++ firejail_profiles/icecat.profile | 51 +++++ firejail_profiles/icedove.profile | 18 ++ firejail_profiles/iceweasel.profile | 2 + firejail_profiles/inkscape.profile | 18 ++ firejail_profiles/inox.profile | 24 +++ firejail_profiles/jitsi.profile | 17 ++ firejail_profiles/keepass.profile | 22 +++ firejail_profiles/keepassx.profile | 23 +++ firejail_profiles/kmail.profile | 19 ++ firejail_profiles/konversation.profile | 15 ++ firejail_profiles/less.profile | 9 + firejail_profiles/libreoffice.profile | 19 ++ firejail_profiles/localc.profile | 5 + firejail_profiles/lodraw.profile | 5 + firejail_profiles/loffice.profile | 5 + firejail_profiles/lofromtemplate.profile | 5 + firejail_profiles/login.users | 14 ++ firejail_profiles/loimpress.profile | 5 + 
firejail_profiles/lomath.profile | 5 + firejail_profiles/loweb.profile | 5 + firejail_profiles/lowriter.profile | 5 + firejail_profiles/luminance-hdr.profile | 21 +++ firejail_profiles/lxterminal.profile | 11 ++ firejail_profiles/mathematica.profile | 2 + firejail_profiles/mcabber.profile | 21 +++ firejail_profiles/midori.profile | 13 ++ firejail_profiles/mpv.profile | 18 ++ firejail_profiles/mupdf.profile | 29 +++ firejail_profiles/mupen64plus.profile | 20 ++ firejail_profiles/mutt.profile | 40 ++++ firejail_profiles/netsurf.profile | 30 +++ firejail_profiles/nolocal.net | 26 +++ firejail_profiles/okular.profile | 24 +++ firejail_profiles/openbox.profile | 11 ++ firejail_profiles/openshot.profile | 13 ++ firejail_profiles/opera-beta.profile | 25 +++ firejail_profiles/opera.profile | 28 +++ firejail_profiles/palemoon.profile | 57 ++++++ firejail_profiles/parole.profile | 16 ++ firejail_profiles/pidgin.profile | 21 +++ firejail_profiles/pix.profile | 23 +++ firejail_profiles/polari.profile | 25 +++ firejail_profiles/psi-plus.profile | 23 +++ firejail_profiles/qbittorrent.profile | 20 ++ firejail_profiles/qpdfview.profile | 22 +++ firejail_profiles/qtox.profile | 23 +++ firejail_profiles/quassel.profile | 11 ++ firejail_profiles/quiterss.profile | 29 +++ firejail_profiles/qutebrowser.profile | 22 +++ firejail_profiles/ranger.profile | 24 +++ firejail_profiles/rhythmbox.profile | 19 ++ firejail_profiles/rtorrent.profile | 19 ++ firejail_profiles/seamonkey-bin.profile | 3 + firejail_profiles/seamonkey.profile | 48 +++++ firejail_profiles/server.profile | 16 ++ firejail_profiles/skype.profile | 12 ++ firejail_profiles/skypeforlinux.profile | 11 ++ firejail_profiles/slack.profile | 30 +++ firejail_profiles/snap.profile | 14 ++ firejail_profiles/soffice.profile | 5 + firejail_profiles/spotify.profile | 31 +++ firejail_profiles/ssh.profile | 16 ++ firejail_profiles/steam.profile | 14 ++ firejail_profiles/stellarium.profile | 28 +++ firejail_profiles/strings.profile | 10 + 
firejail_profiles/synfigstudio.profile | 17 ++ firejail_profiles/tar.profile | 18 ++ firejail_profiles/telegram.profile | 13 ++ firejail_profiles/thunderbird.profile | 18 ++ firejail_profiles/totem.profile | 15 ++ firejail_profiles/transmission-gtk.profile | 23 +++ firejail_profiles/transmission-qt.profile | 22 +++ firejail_profiles/uget-gtk.profile | 25 +++ firejail_profiles/unbound.profile | 13 ++ firejail_profiles/unrar.profile | 17 ++ firejail_profiles/unzip.profile | 16 ++ firejail_profiles/uudeview.profile | 15 ++ firejail_profiles/vim.profile | 17 ++ firejail_profiles/virtualbox.profile | 12 ++ firejail_profiles/vivaldi-beta.profile | 2 + firejail_profiles/vivaldi.profile | 23 +++ firejail_profiles/vlc.profile | 20 ++ firejail_profiles/warzone2100.profile | 26 +++ firejail_profiles/webserver.net | 30 +++ firejail_profiles/weechat-curses.profile | 2 + firejail_profiles/weechat.profile | 15 ++ firejail_profiles/wesnoth.profile | 27 +++ firejail_profiles/whitelist-common.inc | 40 ++++ firejail_profiles/wine.profile | 14 ++ firejail_profiles/xchat.profile | 14 ++ firejail_profiles/xpdf.profile | 21 +++ firejail_profiles/xplayer.profile | 22 +++ firejail_profiles/xreader.profile | 23 +++ firejail_profiles/xviewer.profile | 20 ++ firejail_profiles/xz.profile | 3 + firejail_profiles/xzdec.profile | 12 ++ firejail_profiles/zathura.profile | 20 ++ linux_hardening.txt | 2 +- 169 files changed, 3628 insertions(+), 1 deletion(-) create mode 100644 firejail_profiles/0ad.profile create mode 100644 firejail_profiles/7z.profile create mode 100644 firejail_profiles/Cyberfox.profile create mode 100644 firejail_profiles/Mathematica.profile create mode 100644 firejail_profiles/Telegram.profile create mode 100644 firejail_profiles/abrowser.profile create mode 100644 firejail_profiles/atom-beta.profile create mode 100644 firejail_profiles/atom.profile create mode 100644 firejail_profiles/atril.profile create mode 100644 firejail_profiles/audacious.profile create mode 100644 
firejail_profiles/audacity.profile create mode 100644 firejail_profiles/aweather.profile create mode 100644 firejail_profiles/bitlbee.profile create mode 100644 firejail_profiles/brave.profile create mode 100644 firejail_profiles/cherrytree.profile create mode 100644 firejail_profiles/chromium-browser.profile create mode 100644 firejail_profiles/chromium.profile create mode 100644 firejail_profiles/claws-mail.profile create mode 100644 firejail_profiles/clementine.profile create mode 100644 firejail_profiles/cmus.profile create mode 100644 firejail_profiles/conkeror.profile create mode 100644 firejail_profiles/corebird.profile create mode 100644 firejail_profiles/cpio.profile create mode 100644 firejail_profiles/cyberfox.profile create mode 100644 firejail_profiles/deadbeef.profile create mode 100644 firejail_profiles/default.profile create mode 100644 firejail_profiles/deluge.profile create mode 100644 firejail_profiles/dillo.profile create mode 100644 firejail_profiles/disable-common.inc create mode 100644 firejail_profiles/disable-devel.inc create mode 100644 firejail_profiles/disable-passwdmgr.inc create mode 100644 firejail_profiles/disable-programs.inc create mode 100644 firejail_profiles/dnscrypt-proxy.profile create mode 100644 firejail_profiles/dnsmasq.profile create mode 100644 firejail_profiles/dosbox.profile create mode 100644 firejail_profiles/dropbox.profile create mode 100644 firejail_profiles/emacs.profile create mode 100644 firejail_profiles/empathy.profile create mode 100644 firejail_profiles/eog.profile create mode 100644 firejail_profiles/eom.profile create mode 100644 firejail_profiles/epiphany.profile create mode 100644 firejail_profiles/evince.profile create mode 100644 firejail_profiles/evolution.profile create mode 100644 firejail_profiles/fbreader.profile create mode 100644 firejail_profiles/feh.profile create mode 100644 firejail_profiles/file.profile create mode 100644 firejail_profiles/filezilla.profile create mode 100644 
firejail_profiles/firefox-esr.profile create mode 100644 firejail_profiles/firefox.profile create mode 100644 firejail_profiles/firejail.config create mode 100644 firejail_profiles/flashpeak-slimjet.profile create mode 100644 firejail_profiles/flowblade.profile create mode 100644 firejail_profiles/franz.profile create mode 100644 firejail_profiles/gajim.profile create mode 100644 firejail_profiles/gimp.profile create mode 100644 firejail_profiles/git.profile create mode 100644 firejail_profiles/gitter.profile create mode 100644 firejail_profiles/gnome-chess.profile create mode 100644 firejail_profiles/gnome-mplayer.profile create mode 100644 firejail_profiles/google-chrome-beta.profile create mode 100644 firejail_profiles/google-chrome-stable.profile create mode 100644 firejail_profiles/google-chrome-unstable.profile create mode 100644 firejail_profiles/google-chrome.profile create mode 100644 firejail_profiles/google-play-music-desktop-player.profile create mode 100644 firejail_profiles/gpredict.profile create mode 100644 firejail_profiles/gtar.profile create mode 100644 firejail_profiles/gthumb.profile create mode 100644 firejail_profiles/gwenview.profile create mode 100644 firejail_profiles/gzip.profile create mode 100644 firejail_profiles/hedgewars.profile create mode 100644 firejail_profiles/hexchat.profile create mode 100644 firejail_profiles/icecat.profile create mode 100644 firejail_profiles/icedove.profile create mode 100644 firejail_profiles/iceweasel.profile create mode 100644 firejail_profiles/inkscape.profile create mode 100644 firejail_profiles/inox.profile create mode 100644 firejail_profiles/jitsi.profile create mode 100644 firejail_profiles/keepass.profile create mode 100644 firejail_profiles/keepassx.profile create mode 100644 firejail_profiles/kmail.profile create mode 100644 firejail_profiles/konversation.profile create mode 100644 firejail_profiles/less.profile create mode 100644 firejail_profiles/libreoffice.profile create mode 100644 
firejail_profiles/localc.profile create mode 100644 firejail_profiles/lodraw.profile create mode 100644 firejail_profiles/loffice.profile create mode 100644 firejail_profiles/lofromtemplate.profile create mode 100644 firejail_profiles/login.users create mode 100644 firejail_profiles/loimpress.profile create mode 100644 firejail_profiles/lomath.profile create mode 100644 firejail_profiles/loweb.profile create mode 100644 firejail_profiles/lowriter.profile create mode 100644 firejail_profiles/luminance-hdr.profile create mode 100644 firejail_profiles/lxterminal.profile create mode 100644 firejail_profiles/mathematica.profile create mode 100644 firejail_profiles/mcabber.profile create mode 100644 firejail_profiles/midori.profile create mode 100644 firejail_profiles/mpv.profile create mode 100644 firejail_profiles/mupdf.profile create mode 100644 firejail_profiles/mupen64plus.profile create mode 100644 firejail_profiles/mutt.profile create mode 100644 firejail_profiles/netsurf.profile create mode 100644 firejail_profiles/nolocal.net create mode 100644 firejail_profiles/okular.profile create mode 100644 firejail_profiles/openbox.profile create mode 100644 firejail_profiles/openshot.profile create mode 100644 firejail_profiles/opera-beta.profile create mode 100644 firejail_profiles/opera.profile create mode 100644 firejail_profiles/palemoon.profile create mode 100644 firejail_profiles/parole.profile create mode 100644 firejail_profiles/pidgin.profile create mode 100644 firejail_profiles/pix.profile create mode 100644 firejail_profiles/polari.profile create mode 100644 firejail_profiles/psi-plus.profile create mode 100644 firejail_profiles/qbittorrent.profile create mode 100644 firejail_profiles/qpdfview.profile create mode 100644 firejail_profiles/qtox.profile create mode 100644 firejail_profiles/quassel.profile create mode 100644 firejail_profiles/quiterss.profile create mode 100644 firejail_profiles/qutebrowser.profile create mode 100644 
firejail_profiles/ranger.profile create mode 100644 firejail_profiles/rhythmbox.profile create mode 100644 firejail_profiles/rtorrent.profile create mode 100644 firejail_profiles/seamonkey-bin.profile create mode 100644 firejail_profiles/seamonkey.profile create mode 100644 firejail_profiles/server.profile create mode 100644 firejail_profiles/skype.profile create mode 100644 firejail_profiles/skypeforlinux.profile create mode 100644 firejail_profiles/slack.profile create mode 100644 firejail_profiles/snap.profile create mode 100644 firejail_profiles/soffice.profile create mode 100644 firejail_profiles/spotify.profile create mode 100644 firejail_profiles/ssh.profile create mode 100644 firejail_profiles/steam.profile create mode 100644 firejail_profiles/stellarium.profile create mode 100644 firejail_profiles/strings.profile create mode 100644 firejail_profiles/synfigstudio.profile create mode 100644 firejail_profiles/tar.profile create mode 100644 firejail_profiles/telegram.profile create mode 100644 firejail_profiles/thunderbird.profile create mode 100644 firejail_profiles/totem.profile create mode 100644 firejail_profiles/transmission-gtk.profile create mode 100644 firejail_profiles/transmission-qt.profile create mode 100644 firejail_profiles/uget-gtk.profile create mode 100644 firejail_profiles/unbound.profile create mode 100644 firejail_profiles/unrar.profile create mode 100644 firejail_profiles/unzip.profile create mode 100644 firejail_profiles/uudeview.profile create mode 100644 firejail_profiles/vim.profile create mode 100644 firejail_profiles/virtualbox.profile create mode 100644 firejail_profiles/vivaldi-beta.profile create mode 100644 firejail_profiles/vivaldi.profile create mode 100644 firejail_profiles/vlc.profile create mode 100644 firejail_profiles/warzone2100.profile create mode 100644 firejail_profiles/webserver.net create mode 100644 firejail_profiles/weechat-curses.profile create mode 100644 firejail_profiles/weechat.profile create mode 100644 
firejail_profiles/wesnoth.profile create mode 100644 firejail_profiles/whitelist-common.inc create mode 100644 firejail_profiles/wine.profile create mode 100644 firejail_profiles/xchat.profile create mode 100644 firejail_profiles/xpdf.profile create mode 100644 firejail_profiles/xplayer.profile create mode 100644 firejail_profiles/xreader.profile create mode 100644 firejail_profiles/xviewer.profile create mode 100644 firejail_profiles/xz.profile create mode 100644 firejail_profiles/xzdec.profile create mode 100644 firejail_profiles/zathura.profile
diff --git a/firejail_profiles/0ad.profile b/firejail_profiles/0ad.profile
new file mode 100644
index 0000000..1e7c068
--- /dev/null
+++ b/firejail_profiles/0ad.profile
@@ -0,0 +1,31 @@
+# Firejail profile for 0ad.
+noblacklist ~/.cache/0ad
+noblacklist ~/.config/0ad
+noblacklist ~/.local/share/0ad
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelists
+mkdir ~/.cache/0ad
+whitelist ~/.cache/0ad
+
+mkdir ~/.config/0ad
+whitelist ~/.config/0ad
+
+mkdir ~/.local/share/0ad
+whitelist ~/.local/share/0ad
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-dev
+private-tmp
diff --git a/firejail_profiles/7z.profile b/firejail_profiles/7z.profile
new file mode 100644
index 0000000..0cb72ff
--- /dev/null
+++ b/firejail_profiles/7z.profile
@@ -0,0 +1,9 @@
+# 7zip crompression tool profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound
diff --git a/firejail_profiles/Cyberfox.profile b/firejail_profiles/Cyberfox.profile
new file mode 100644
index 0000000..1f74606
--- /dev/null
+++ b/firejail_profiles/Cyberfox.profile
@@ -0,0 +1,3 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+include /etc/firejail/cyberfox.profile
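Review bot: `ignore noroot` in 7z.profile removes the user-namespace layer that the included default.profile would otherwise provide, and 7z is a parser for attacker-supplied archives — exactly where that layer earns its keep. If noroot was dropped to work around a concrete breakage, record it in a comment above the line, e.g. `# noroot disabled: breaks on <distro/kernel> because ...`; otherwise delete the `ignore noroot` line and let default.profile's `noroot` apply. The header comment also has a typo: `# 7zip compression tool profile`.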
diff --git a/firejail_profiles/Mathematica.profile b/firejail_profiles/Mathematica.profile
new file mode 100644
index 0000000..e719f07
--- /dev/null
+++ b/firejail_profiles/Mathematica.profile
@@ -0,0 +1,20 @@
+# Mathematica profile
+noblacklist ${HOME}/.Mathematica
+noblacklist ${HOME}/.Wolfram Research
+
+mkdir ~/.Mathematica
+whitelist ~/.Mathematica
+mkdir ~/.Wolfram Research
+whitelist ~/.Wolfram Research
+whitelist ~/Documents/Wolfram Mathematica
+include /etc/firejail/whitelist-common.inc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+seccomp
diff --git a/firejail_profiles/Telegram.profile b/firejail_profiles/Telegram.profile
new file mode 100644
index 0000000..2e0f978
--- /dev/null
+++ b/firejail_profiles/Telegram.profile
@@ -0,0 +1,2 @@
+# Telegram IRC profile
+include /etc/firejail/telegram.profile
diff --git a/firejail_profiles/abrowser.profile b/firejail_profiles/abrowser.profile
new file mode 100644
index 0000000..4aa18aa
--- /dev/null
+++ b/firejail_profiles/abrowser.profile
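Review bot: Mathematica.profile ends with only `caps.drop all`, `nonewprivs`, `noroot` and `seccomp`; there is no `protocol` restriction, no `netfilter`, no `shell none` and no `private-dev`/`private-tmp`, although the kernel evaluates arbitrary notebook code and talks to the network, and every comparable desktop profile in this patch (0ad, atom, atril) sets those. I would add the lines below; if the kernel needs a device node (GPU, license dongle), drop `private-dev` and say why in a comment. Separately, `whitelist ~/Documents/Wolfram Mathematica` has no matching `mkdir`, so on a fresh account it is presumably skipped where the `mkdir`-paired entries above it are not.
```conf
# … unchanged: noblacklist, whitelist and include lines …
# … unchanged: caps.drop all, nonewprivs, noroot …
netfilter
protocol unix,inet,inet6
seccomp
shell none
private-dev
private-tmp
```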
@@ -0,0 +1,50 @@
+# Firejail profile for Abrowser
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/abrowser
+whitelist ~/.cache/mozilla/abrowser
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/firejail_profiles/atom-beta.profile b/firejail_profiles/atom-beta.profile
new file mode 100644
index 0000000..9a8d938
--- /dev/null
+++ b/firejail_profiles/atom-beta.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom Beta.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
diff --git a/firejail_profiles/atom.profile b/firejail_profiles/atom.profile
new file mode 100644
index 0000000..3cb8684
--- /dev/null
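Review bot: abrowser.profile whitelists the password vault into the browser sandbox — `~/keepassx.kdbx`, `~/.keepassx`, `~/.config/keepassx` and the two LastPass directories, all read-write — and, unlike 0ad and atom in this patch, does not include `disable-passwdmgr.inc`, so a compromised browser process can read or overwrite the database. If KeePassX browser integration is not used on this host, drop those five `whitelist` lines and add `include /etc/firejail/disable-passwdmgr.inc` next to the other includes; if it is, at least pin the file with `read-only ~/keepassx.kdbx`. The same block recurs verbatim in cyberfox.profile and chromium.profile in this patch and should get the same treatment.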
+++ b/firejail_profiles/atom.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Atom.
+noblacklist ~/.atom
+noblacklist ~/.config/Atom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-dev
+private-tmp
diff --git a/firejail_profiles/atril.profile b/firejail_profiles/atril.profile
new file mode 100644
index 0000000..d9e10b0
--- /dev/null
+++ b/firejail_profiles/atril.profile
@@ -0,0 +1,21 @@
+# Atril profile
+noblacklist ~/.config/atril
+noblacklist ~/.local/share
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin atril, atril-previewer, atril-thumbnailer
+private-dev
+private-tmp
diff --git a/firejail_profiles/audacious.profile b/firejail_profiles/audacious.profile
new file mode 100644
index 0000000..e527521
--- /dev/null
+++ b/firejail_profiles/audacious.profile
@@ -0,0 +1,11 @@
+# Audacious media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/audacity.profile b/firejail_profiles/audacity.profile
new file mode 100644
index 0000000..be3fac9
--- /dev/null
+++ b/firejail_profiles/audacity.profile
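Review bot: `noblacklist ~/.local/share` in atril.profile is far broader than the single-application directories every other `noblacklist` in this patch names: disable-common.inc in this same patch blacklists `~/.local/share/systemd` (user units are an autostart vector), and this entry may cancel that and any `~/.local/share/<app>` rule from disable-programs.inc, for a viewer whose job is opening untrusted PDFs. Narrow it to the subdirectory atril actually needs, e.g. `noblacklist ~/.local/share/atril` or whatever path it writes to, or add a comment explaining why the whole tree is required so the scope can be checked.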
@@ -0,0 +1,21 @@
+# Audacity profile
+noblacklist ~/.audacity-data
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin audacity
+private-dev
+private-tmp
diff --git a/firejail_profiles/aweather.profile b/firejail_profiles/aweather.profile
new file mode 100644
index 0000000..4e5c36f
--- /dev/null
+++ b/firejail_profiles/aweather.profile
@@ -0,0 +1,25 @@
+# Firejail profile for aweather.
+noblacklist ~/.config/aweather
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config/aweather
+whitelist ~/.config/aweather
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin aweather
+private-dev
+private-tmp
diff --git a/firejail_profiles/bitlbee.profile b/firejail_profiles/bitlbee.profile
new file mode 100644
index 0000000..87d2e84
--- /dev/null
+++ b/firejail_profiles/bitlbee.profile
@@ -0,0 +1,14 @@
+# BitlBee instant messaging profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+netfilter
+nonewprivs
+private
+private-dev
+protocol unix,inet,inet6
+seccomp
+nosound
+read-write /var/lib/bitlbee
diff --git a/firejail_profiles/brave.profile b/firejail_profiles/brave.profile
new file mode 100644
index 0000000..4fc3a5b
--- /dev/null
+++ b/firejail_profiles/brave.profile
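Review bot: bitlbee.profile is the only network-facing profile in this chunk without `caps.drop all`, and it has no `noroot` either, so the IRC-listening daemon keeps the full capability set inside the jail. If bitlbee is started as root and switches to its own user, that needs only `caps.keep setuid,setgid` (plus `net_bind_service` only if it listens below 1024, which its usual 6667 is not); if it is started unprivileged, `caps.drop all` as in the other profiles. Either way, a comment stating which case applies would keep the omission from reading as an oversight.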
@@ -0,0 +1,18 @@
+# Profile for Brave browser
+
+noblacklist ~/.config/brave
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+
+mkdir ~/.config/brave
+whitelist ~/.config/brave
diff --git a/firejail_profiles/cherrytree.profile b/firejail_profiles/cherrytree.profile
new file mode 100644
index 0000000..ec6d0d6
--- /dev/null
+++ b/firejail_profiles/cherrytree.profile
@@ -0,0 +1,19 @@
+# cherrytree note taking application
+noblacklist /usr/bin/python2*
+noblacklist /usr/lib/python3*
+noblacklist ${HOME}/.config/cherrytree
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+seccomp
+protocol unix,inet,inet6,netlink
+tracelog
+
+
diff --git a/firejail_profiles/chromium-browser.profile b/firejail_profiles/chromium-browser.profile
new file mode 100644
index 0000000..d989b73
--- /dev/null
+++ b/firejail_profiles/chromium-browser.profile
@@ -0,0 +1,2 @@
+# Chromium browser profile
+include /etc/firejail/chromium.profile
diff --git a/firejail_profiles/chromium.profile b/firejail_profiles/chromium.profile
new file mode 100644
index 0000000..4109af9
--- /dev/null
+++ b/firejail_profiles/chromium.profile
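Review bot: cherrytree.profile un-blacklists `/usr/bin/python2*` but `/usr/lib/python3*`, so the interpreter and the library tree it may reach belong to different Python majors — whichever one cherrytree really uses, half of it presumably stays blocked by the disable-devel.inc included four lines later, while the other noblacklist reopens a tree the program never needs. Make both lines name the same version (for the GTK2/python2 build: `noblacklist /usr/bin/python2*` and `noblacklist /usr/lib/python2*`) and add a one-line comment saying which build is targeted. The profile also has no `shell none`, `private-dev` or `private-tmp`, which the editor profiles (atom, atom-beta) in this patch carry.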
@@ -0,0 +1,31 @@
+# Chromium browser profile
+noblacklist ~/.config/chromium
+noblacklist ~/.cache/chromium
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/chromium
+whitelist ~/.config/chromium
+mkdir ~/.cache/chromium
+whitelist ~/.cache/chromium
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# specific to Arch
+whitelist ~/.config/chromium-flags.conf
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/claws-mail.profile b/firejail_profiles/claws-mail.profile
new file mode 100644
index 0000000..1b6d2f6
--- /dev/null
+++ b/firejail_profiles/claws-mail.profile
@@ -0,0 +1,24 @@
+# claws-mail profile
+
+noblacklist ~/.claws-mail
+noblacklist ~/.signature
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
+
diff --git a/firejail_profiles/clementine.profile b/firejail_profiles/clementine.profile
new file mode 100644
index 0000000..5ce0853
--- /dev/null
+++ b/firejail_profiles/clementine.profile
@@ -0,0 +1,11 @@
+# Clementine media player profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/cmus.profile b/firejail_profiles/cmus.profile
new file mode 100644
index 0000000..2e2a694
--- /dev/null
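Review bot: chromium.profile has none of `caps.drop all`, `nonewprivs`, `noroot`, `protocol` or `seccomp`, while every other browser profile in this patch (abrowser, brave, cyberfox, dillo) sets all five, so what Chromium gets here is a filesystem whitelist plus `netfilter`. If the lines were left out because Chromium's own setuid/namespace sandbox breaks under them, say so in a comment where they would go — the profile already documents the disable-devel.inc omission that way — otherwise add them and verify Chromium still starts with its internal sandbox on. The password-manager whitelists (`~/keepassx.kdbx`, `~/.lastpass`, …) also expose the vault read-write to the browser, as in abrowser.profile; consider `read-only ~/keepassx.kdbx` or dropping them if the integration is unused.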
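Review bot: `noblacklist ~/.gnupg` in claws-mail.profile hands the entire GnuPG home, private keys included, to a client that parses untrusted mail. If the PGP plugin is in use that is the cost of in-process signing, and it deserves a comment such as `# PGP plugin: exposes the whole GnuPG home, private keys included`; if it is not, drop the line. With a gpg-agent setup only the agent socket is needed rather than the key files, which would be the tighter alternative to evaluate.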
+++ b/firejail_profiles/cmus.profile
@@ -0,0 +1,18 @@
+# cmus profile
+noblacklist ${HOME}/.config/cmus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-bin cmus
+private-etc group
+shell none
diff --git a/firejail_profiles/conkeror.profile b/firejail_profiles/conkeror.profile
new file mode 100644
index 0000000..e82eeec
--- /dev/null
+++ b/firejail_profiles/conkeror.profile
@@ -0,0 +1,24 @@
+# Firejail profile for Conkeror web browser profile
+noblacklist ${HOME}/.conkeror.mozdev.org
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+whitelist ~/.conkeror.mozdev.org
+whitelist ~/Downloads
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.lastpass
+whitelist ~/.gtkrc-2.0
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.conkerorrc
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/corebird.profile b/firejail_profiles/corebird.profile
new file mode 100644
index 0000000..077ae30
--- /dev/null
+++ b/firejail_profiles/corebird.profile
@@ -0,0 +1,12 @@
+# Firejail corebird profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/cpio.profile b/firejail_profiles/cpio.profile
new file mode 100644
index 0000000..519bd24
--- /dev/null
+++ b/firejail_profiles/cpio.profile
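Review bot: conkeror.profile whitelists the literal `~/Downloads` where the sibling browser profiles use `${DOWNLOADS}`, so on a system with a relocated XDG download directory the sandboxed browser cannot save into the directory the user expects; change it to `whitelist ${DOWNLOADS}`. It also whitelists `~/.lastpass` read-write into the browser and omits `tracelog` and `disable-devel.inc`, which the other browser profiles in this patch carry — worth aligning or explaining in a comment.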
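Review bot: corebird.profile sets `caps.drop all`, `noroot` and `seccomp` but not `nonewprivs`, which every other profile in this patch that has those three also sets. As far as I recall firejail's seccomp path enables no_new_privs as a side effect, but the explicit line is what keeps setuid binaries inert if seccomp is disabled on a host (via firejail.config or a kernel without seccomp support); add `nonewprivs` after `netfilter`.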
@@ -0,0 +1,21 @@
+# cpio profile
+# /sbin and /usr/sbin are visible inside the sandbox
+# /boot is not visible and /var is heavily modified
+quiet
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private-dev
+seccomp
+caps.drop all
+net none
+shell none
+tracelog
+net none
+nosound
+
+
+
diff --git a/firejail_profiles/cyberfox.profile b/firejail_profiles/cyberfox.profile
new file mode 100644
index 0000000..ae487fa
--- /dev/null
+++ b/firejail_profiles/cyberfox.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
+noblacklist ~/.8pecxstudios
+noblacklist ~/.cache/8pecxstudios
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.8pecxstudios
+whitelist ~/.8pecxstudios
+mkdir ~/.cache/8pecxstudios
+whitelist ~/.cache/8pecxstudios
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
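Review bot: cpio.profile lists `net none` twice (once before `shell none`, once after `tracelog`); drop one. The profile also omits `nonewprivs` and `noroot` while applying `seccomp` and `caps.drop all` to a tool that unpacks untrusted archives — if that is because cpio is routinely run as root (initramfs work, as the header comment about /sbin hints), a comment saying so would help, since the same omission in 7z.profile is at least spelled out with `ignore noroot` rather than left implicit.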
diff --git a/firejail_profiles/deadbeef.profile b/firejail_profiles/deadbeef.profile
new file mode 100644
index 0000000..04abd0a
--- /dev/null
+++ b/firejail_profiles/deadbeef.profile
@@ -0,0 +1,13 @@
+# DeaDBeeF media player profile
+noblacklist ${HOME}/.config/deadbeef
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/default.profile b/firejail_profiles/default.profile
new file mode 100644
index 0000000..a2de726
--- /dev/null
+++ b/firejail_profiles/default.profile
@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/deluge.profile b/firejail_profiles/deluge.profile
new file mode 100644
index 0000000..c6ddec3
--- /dev/null
+++ b/firejail_profiles/deluge.profile
@@ -0,0 +1,20 @@
+# deluge bittorrernt client profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+# deluge is using python on Debian
+#include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+#private-bin deluge,sh,python,uname
+private-dev
+private-tmp
+
diff --git a/firejail_profiles/dillo.profile b/firejail_profiles/dillo.profile
new file mode 100644
index 0000000..2ddd363
--- /dev/null
+++ b/firejail_profiles/dillo.profile
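Review bot: default.profile is the fallback applied to every program without its own profile, and it carries a dead `#blacklist ${HOME}/.wine` line with no explanation; either enable it, remove it, or comment why it stays off, so the next reader does not have to guess whether Wine prefixes are meant to be reachable from arbitrary sandboxed programs. The profile also has no `nogroups` or `shell none`, which the hardened application profiles in this patch carry — if they were kept out to avoid breaking unknown programs, a one-line comment to that effect would be worth adding.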
@@ -0,0 +1,23 @@
+# Firejail profile for Dillo web browser
+
+noblacklist ~/.dillo
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.dillo
+whitelist ~/.dillo
+mkdir ~/.fltk
+whitelist ~/.fltk
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/disable-common.inc b/firejail_profiles/disable-common.inc
new file mode 100644
index 0000000..ebe98b6
--- /dev/null
+++ b/firejail_profiles/disable-common.inc
@@ -0,0 +1,177 @@
+# Local customizations come here
+include /etc/firejail/disable-common.local
+
+# History files in $HOME
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.*_history
+blacklist ${HOME}/.local/share/systemd
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.macromedia
+read-only ${HOME}/.local/share/applications
+
+# X11 session autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.config/autostart
+blacklist /etc/xdg/autostart
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.config/plasma-workspace/shutdown
+blacklist ${HOME}/.config/plasma-workspace/env
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.fluxbox/startup
+blacklist ${HOME}/.config/openbox/autostart
+blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+
+# VirtualBox
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/VirtualBox VMs
+blacklist ${HOME}/.config/VirtualBox
+
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
+# var
+blacklist /var/spool/cron
+blacklist /var/spool/anacron
+blacklist /var/run/acpid.socket
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/run/docker.sock
+
+# etc
+blacklist /etc/cron.*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
+blacklist /etc/anacrontab
+
+# General startup files
+read-only ${HOME}/.xinitrc
+read-only ${HOME}/.xserverrc
+read-only ${HOME}/.profile
+
+# Shell startup files
+read-only ${HOME}/.antigen
+read-only ${HOME}/.bash_login
+read-only ${HOME}/.bashrc
+read-only ${HOME}/.bash_profile
+read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
+read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
+read-only ${HOME}/.zlogin
+read-only ${HOME}/.zprofile
+read-only ${HOME}/.zlogout
+read-only ${HOME}/.zsh_files
+read-only ${HOME}/.tcshrc
+read-only ${HOME}/.cshrc
+read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
+
+# Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
+read-only ${HOME}/.mailcap
+read-only ${HOME}/.exrc
+read-only ${HOME}/_exrc
+read-only ${HOME}/.vimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/_gvimrc
+read-only ${HOME}/.vim
+read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
+read-only ${HOME}/.tmux.conf
+read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
+
+# The user ~/bin directory can override commands such as ls
+read-only ${HOME}/bin
+
+# top secret
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.key
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
+blacklist /etc/shadow
+blacklist /etc/gshadow
+blacklist /etc/passwd-
+blacklist /etc/group-
+blacklist /etc/shadow-
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/group+
+blacklist /etc/shadow+
+blacklist /etc/gshadow+
+blacklist /etc/ssh
+blacklist /var/backup
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+
+# disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
diff --git a/firejail_profiles/disable-devel.inc b/firejail_profiles/disable-devel.inc
new file mode 100644
index 0000000..07fc392
--- /dev/null
+++ b/firejail_profiles/disable-devel.inc
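Review bot: The `# top secret` block blacklists `${HOME}/.gnome2/keyrings` but not `${HOME}/.local/share/keyrings`, which is where current GNOME Keyring keeps its keyring files, so the most likely location of saved passwords stays readable from every sandbox that includes this file; `blacklist ${HOME}/.local/share/keyrings` belongs next to the gnome2 entry. In the same spirit the autostart section covers the desktop autostart paths and `~/.local/share/systemd` but not `${HOME}/.config/systemd` (user units are an autostart mechanism too), and `${HOME}/.local/bin` is not made read-only although `${HOME}/bin` is, for the stated reason that it can shadow commands. `read-only ${HOME}/.profile` appears twice (under `# General startup files` and again at the end of `# Shell startup files`); the second is harmless but should go. Credential stores such as `${HOME}/.aws`, `${HOME}/.kube` and `${HOME}/.docker` are not covered either — whether they are in scope is a project decision, but `/var/run/docker.sock` is already listed, so the intent seems to be there.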
@@ -0,0 +1,66 @@
+# Local customizations come here
+include /etc/firejail/disable-devel.local
+
+# development tools
+
+# GCC
+blacklist /usr/include
+#blacklist /usr/lib/gcc - seems to create problems on Gentoo
+blacklist /usr/bin/gcc*
+blacklist /usr/bin/cpp*
+blacklist /usr/bin/c9*
+blacklist /usr/bin/c8*
+blacklist /usr/bin/c++*
+blacklist /usr/bin/as
+blacklist /usr/bin/ld
+blacklist /usr/bin/gdb
+blacklist /usr/bin/g++*
+blacklist /usr/bin/x86_64-linux-gnu-g++*
+blacklist /usr/bin/x86_64-linux-gnu-gcc*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
+
+# clang/llvm
+blacklist /usr/bin/clang*
+blacklist /usr/bin/llvm*
+blacklist /usr/bin/lldb*
+blacklist /usr/lib/llvm*
+
+# tcc - Tiny C Compiler
+blacklist /usr/bin/tcc
+blacklist /usr/bin/x86_64-tcc
+blacklist /usr/lib/tcc
+
+# Valgrind
+blacklist /usr/bin/valgrind*
+blacklist /usr/lib/valgrind
+
+# Perl
+blacklist /usr/bin/perl
+blacklist /usr/bin/cpan*
+blacklist /usr/share/perl*
+blacklist /usr/lib/perl*
+
+# PHP
+blacklist /usr/bin/php*
+blacklist /usr/share/php*
+blacklist /usr/lib/php*
+
+# Ruby
+blacklist /usr/bin/ruby
+blacklist /usr/lib/ruby
+
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
+# Python 2
+#blacklist /usr/bin/python2*
+#blacklist /usr/lib/python2*
+#blacklist /usr/local/lib/python2*
+#blacklist /usr/include/python2*
+#blacklist /usr/share/python2*
+#
+# Python 3
+#blacklist /usr/bin/python3*
+#blacklist /usr/lib/python3*
+#blacklist /usr/local/lib/python3*
+#blacklist /usr/share/python3*
+#blacklist /usr/include/python3*
diff --git a/firejail_profiles/disable-passwdmgr.inc b/firejail_profiles/disable-passwdmgr.inc
new file mode 100644
index 0000000..dbf2603
--- /dev/null
+++ b/firejail_profiles/disable-passwdmgr.inc
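Review bot: The file blocks Perl, PHP, Ruby and the C toolchains but leaves every Python entry commented out, so a profile that includes `disable-devel.inc` to deny interpreters still has `/usr/bin/python*` available; the comment lists the programs that need python, but it should also state the consequence plainly, e.g. `# NOTE: python is intentionally not blacklisted, so this include does not remove all interpreters`. Profiles in this series that have no python dependency (eog, eom, evince, feh, file, gnome-chess) could add `blacklist /usr/bin/python*` themselves. `blacklist /usr/bin/ld` and `/usr/bin/as` cover the unprefixed names only, while the `x86_64-*-gcc*` and `*-g++*` globs do not match a prefixed `x86_64-linux-gnu-ld` or `-as` if the distribution ships them — verify on the target system and add them if present.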
@@ -0,0 +1,10 @@
+# Local customizations come here
+include /etc/firejail/disable-passwdmgr.local
+
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+
diff --git a/firejail_profiles/disable-programs.inc b/firejail_profiles/disable-programs.inc
new file mode 100644
index 0000000..d72ff97
--- /dev/null
+++ b/firejail_profiles/disable-programs.inc
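Review bot: The browser profiles in this series (cyberfox, firefox, flashpeak-slimjet, google-chrome-beta/unstable) whitelist `~/.config/lastpass` alongside `~/.lastpass` and `~/.config/keepassx`, but this include blacklists `${HOME}/.lastpass` and `${HOME}/.config/keepassx` only, so `~/.config/lastpass` is the one password-manager path that no profile in the series ever blocks. Adding `blacklist ${HOME}/.config/lastpass` keeps the include in step with what the browsers themselves treat as password-manager state. `${HOME}/.config/keepassxc` and `${HOME}/.local/share/keyrings` are not listed either; which managers are in scope is a project decision, but this file is their natural home.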
@@ -0,0 +1,167 @@
+# Local customizations come here
+include /etc/firejail/disable-programs.local
+
+# various programs
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.config/qpdfview
+blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/synfig
+blacklist ${HOME}/.synfig
+blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.config/zathura
+blacklist ${HOME}/.config/cherrytree
+blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/eog
+
+
+# Media players
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.config/evolution
+blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.cache/evolution
+
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/skypeforlinux
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.config/gajim
+
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.dosbox
+
+# Cryptocoins
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/wallet.dat
+
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
+
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+
+# share
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/qpdfview
+blacklist ${HOME}/.local/share/zathura
+
+# ssh
+blacklist /tmp/ssh-*
diff --git a/firejail_profiles/dnscrypt-proxy.profile b/firejail_profiles/dnscrypt-proxy.profile
new file mode 100644
index 0000000..926b8bf
--- /dev/null
+++ b/firejail_profiles/dnscrypt-proxy.profile
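Review bot: `blacklist ${HOME}/.local/share/steam` in the `# share` section is lowercase, but the Steam client's data directory is `~/.local/share/Steam` (capital S), so on a case-sensitive filesystem the rule matches nothing and the directory, which holds login tokens and installed games, stays visible from every sandbox; it should read `blacklist ${HOME}/.local/share/Steam` (keep the lowercase line only if some distribution really uses it). In the `# git, subversion` block `${HOME}/.git-credentials`, the plaintext store written by `credential.helper store`, is not listed while `.git-credential-cache` is; please add it. Two blank lines precede `# Media players` where the rest of the file uses one — cosmetic only.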
@@ -0,0 +1,14 @@
+# security profile for dnscrypt-proxy
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private
+private-dev
+nosound
+no3d
+seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open
+
diff --git a/firejail_profiles/dnsmasq.profile b/firejail_profiles/dnsmasq.profile
new file mode 100644
index 0000000..3bd43f1
--- /dev/null
+++ b/firejail_profiles/dnsmasq.profile
@@ -0,0 +1,17 @@
+# dnsmasq profile
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps
+netfilter
+nonewprivs
+private
+private-dev
+nosound
+no3d
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/firejail_profiles/dosbox.profile b/firejail_profiles/dosbox.profile
new file mode 100644
index 0000000..45fbb71
--- /dev/null
+++ b/firejail_profiles/dosbox.profile
@@ -0,0 +1,21 @@
+# Firejail profile for dosbox
+noblacklist ~/.dosbox
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin dosbox
+private-dev
+private-tmp
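Review bot: `perf_event_open` appears twice in the `seccomp.drop` list (after `lookup_dcookie` and again at the end), which is harmless but shows the list was assembled by hand; it looks like a copy of firejail's built-in default filter, in which case a plain `seccomp` line is shorter and tracks upstream changes (verify the two sets agree for the firejail version in use). More important, the profile sets no `caps.drop`/`caps.keep`, no `nonewprivs` and no `noroot`: if the daemon is started as root to bind port 53 it retains every capability inside the sandbox, where something like `caps.keep net_bind_service,setgid,setuid` (plus whatever its privilege-drop path needs — check its startup code) would be the least-privilege choice. `netfilter` and a `protocol` line are also absent, unlike dnsmasq.profile just below.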
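Review bot: `caps` keeps the full capability set for dnsmasq, which only needs to bind its service ports and switch to its service user; `caps.keep net_admin,net_bind_service,net_raw,setgid,setuid` is the usual minimum (net_admin/net_raw only when it serves DHCP — confirm against the configuration it will run with). With `nonewprivs` already set, the capability bounding set is the main remaining lever, so it is worth narrowing.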
diff --git a/firejail_profiles/dropbox.profile b/firejail_profiles/dropbox.profile
new file mode 100644
index 0000000..40efd62
--- /dev/null
+++ b/firejail_profiles/dropbox.profile
@@ -0,0 +1,21 @@
+# dropbox profile
+noblacklist ~/.config/autostart
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+mkdir ~/Dropbox
+whitelist ~/Dropbox
+mkdir ~/.dropbox
+whitelist ~/.dropbox
+mkdir ~/.dropbox-dist
+whitelist ~/.dropbox-dist
+
+mkfile ~/.config/autostart/dropbox.desktop
+whitelist ~/.config/autostart/dropbox.desktop
diff --git a/firejail_profiles/emacs.profile b/firejail_profiles/emacs.profile
new file mode 100644
index 0000000..cbdba77
--- /dev/null
+++ b/firejail_profiles/emacs.profile
@@ -0,0 +1,17 @@
+# emacs profile
+
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/empathy.profile b/firejail_profiles/empathy.profile
new file mode 100644
index 0000000..3711008
--- /dev/null
+++ b/firejail_profiles/empathy.profile
@@ -0,0 +1,10 @@
+# Empathy instant messaging profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/eog.profile b/firejail_profiles/eog.profile
new file mode 100644
index 0000000..32b54a0
--- /dev/null
+++ b/firejail_profiles/eog.profile
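Review bot: `caps` keeps the full capability set for a user-level sync client that needs none of it; every other desktop profile in this commit uses `caps.drop all`, and dropbox should too. The profile also re-opens a path that `disable-common.inc` blacklists on purpose: `noblacklist ~/.config/autostart` plus `mkfile`/`whitelist ~/.config/autostart/dropbox.desktop` gives the sandboxed process a writable desktop-autostart entry, i.e. a persistence vector that outlives the sandbox (a compromised client can rewrite the `Exec=` line to run anything unsandboxed at next login). If the entry only needs to be visible so the client sees autostart as enabled, `read-only ~/.config/autostart/dropbox.desktop` after the whitelist keeps that while removing the write path — verify the client does not need to rewrite the file itself. `netfilter`, `private-dev` and `private-tmp` are missing as well.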
@@ -0,0 +1,23 @@
+# eog (gnome image viewer) profile
+
+noblacklist ~/.config/eog
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix
+seccomp
+shell none
+
+private-bin eog
+private-dev
+private-etc fonts
+private-tmp
+
diff --git a/firejail_profiles/eom.profile b/firejail_profiles/eom.profile
new file mode 100644
index 0000000..dfcea82
--- /dev/null
+++ b/firejail_profiles/eom.profile
@@ -0,0 +1,21 @@
+# Firejail profile for Eye of Mate (eom)
+noblacklist ~/.config/mate/eom
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin eom
+private-dev
+private-tmp
diff --git a/firejail_profiles/epiphany.profile b/firejail_profiles/epiphany.profile
new file mode 100644
index 0000000..0e898f0
--- /dev/null
+++ b/firejail_profiles/epiphany.profile
@@ -0,0 +1,23 @@
+# Epiphany browser profile
+noblacklist ${HOME}/.config/epiphany
+noblacklist ${HOME}/.cache/epiphany
+noblacklist ${HOME}/.local/share/epiphany
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+whitelist ${DOWNLOADS}
+mkdir ${HOME}/.local/share/epiphany
+whitelist ${HOME}/.local/share/epiphany
+mkdir ${HOME}/.config/epiphany
+whitelist ${HOME}/.config/epiphany
+mkdir ${HOME}/.cache/epiphany
+whitelist ${HOME}/.cache/epiphany
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+netfilter
+nonewprivs
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/evince.profile b/firejail_profiles/evince.profile
new file mode 100644
index 0000000..894c7c7
--- /dev/null
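Review bot: Epiphany is the only browser profile in this series without `noroot`, and it also omits the `disable-passwdmgr.inc` include, `tracelog`, `private-dev` and `private-tmp` that its siblings (dillo, cyberfox, firefox) set; nothing in the file says why, so either add `noroot` next to `nonewprivs` or leave a comment stating what it breaks. The `caps.drop all`/`netfilter`/`nonewprivs` block also comes after the whitelist section, whereas every other profile here puts the hardening keywords before the whitelists — purely stylistic, but it makes the profiles harder to compare.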
+++ b/firejail_profiles/evince.profile
@@ -0,0 +1,18 @@
+# evince pdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin evince,evince-previewer,evince-thumbnailer
+private-dev
diff --git a/firejail_profiles/evolution.profile b/firejail_profiles/evolution.profile
new file mode 100644
index 0000000..cf58164
--- /dev/null
+++ b/firejail_profiles/evolution.profile
@@ -0,0 +1,25 @@
+# evolution profile
+
+noblacklist ~/.config/evolution
+noblacklist ~/.local/share/evolution
+noblacklist ~/.cache/evolution
+noblacklist ~/.pki
+noblacklist ~/.pki/nssdb
+noblacklist ~/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
+private-tmp
diff --git a/firejail_profiles/fbreader.profile b/firejail_profiles/fbreader.profile
new file mode 100644
index 0000000..de31ce8
--- /dev/null
+++ b/firejail_profiles/fbreader.profile
@@ -0,0 +1,21 @@
+# fbreader ebook reader profile
+noblacklist ${HOME}/.FBReader
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin fbreader,FBReader
+whitelist /tmp/.X11-unix
+private-dev
+nosound
diff --git a/firejail_profiles/feh.profile b/firejail_profiles/feh.profile
new file mode 100644
index 0000000..5fcb6bf
--- /dev/null
+++ b/firejail_profiles/feh.profile
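Review bot: evince opens untrusted PDFs and is therefore one of the most exposed programs in this set, yet the profile has no `net none` and no `private-tmp`, while the image viewers next to it (eog, eom) get `private-tmp` and feh gets `net none`; unless remote documents are required, `net none` removes the exfiltration path from a compromised renderer and `private-tmp` keeps it away from other programs' sockets in /tmp. If networking is kept on purpose (for evince's remote-document support, say), state that in a comment so the omission is not read as an oversight.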
@@ -0,0 +1,21 @@
+# feh image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix
+netfilter
+net none
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+
+private-bin feh
+whitelist /tmp/.X11-unix
+private-dev
+private-etc feh
diff --git a/firejail_profiles/file.profile b/firejail_profiles/file.profile
new file mode 100644
index 0000000..2e54030
--- /dev/null
+++ b/firejail_profiles/file.profile
@@ -0,0 +1,16 @@
+# file profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+
+tracelog
+net none
+shell none
+private-bin file
+private-etc magic.mgc,magic,localtime
+hostname file
+private-dev
+nosound
+no3d
+blacklist /tmp/.X11-unix
+
diff --git a/firejail_profiles/filezilla.profile b/firejail_profiles/filezilla.profile
new file mode 100644
index 0000000..551c17a
--- /dev/null
+++ b/firejail_profiles/filezilla.profile
@@ -0,0 +1,22 @@
+# FileZilla ftp profile
+noblacklist ${HOME}/.filezilla
+noblacklist ${HOME}/.config/filezilla
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+
+shell none
+private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+whitelist /tmp/.X11-unix
+private-dev
+nosound
+
diff --git a/firejail_profiles/firefox-esr.profile b/firejail_profiles/firefox-esr.profile
new file mode 100644
index 0000000..d2fde9a
--- /dev/null
+++ b/firejail_profiles/firefox-esr.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox ESR
+include /etc/firejail/firefox.profile
diff --git a/firejail_profiles/firefox.profile b/firejail_profiles/firefox.profile
new file mode 100644
index 0000000..170d0fe
--- /dev/null
+++ b/firejail_profiles/firefox.profile
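Review bot: `ignore noroot` silently disables the user-namespace hardening inherited from `default.profile` and nothing in file.profile says why; presumably `file` is often invoked from inside another sandbox or as root, where the extra namespace cannot be created, but that is a guess and the next maintainer will have the same question. Put the actual reason on the line above it, e.g. `# noroot is ignored because file is commonly run from other sandboxes / as root`. The rest of the profile is tight (`net none`, `private-bin file`, X11 socket blacklisted), which makes the unexplained exception stand out more.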
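Review bot: `private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp` deliberately copies a shell and a Python interpreter into the sandbox, which largely undoes the point of the `disable-devel.inc` include above it (that include leaves python open anyway); if `sh` and `python` are needed only for a wrapper script on one distribution, a comment naming it would let other users drop them through `filezilla.local`. `nosound` appears twice (in the hardening block and as the last line). `~/.filezilla` holds `sitemanager.xml` with saved server credentials, so this profile necessarily exposes them to the client; `private-tmp` is cheap to add and is missing.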
@@ -0,0 +1,50 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
diff --git a/firejail_profiles/firejail.config b/firejail_profiles/firejail.config
new file mode 100644
index 0000000..2ea767f
--- /dev/null
+++ b/firejail_profiles/firejail.config
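Review bot: The `# lastpass, keepassx` block hands the browser sandbox read/write access to `~/keepassx.kdbx`, `~/.keepassx` and `~/.lastpass`, the exact paths `disable-passwdmgr.inc` exists to hide, and the profile does not include that file; a browser compromise then becomes a password-database compromise. Consider shipping those five whitelists commented out with a note to enable them in `firefox.local`, and add `include /etc/firejail/disable-passwdmgr.inc` to the includes block. `whitelist ~/.pki` has no preceding `mkdir ~/.pki`, unlike the chromium-family profiles, so on a fresh home the directory may not exist when the whitelist is applied, and `private-dev`/`private-tmp` are absent for the most network-exposed program in the set.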
@@ -0,0 +1,81 @@
+# This is Firejail system-wide configuration file, see firejail-config(5) for
+# more information. The file contains keyword-argument pairs, one per line.
+# Most features are enabled by default. Use 'yes' or 'no' as configuration
+# values.
+
+# Enable or disable bind support, default enabled.
+# bind yes
+
+# Enable or disable chroot support, default enabled.
+# chroot yes
+
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
+# Enable or disable file transfer support, default enabled.
+# file-transfer yes
+
+# Force use of nonewprivs. This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control. Default disabled.
+# force-nonewprivs no
+
+# Enable or disable networking features, default enabled.
+# network yes
+
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
+# Remove /usr/local directories from private-bin list, default disabled.
+# private-bin-no-local no
+
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
+# Enable or disable restricted network support, default disabled. If enabled,
+# networking features should also be enabled (network yes).
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
+# restricted-network no
+
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of iptables-save and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
+# Enable or disable seccomp support, default enabled.
+# seccomp yes
+
+# Enable or disable user namespace support, default enabled.
+# userns yes
+
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
+# Enable or disable X11 sandboxing support, default enabled.
+# x11 yes
+
+# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+# a full list of resolutions available on your specific setup.
+# xephyr-screen 640x480
+# xephyr-screen 800x600
+# xephyr-screen 1024x768
+# xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale
diff --git a/firejail_profiles/flashpeak-slimjet.profile b/firejail_profiles/flashpeak-slimjet.profile
new file mode 100644
index 0000000..7e0eb48
--- /dev/null
+++ b/firejail_profiles/flashpeak-slimjet.profile
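Review bot: Every option in firejail.config is left at its default as a commented line, so the file as committed changes nothing; given that nearly every profile in this series already sets `nonewprivs`, `force-nonewprivs yes` is the one default worth overriding here, since the file's own comment explains that it closes the case where a user steers a setuid or file-capability binary through firejail's features. If keeping the defaults is intentional, a one-line header such as `# All values below are the upstream defaults; nothing is overridden` would make that explicit. The sentence `# format of iptables-save and iptable-restore commands` should read `iptables-restore`.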
@@ -0,0 +1,39 @@
+# SlimJet browser profile
+# This is a whitelisted profile, the internal browser sandbox
+# is disabled because it requires sudo password. The command
+# to run it is as follows:
+#
+# firejail flashpeak-slimjet --no-sandbox
+#
+noblacklist ~/.config/slimjet
+noblacklist ~/.cache/slimjet
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/slimjet
+whitelist ~/.config/slimjet
+mkdir ~/.cache/slimjet
+whitelist ~/.cache/slimjet
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/flowblade.profile b/firejail_profiles/flowblade.profile
new file mode 100644
index 0000000..e1ec291
--- /dev/null
+++ b/firejail_profiles/flowblade.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.flowblade
+noblacklist ${HOME}/.config/flowblade
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/firejail_profiles/franz.profile b/firejail_profiles/franz.profile
new file mode 100644
index 0000000..3cb7942
--- /dev/null
+++ b/firejail_profiles/franz.profile
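Review bot: The header says the internal browser sandbox is disabled because it "requires sudo password" and the documented command passes `--no-sandbox`; that flag turns off Chromium's own renderer/process isolation, so firejail becomes the only boundary between a compromised page and everything whitelisted below, including the `~/.keepassx`/`~/keepassx.kdbx`/`~/.lastpass` password-manager paths. Say that in the header, e.g. `# --no-sandbox disables Chromium's renderer sandbox; firejail is the only isolation layer`, and name what "requires sudo" refers to (presumably the setuid chrome-sandbox helper, which `nonewprivs` would block as well — verify), so that someone on a kernel with unprivileged user namespaces knows to try without the flag. The password-manager whitelists deserve the same treatment suggested for firefox.profile: commented out by default, enabled via a `.local` file.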
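Review bot: The header comment reads `# OpenShot profile` but the file is flowblade.profile and every path in it is Flowblade's (`${HOME}/.flowblade`, `${HOME}/.config/flowblade`) — a copy-paste leftover; change it to `# Firejail profile for Flowblade`. `protocol unix,inet,inet6,netlink` grants netlink to a video editor, which the other media profiles here (gimp, gnome-mplayer) do not; if it is not required, `protocol unix,inet,inet6` matches the siblings. `disable-devel.inc` is not included and no comment says why — Flowblade is presumably a Python application, which deluge.profile documents with `# deluge is using python on Debian`; the same note belongs here.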
@@ -0,0 +1,24 @@
+# Franz profile
+noblacklist ~/.config/Franz
+noblacklist ~/.cache/Franz
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
+netfilter
+#tracelog
+nonewprivs
+noroot
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/Franz
+whitelist ~/.config/Franz
+mkdir ~/.cache/Franz
+whitelist ~/.cache/Franz
+mkdir ~/.pki
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/gajim.profile b/firejail_profiles/gajim.profile
new file mode 100644
index 0000000..04902a7
--- /dev/null
+++ b/firejail_profiles/gajim.profile
@@ -0,0 +1,33 @@
+# Firejail profile for Gajim
+
+mkdir ${HOME}/.cache/gajim
+mkdir ${HOME}/.local/share/gajim
+mkdir ${HOME}/.config/gajim
+mkdir ${HOME}/Downloads
+
+# Allow the local python 2.7 site packages, in case any plugins are using these
+mkdir ${HOME}/.local/lib/python2.7/site-packages/
+whitelist ${HOME}/.local/lib/python2.7/site-packages/
+read-only ${HOME}/.local/lib/python2.7/site-packages/
+
+whitelist ${HOME}/.cache/gajim
+whitelist ${HOME}/.local/share/gajim
+whitelist ${HOME}/.config/gajim
+whitelist ${HOME}/Downloads
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+#private-bin python2.7 gajim
+private-dev
diff --git a/firejail_profiles/gimp.profile b/firejail_profiles/gimp.profile
new file mode 100644
index 0000000..23361b7
--- /dev/null
+++ b/firejail_profiles/gimp.profile
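Review bot: `mkdir ${HOME}/Downloads` and `whitelist ${HOME}/Downloads` hard-code the directory name, whereas every other profile in this series uses `whitelist ${DOWNLOADS}` so the XDG download directory is respected; with a localised or relocated downloads folder this profile creates and exposes an unrelated `~/Downloads` and cannot see the real one. Replace the two lines with `whitelist ${DOWNLOADS}` as the siblings do. Making `${HOME}/.local/lib/python2.7/site-packages/` `read-only` is the right call for plugin code, but it means plugin installation from inside the client will fail; a short comment next to it saying so would spare the next reader a debugging session.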
@@ -0,0 +1,18 @@
+# gimp
+noblacklist ${HOME}/.gimp*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
+nogroups
+nosound
diff --git a/firejail_profiles/git.profile b/firejail_profiles/git.profile
new file mode 100644
index 0000000..abd49cb
--- /dev/null
+++ b/firejail_profiles/git.profile
@@ -0,0 +1,26 @@
+# git profile
+quiet
+noblacklist ~/.gitconfig
+noblacklist ~/.ssh
+noblacklist ~/.gnupg
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.viminfo
+noblacklist ~/.vim
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
diff --git a/firejail_profiles/gitter.profile b/firejail_profiles/gitter.profile
new file mode 100644
index 0000000..f43f5f1
--- /dev/null
+++ b/firejail_profiles/gitter.profile
@@ -0,0 +1,20 @@
+# Firejail profile for Gitter
+noblacklist ~/.config/Gitter
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin gitter
+private-dev
+private-tmp
diff --git a/firejail_profiles/gnome-chess.profile b/firejail_profiles/gnome-chess.profile
new file mode 100644
index 0000000..297f7e6
--- /dev/null
+++ b/firejail_profiles/gnome-chess.profile
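Review bot: `noblacklist ~/.ssh` and `noblacklist ~/.gnupg` re-expose the two most sensitive directories in disable-common.inc's `# top secret` block to a program that executes hooks, pagers, credential helpers and aliases from its configuration; that is the price of ssh transport and commit signing, but the profile should say so, e.g. `# ~/.ssh and ~/.gnupg are needed for ssh remotes and commit signing; anything git runs (hooks, helpers) can read them`. `private-tmp` is cheap here and absent. `disable-devel.inc` is not included, presumably because hooks and `git-*` helpers are scripts — also worth a one-line comment.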
@@ -0,0 +1,22 @@
+# Firejail profile for gnome-chess
+noblacklist /.local/share/gnome-chess
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin fairymax,gnome-chess,hoichess
+private-dev
+private-etc fonts,gnome-chess
+private-tmp
diff --git a/firejail_profiles/gnome-mplayer.profile b/firejail_profiles/gnome-mplayer.profile
new file mode 100644
index 0000000..1b0fc98
--- /dev/null
+++ b/firejail_profiles/gnome-mplayer.profile
@@ -0,0 +1,17 @@
+# GNOME MPlayer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-bin gnome-mplayer
+private-dev
+private-tmp
diff --git a/firejail_profiles/google-chrome-beta.profile b/firejail_profiles/google-chrome-beta.profile
new file mode 100644
index 0000000..fe87027
--- /dev/null
+++ b/firejail_profiles/google-chrome-beta.profile
@@ -0,0 +1,27 @@
+# Google Chrome beta browser profile
+noblacklist ~/.config/google-chrome-beta
+noblacklist ~/.cache/google-chrome-beta
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/google-chrome-beta
+whitelist ~/.config/google-chrome-beta
+mkdir ~/.cache/google-chrome-beta
+whitelist ~/.cache/google-chrome-beta
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
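Review bot: `noblacklist /.local/share/gnome-chess` on the second line of gnome-chess.profile points at a directory under the filesystem root, not under the user's home, so it does not re-enable the user's game data directory; it should read `noblacklist ~/.local/share/gnome-chess`, as every other profile on this page uses `~/` or `${HOME}`. Whether the included disable-*.inc files actually blacklist ~/.local/share is not visible here, but the rule as written is a no-op either way.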
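Review bot: google-chrome-beta.profile sets only `netfilter` plus whitelists and carries none of `caps.drop all`, `seccomp`, `nonewprivs`, `noroot` or `protocol` that the other application profiles on this page use; google-chrome-unstable (L41), google-chrome (L42), inox (L46), opera-beta and opera (L56) are written the same way. If this is deliberate because the browser's own sandbox needs those privileges, a comment next to `netfilter` should say so, e.g. `# caps.drop all/seccomp/noroot omitted on purpose: TODO confirm they conflict with the browser's built-in sandbox`; if it is an omission, `caps.drop all` and `nonewprivs` are the first lines to try. These profiles also whitelist `~/.keepassx`, `~/keepassx.kdbx` and `~/.lastpass` read-write into the browser sandbox, which deserves a comment stating that it exists for password-manager integration and can be removed by users who do not need it.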
diff --git a/firejail_profiles/google-chrome-stable.profile b/firejail_profiles/google-chrome-stable.profile
new file mode 100644
index 0000000..78c8ca6
--- /dev/null
+++ b/firejail_profiles/google-chrome-stable.profile
@@ -0,0 +1,2 @@
+# Google Chrome browser profile
+include /etc/firejail/google-chrome.profile
diff --git a/firejail_profiles/google-chrome-unstable.profile b/firejail_profiles/google-chrome-unstable.profile
new file mode 100644
index 0000000..f6680ac
--- /dev/null
+++ b/firejail_profiles/google-chrome-unstable.profile
@@ -0,0 +1,27 @@
+# Google Chrome unstable browser profile
+noblacklist ~/.config/google-chrome-unstable
+noblacklist ~/.cache/google-chrome-unstable
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/google-chrome-unstable
+whitelist ~/.config/google-chrome-unstable
+mkdir ~/.cache/google-chrome-unstable
+whitelist ~/.cache/google-chrome-unstable
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
diff --git a/firejail_profiles/google-chrome.profile b/firejail_profiles/google-chrome.profile
new file mode 100644
index 0000000..a9fcebe
--- /dev/null
+++ b/firejail_profiles/google-chrome.profile
@@ -0,0 +1,28 @@
+# Google Chrome browser profile
+noblacklist ~/.config/google-chrome
+noblacklist ~/.cache/google-chrome
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+# chromium is distributed with a perl script on Arch
+# include /etc/firejail/disable-devel.inc
+#
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/google-chrome
+whitelist ~/.config/google-chrome
+mkdir ~/.cache/google-chrome
+whitelist ~/.cache/google-chrome
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
diff --git a/firejail_profiles/google-play-music-desktop-player.profile b/firejail_profiles/google-play-music-desktop-player.profile
new file mode 100644
index 0000000..b4cf8d9
--- /dev/null
+++ b/firejail_profiles/google-play-music-desktop-player.profile
@@ -0,0 +1,18 @@
+# Google Play Music desktop player profile
+noblacklist ~/.config/Google Play Music Desktop Player
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+netfilter
+protocol unix,inet,inet6,netlink
+seccomp
+
+#whitelist ~/.pulse
+#whitelist ~/.config/pulse
+whitelist ~/.config/Google Play Music Desktop Player
diff --git a/firejail_profiles/gpredict.profile b/firejail_profiles/gpredict.profile
new file mode 100644
index 0000000..353ecce
--- /dev/null
+++ b/firejail_profiles/gpredict.profile
@@ -0,0 +1,25 @@
+# Firejail profile for gpredict.
+noblacklist ~/.config/Gpredict
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+# Whitelist
+mkdir ~/.config/Gpredict
+whitelist ~/.config/Gpredict
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin gpredict
+private-dev
+private-tmp
diff --git a/firejail_profiles/gtar.profile b/firejail_profiles/gtar.profile
new file mode 100644
index 0000000..2f675cd
--- /dev/null
+++ b/firejail_profiles/gtar.profile
@@ -0,0 +1,3 @@
+# gtar profile
+quiet
+include /etc/firejail/tar.profile
diff --git a/firejail_profiles/gthumb.profile b/firejail_profiles/gthumb.profile
new file mode 100644
index 0000000..3ffd10a
--- /dev/null
+++ b/firejail_profiles/gthumb.profile
@@ -0,0 +1,21 @@
+# gthumb profile
+noblacklist ${HOME}/.config/gthumb
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin gthumb
+whitelist /tmp/.X11-unix
+private-dev
diff --git a/firejail_profiles/gwenview.profile b/firejail_profiles/gwenview.profile
new file mode 100644
index 0000000..67f10c4
--- /dev/null
+++ b/firejail_profiles/gwenview.profile
@@ -0,0 +1,21 @@
+# KDE gwenview profile
+noblacklist ~/.kde/share/apps/gwenview
+noblacklist ~/.kde/share/config/gwenviewrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+nogroups
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#shell none
+#private-bin gwenview
+#private-etc X11
diff --git a/firejail_profiles/gzip.profile b/firejail_profiles/gzip.profile
new file mode 100644
index 0000000..5e73969
--- /dev/null
+++ b/firejail_profiles/gzip.profile
@@ -0,0 +1,12 @@
+# gzip profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+blacklist /tmp/.X11-unix
+private-dev
+nosound
+no3d
+
diff --git a/firejail_profiles/hedgewars.profile b/firejail_profiles/hedgewars.profile
new file mode 100644
index 0000000..7910b7e
--- /dev/null
+++ b/firejail_profiles/hedgewars.profile
@@ -0,0 +1,22 @@
+# whitelist profile for Hedgewars (game)
+noblacklist ${HOME}/.hedgewars
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+seccomp
+tracelog
+
+private-dev
+private-tmp
+
+mkdir ~/.hedgewars
+whitelist ~/.hedgewars
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/hexchat.profile b/firejail_profiles/hexchat.profile
new file mode 100644
index 0000000..5cefe45
--- /dev/null
+++ b/firejail_profiles/hexchat.profile
@@ -0,0 +1,28 @@
+# HexChat instant messaging profile
+# Currently in testing (may not work for all users)
+noblacklist ${HOME}/.config/hexchat
+#noblacklist /usr/lib/python2*
+#noblacklist /usr/lib/python3*
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+mkdir ~/.config/hexchat
+whitelist ~/.config/hexchat
+include /etc/firejail/whitelist-common.inc
+
+private-bin hexchat
+#debug note: private-bin requires perl, python, etc on some systems
+private-dev
+private-tmp
diff --git a/firejail_profiles/icecat.profile b/firejail_profiles/icecat.profile
new file mode 100644
index 0000000..2f8e2df
--- /dev/null
+++ b/firejail_profiles/icecat.profile
@@ -0,0 +1,51 @@
+# Firejail profile for GNU Icecat
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/icecat
+whitelist ~/.cache/mozilla/icecat
+whitelist ~/dwhelper
+whitelist ~/.zotero
+whitelist ~/.vimperatorrc
+whitelist ~/.vimperator
+whitelist ~/.pentadactylrc
+whitelist ~/.pentadactyl
+whitelist ~/.keysnail.js
+whitelist ~/.config/gnome-mplayer
+whitelist ~/.cache/gnome-mplayer/plugin
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+
+#silverlight
+whitelist ~/.wine-pipelight
+whitelist ~/.wine-pipelight64
+whitelist ~/.config/pipelight-widevine
+whitelist ~/.config/pipelight-silverlight5.1
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+
diff --git a/firejail_profiles/icedove.profile b/firejail_profiles/icedove.profile
new file mode 100644
index 0000000..2325475
--- /dev/null
+++ b/firejail_profiles/icedove.profile
@@ -0,0 +1,18 @@
+# Firejail profile for Mozilla Thunderbird (Icedove in Debian Stable)
+# Users have icedove set to open a browser by clicking a link in an email
+# We are not allowed to blacklist browser-specific directories
+
+noblacklist ~/.gnupg
+mkdir ~/.gnupg
+whitelist ~/.gnupg
+
+noblacklist ~/.icedove
+mkdir ~/.icedove
+whitelist ~/.icedove
+
+noblacklist ~/.cache/icedove
+mkdir ~/.cache/icedove
+whitelist ~/.cache/icedove
+
+include /etc/firejail/firefox.profile
+
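Review bot: icedove.profile whitelists `~/.gnupg` read-write and then pulls in `/etc/firejail/firefox.profile`, so whatever that profile grants is applied to the mail client as well; firefox.profile is not in this diff, but icecat.profile on this page, written to the same pattern, whitelists `~/.keepassx`, `~/keepassx.kdbx` and `~/.lastpass`, so the mail client presumably gets those too. The header comment covers the browser-directory reasoning but not this, so a line such as `# firefox.profile is included in full, so all of its whitelists apply to icedove as well` next to the include would make the resulting sandbox explicit. It would also help to record whether `read-only ~/.gnupg` was considered; if gpg needs to write into that directory it is not an option, but that should be stated rather than left to guesswork.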
diff --git a/firejail_profiles/iceweasel.profile b/firejail_profiles/iceweasel.profile
new file mode 100644
index 0000000..e9b3284
--- /dev/null
+++ b/firejail_profiles/iceweasel.profile
@@ -0,0 +1,2 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+include /etc/firejail/firefox.profile
diff --git a/firejail_profiles/inkscape.profile b/firejail_profiles/inkscape.profile
new file mode 100644
index 0000000..cf885fb
--- /dev/null
+++ b/firejail_profiles/inkscape.profile
@@ -0,0 +1,18 @@
+# inkscape
+noblacklist ${HOME}/.inkscape
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix
+seccomp
+private-dev
+private-tmp
+noexec ${HOME}
+noexec /tmp
+nogroups
+nosound
diff --git a/firejail_profiles/inox.profile b/firejail_profiles/inox.profile
new file mode 100644
index 0000000..49d2f28
--- /dev/null
+++ b/firejail_profiles/inox.profile
@@ -0,0 +1,24 @@
+# Inox browser profile
+noblacklist ~/.config/inox
+noblacklist ~/.cache/inox
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/inox
+whitelist ~/.config/inox
+mkdir ~/.cache/inox
+whitelist ~/.cache/inox
+mkdir ~/.pki
+whitelist ~/.pki
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/jitsi.profile b/firejail_profiles/jitsi.profile
new file mode 100644
index 0000000..c61158f
--- /dev/null
+++ b/firejail_profiles/jitsi.profile
@@ -0,0 +1,17 @@
+# Firejail profile for jitsi
+noblacklist ~/.jitsi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-tmp
diff --git a/firejail_profiles/keepass.profile b/firejail_profiles/keepass.profile
new file mode 100644
index 0000000..23f9a7b
--- /dev/null
+++ b/firejail_profiles/keepass.profile
@@ -0,0 +1,22 @@
+# keepass password manager profile
+
+noblacklist ${HOME}/.config/keepass
+noblacklist ${HOME}/.keepass
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev
diff --git a/firejail_profiles/keepassx.profile b/firejail_profiles/keepassx.profile
new file mode 100644
index 0000000..415160d
--- /dev/null
+++ b/firejail_profiles/keepassx.profile
@@ -0,0 +1,23 @@
+# keepassx password manager profile
+
+noblacklist ${HOME}/.config/keepassx
+noblacklist ${HOME}/.keepassx
+noblacklist ${HOME}/keepassx.kdbx
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+
+private-tmp
+private-dev
diff --git a/firejail_profiles/kmail.profile b/firejail_profiles/kmail.profile
new file mode 100644
index 0000000..8c8fd18
--- /dev/null
+++ b/firejail_profiles/kmail.profile
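Review bot: keepass.profile grants `protocol unix,inet,inet6` (with `netfilter`), whereas keepassx.profile directly below restricts the password manager to `protocol unix`; for the program that holds the password database, outbound network access should be either justified in a comment or removed. If KeePass genuinely needs it, write the reason above the line, e.g. `# inet/inet6 needed for: TODO state reason (update check, plugins)`; if not, `protocol unix` and `net none` would bring it in line with the keepassx profile. Either way the two profiles should not differ silently on this point.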
@@ -0,0 +1,19 @@
+# kmail profile
+noblacklist ${HOME}/.gnupg
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+private-dev
+private-tmp
diff --git a/firejail_profiles/konversation.profile b/firejail_profiles/konversation.profile
new file mode 100644
index 0000000..e9546fd
--- /dev/null
+++ b/firejail_profiles/konversation.profile
@@ -0,0 +1,15 @@
+# Firejail konversation profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+noroot
+seccomp
+protocol unix,inet,inet6
+
+private-tmp
diff --git a/firejail_profiles/less.profile b/firejail_profiles/less.profile
new file mode 100644
index 0000000..6dfae02
--- /dev/null
+++ b/firejail_profiles/less.profile
@@ -0,0 +1,9 @@
+# less profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+private-dev
+nosound
diff --git a/firejail_profiles/libreoffice.profile b/firejail_profiles/libreoffice.profile
new file mode 100644
index 0000000..d6aceb7
--- /dev/null
+++ b/firejail_profiles/libreoffice.profile
@@ -0,0 +1,19 @@
+# Firejail profile for LibreOffice
+noblacklist ~/.config/libreoffice
+noblacklist /usr/local/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+tracelog
+
+private-dev
+# whitelist /tmp/.X11-unix/
diff --git a/firejail_profiles/localc.profile b/firejail_profiles/localc.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
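Review bot: konversation.profile drops capabilities but omits `nonewprivs`, which every other `caps.drop all` profile on this page pairs with it; openbox.profile (L55), psi-plus.profile (L59) and lxterminal.profile (L51) have the same gap. `nonewprivs` is what stops a setuid or file-capability binary executed inside the sandbox from gaining privileges the profile meant to remove, so add `nonewprivs` directly after `caps.drop all` in each of the four. The openbox case is the widest, since its own header says every application started from the window manager inherits that profile.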
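Review bot: `noblacklist /usr/local/sbin` in libreoffice.profile re-exposes a system directory without saying why, and the trailing `# whitelist /tmp/.X11-unix/` gives no hint whether it is pending or was rejected. A one-line reason on each, e.g. `# /usr/local/sbin: TODO document why LibreOffice needs it` and `# whitelist /tmp/.X11-unix/ - disabled because: TODO`, would keep a later cleanup from removing or keeping the lines blindly.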
+++ b/firejail_profiles/localc.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/lodraw.profile b/firejail_profiles/lodraw.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/lodraw.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/loffice.profile b/firejail_profiles/loffice.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/loffice.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/lofromtemplate.profile b/firejail_profiles/lofromtemplate.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/lofromtemplate.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/login.users b/firejail_profiles/login.users
new file mode 100644
index 0000000..bc6ac4b
--- /dev/null
+++ b/firejail_profiles/login.users
@@ -0,0 +1,14 @@
+# /etc/firejail/login.users - restricted user shell configuration
+#
+# Each user entry consists of a user name and firejail
+# program arguments:
+#
+# user name: arguments
+#
+# For example:
+#
+# netblue:--net=none --protocol=unix
+#
+# The extra arguments are inserted into program command line if firejail
+# was started as a login shell.
+
diff --git a/firejail_profiles/loimpress.profile b/firejail_profiles/loimpress.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/loimpress.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/lomath.profile b/firejail_profiles/lomath.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/lomath.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/loweb.profile b/firejail_profiles/loweb.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/loweb.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/lowriter.profile b/firejail_profiles/lowriter.profile
new file mode 100644
index 0000000..fecd088
--- /dev/null
+++ b/firejail_profiles/lowriter.profile
@@ -0,0 +1,5 @@
+################################
+# LibreOffice profile
+################################
+include /etc/firejail/libreoffice.profile
+
diff --git a/firejail_profiles/luminance-hdr.profile b/firejail_profiles/luminance-hdr.profile
new file mode 100644
index 0000000..6e059ea
--- /dev/null
+++ b/firejail_profiles/luminance-hdr.profile
@@ -0,0 +1,21 @@
+# luminance-hdr
+noblacklist ${HOME}/.config/Luminance
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+protocol unix
+nonewprivs
+noroot
+seccomp
+shell none
+tracelog
+private-tmp
+private-dev
+noexec ${HOME}
+noexec /tmp
+nogroups
+nosound
+ipc-namespace
diff --git a/firejail_profiles/lxterminal.profile b/firejail_profiles/lxterminal.profile
new file mode 100644
index 0000000..d1d0b8a
--- /dev/null
+++ b/firejail_profiles/lxterminal.profile
@@ -0,0 +1,11 @@
+# lxterminal (LXDE) profile
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+protocol unix,inet,inet6
+seccomp
+#noroot - somehow this breaks on Debian Jessie!
diff --git a/firejail_profiles/mathematica.profile b/firejail_profiles/mathematica.profile
new file mode 100644
index 0000000..9410054
--- /dev/null
+++ b/firejail_profiles/mathematica.profile
@@ -0,0 +1,2 @@
+# Mathematica profile
+include /etc/firejail/Mathematica.profile
diff --git a/firejail_profiles/mcabber.profile b/firejail_profiles/mcabber.profile
new file mode 100644
index 0000000..48b46db
--- /dev/null
+++ b/firejail_profiles/mcabber.profile
@@ -0,0 +1,21 @@
+# mcabber profile
+noblacklist ${HOME}/.mcabber
+noblacklist ${HOME}/.mcabberrc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol inet,inet6
+seccomp
+
+private-bin mcabber
+private-etc null
+private-dev
+shell none
+nosound
diff --git a/firejail_profiles/midori.profile b/firejail_profiles/midori.profile
new file mode 100644
index 0000000..046c45d
--- /dev/null
+++ b/firejail_profiles/midori.profile
@@ -0,0 +1,13 @@
+# Midori browser profile
+noblacklist ${HOME}/.config/midori
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+# noroot - noroot break midori on Ubuntu 14.04
+protocol unix,inet,inet6
+seccomp
+
diff --git a/firejail_profiles/mpv.profile b/firejail_profiles/mpv.profile
new file mode 100644
index 0000000..80f8de5
--- /dev/null
+++ b/firejail_profiles/mpv.profile
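Review bot: `private-etc null` in mcabber.profile names an /etc entry that does not normally exist, so its intent (presumably an /etc containing nothing) is not obvious from the line itself; if that is the goal, say so, e.g. `# private-etc null: deliberately gives the sandbox an empty /etc`. An empty /etc means no resolv.conf, nsswitch.conf or certificate directory inside the sandbox, so name resolution and TLS verification for the XMPP connection would depend on how the host resolver and mcabber are set up; the profile should record that this was tested to connect, or list the files mcabber needs instead.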
@@ -0,0 +1,18 @@
+# mpv media player profile
+noblacklist ${HOME}/.config/mpv
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# to test
+shell none
+private-bin mpv,youtube-dl,python2.7
diff --git a/firejail_profiles/mupdf.profile b/firejail_profiles/mupdf.profile
new file mode 100644
index 0000000..c1c4980
--- /dev/null
+++ b/firejail_profiles/mupdf.profile
@@ -0,0 +1,29 @@
+# mupdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+netfilter
+shell none
+tracelog
+
+private-tmp
+private-dev
+private-etc fonts
+
+# mupdf will never write anything
+read-only ${HOME}
+
+#
+# Experimental:
+#
+#seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsockname,getsockopt,lseek,lstat,mlock,mmap,mprotect,mremap,munmap,nanosleep,open,poll,prctl,read,recvfrom,recvmsg,restart_syscall,rt_sigaction,rt_sigprocmask,select,sendmsg,set_robust_list,set_tid_address,setresgid,setresuid,shmat,shmctl,shmget,shutdown,socket,stat,sysinfo,uname,unshare,wait4,write,writev
+# private-bin mupdf,sh,tempfile,rm
diff --git a/firejail_profiles/mupen64plus.profile b/firejail_profiles/mupen64plus.profile
new file mode 100644
index 0000000..acb13e6
--- /dev/null
+++ b/firejail_profiles/mupen64plus.profile
@@ -0,0 +1,20 @@
+# mupen64plus profile
+# manually whitelist ROM files
+noblacklist ${HOME}/.config/mupen64plus
+noblacklist ${HOME}/.local/share/mupen64plus
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+mkdir ${HOME}/.local/share/mupen64plus
+whitelist ${HOME}/.local/share/mupen64plus/
+mkdir ${HOME}/.config/mupen64plus
+whitelist ${HOME}/.config/mupen64plus/
+
+caps.drop all
+net none
+nonewprivs
+noroot
+seccomp
diff --git a/firejail_profiles/mutt.profile b/firejail_profiles/mutt.profile
new file mode 100644
index 0000000..b532ded
--- /dev/null
+++ b/firejail_profiles/mutt.profile
@@ -0,0 +1,40 @@
+# mutt email client profile
+
+noblacklist ~/.muttrc
+noblacklist ~/.mutt
+noblacklist ~/.mutt/muttrc
+noblacklist ~/.mailcap
+noblacklist ~/.gnupg
+noblacklist ~/.mail
+noblacklist ~/.Mail
+noblacklist ~/mail
+noblacklist ~/Mail
+noblacklist ~/sent
+noblacklist ~/postponed
+noblacklist ~/.cache/mutt
+noblacklist ~/.w3m
+noblacklist ~/.elinks
+noblacklist ~/.vim
+noblacklist ~/.vimrc
+noblacklist ~/.viminfo
+noblacklist ~/.emacs
+noblacklist ~/.emacs.d
+noblacklist ~/.signature
+noblacklist ~/.bogofilter
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-dev
diff --git a/firejail_profiles/netsurf.profile b/firejail_profiles/netsurf.profile
new file mode 100644
index 0000000..1ed2163
--- /dev/null
+++ b/firejail_profiles/netsurf.profile
@@ -0,0 +1,30 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.config/netsurf
+noblacklist ~/.cache/netsurf
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/netsurf
+whitelist ~/.config/netsurf
+mkdir ~/.cache/netsurf
+whitelist ~/.cache/netsurf
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/nolocal.net b/firejail_profiles/nolocal.net
new file mode 100644
index 0000000..9fa7854
--- /dev/null
+++ b/firejail_profiles/nolocal.net
@@ -0,0 +1,26 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+###################################################################
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
+#
+# Usage:
+# firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox
+#
+###################################################################
+
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+
+-A OUTPUT -p udp --dport 53 -j ACCEPT
+-A OUTPUT -d 192.168.0.0/16 -j DROP
+-A OUTPUT -d 10.0.0.0/8 -j DROP
+-A OUTPUT -d 172.16.0.0/12 -j DROP
+COMMIT
diff --git a/firejail_profiles/okular.profile b/firejail_profiles/okular.profile
new file mode 100644
index 0000000..df142cc
--- /dev/null
+++ b/firejail_profiles/okular.profile
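Review bot: the header comment of netsurf.profile reads `# Firejail profile for Mozilla Firefox (Iceweasel in Debian)`, evidently copied from the Firefox profile; it should read `# Firejail profile for NetSurf`. The rest of the file (the ~/.config/netsurf and ~/.cache/netsurf rules) is specific to NetSurf, so only the comment is wrong.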
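Review bot: the OUTPUT rules in nolocal.net drop 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 but not the link-local range, so the header's promise of "rejecting local network traffic" is not met for 169.254.0.0/16; add `-A OUTPUT -d 169.254.0.0/16 -j DROP` beside the other three. The file is an iptables (IPv4) ruleset, so IPv6 neighbours (fe80::/10, fc00::/7) are not filtered at all; the header comment should state that the filter is IPv4-only, and a companion ip6tables file loaded with `--netfilter6` would be the way to close that gap. The `--dport 53` ACCEPT is ordered before the DROP rules, which matches the "exception of DNS traffic" in the comment and should stay first.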
@@ -0,0 +1,24 @@
+# KDE okular profile
+noblacklist ~/.kde/share/apps/okular
+noblacklist ~/.kde/share/config/okularrc
+noblacklist ~/.kde/share/config/okularpartrc
+read-only ~/.kde/share/config/kdeglobals
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+private-dev
+protocol unix
+seccomp
+nosound
+
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
diff --git a/firejail_profiles/openbox.profile b/firejail_profiles/openbox.profile
new file mode 100644
index 0000000..f812768
--- /dev/null
+++ b/firejail_profiles/openbox.profile
@@ -0,0 +1,11 @@
+#######################################
+# OpenBox window manager profile
+# - all applications started in OpenBox will run in this profile
+#######################################
+include /etc/firejail/disable-common.inc
+
+caps.drop all
+netfilter
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/openshot.profile b/firejail_profiles/openshot.profile
new file mode 100644
index 0000000..f12bd7d
--- /dev/null
+++ b/firejail_profiles/openshot.profile
@@ -0,0 +1,13 @@
+# OpenShot profile
+noblacklist ${HOME}/.openshot
+noblacklist ${HOME}/.openshot_qt
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
diff --git a/firejail_profiles/opera-beta.profile b/firejail_profiles/opera-beta.profile
new file mode 100644
index 0000000..12c91c7
--- /dev/null
+++ b/firejail_profiles/opera-beta.profile
@@ -0,0 +1,25 @@
+# Opera-beta browser profile
+noblacklist ~/.config/opera-beta
+noblacklist ~/.cache/opera-beta
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/opera-beta
+whitelist ~/.config/opera-beta
+mkdir ~/.cache/opera-beta
+whitelist ~/.cache/opera-beta
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
diff --git a/firejail_profiles/opera.profile b/firejail_profiles/opera.profile
new file mode 100644
index 0000000..e0c89a1
--- /dev/null
+++ b/firejail_profiles/opera.profile
@@ -0,0 +1,28 @@
+# Opera browser profile
+noblacklist ~/.config/opera
+noblacklist ~/.cache/opera
+noblacklist ~/.opera
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/opera
+whitelist ~/.config/opera
+mkdir ~/.cache/opera
+whitelist ~/.cache/opera
+mkdir ~/.opera
+whitelist ~/.opera
+mkdir ~/.pki
+whitelist ~/.pki
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
diff --git a/firejail_profiles/palemoon.profile b/firejail_profiles/palemoon.profile
new file mode 100644
index 0000000..71deec6
--- /dev/null
+++ b/firejail_profiles/palemoon.profile
@@ -0,0 +1,57 @@
+# Firejail profile for Pale Moon
+noblacklist ~/.moonchild productions/pale moon
+noblacklist ~/.cache/moonchild productions/pale moon
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/whitelist-common.inc
+
+whitelist ${DOWNLOADS}
+mkdir ~/.moonchild productions
+whitelist ~/.moonchild productions
+mkdir ~/.cache/moonchild productions/pale moon
+whitelist ~/.cache/moonchild productions/pale moon
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+private-bin palemoon
+private-tmp
+
+# These are uncommented in the Firefox profile. If you run into trouble you may
+# want to uncomment (some of) them.
+#whitelist ~/dwhelper
+#whitelist ~/.zotero
+#whitelist ~/.vimperatorrc
+#whitelist ~/.vimperator
+#whitelist ~/.pentadactylrc
+#whitelist ~/.pentadactyl
+#whitelist ~/.keysnail.js
+#whitelist ~/.config/gnome-mplayer
+#whitelist ~/.cache/gnome-mplayer/plugin
+#whitelist ~/.pki
+
+# For silverlight
+#whitelist ~/.wine-pipelight
+#whitelist ~/.wine-pipelight64
+#whitelist ~/.config/pipelight-widevine
+#whitelist ~/.config/pipelight-silverlight5.1
+
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
+#private-dev (disabled for now as it will interfere with webcam use in palemoon)
diff --git a/firejail_profiles/parole.profile b/firejail_profiles/parole.profile
new file mode 100644
index 0000000..1440a9e
--- /dev/null
+++ b/firejail_profiles/parole.profile
@@ -0,0 +1,16 @@ +# Profile for Parole, the default XFCE4 media player +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +private-etc passwd,group,fonts +private-bin parole,dbus-launch + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none diff --git a/firejail_profiles/pidgin.profile b/firejail_profiles/pidgin.profile new file mode 100644 index 0000000..47be2b6 --- /dev/null +++ b/firejail_profiles/pidgin.profile @@ -0,0 +1,21 @@ +# Pidgin profile +noblacklist ${HOME}/.purple + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin pidgin +private-dev +private-tmp diff --git a/firejail_profiles/pix.profile b/firejail_profiles/pix.profile new file mode 100644 index 0000000..80c05fd --- /dev/null +++ b/firejail_profiles/pix.profile @@ -0,0 +1,23 @@ +# Firejail profile for pix +noblacklist ${HOME}/.config/pix +noblacklist ${HOME}/.local/share/pix + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +nogroups +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin pix +whitelist /tmp/.X11-unix +private-dev + diff --git a/firejail_profiles/polari.profile b/firejail_profiles/polari.profile new file mode 100644 index 0000000..ac9530c --- /dev/null +++ b/firejail_profiles/polari.profile 
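Review bot: `private-etc passwd,group,fonts` leaves out `resolv.conf`, `hosts` and `nsswitch.conf` while the profile permits `inet,inet6` through `netfilter`; if Parole is expected to open network streams, name resolution inside the sandbox will fail with this list (the slack profile on L65 includes `resolv.conf` in its own private-etc). Either extend it, `private-etc passwd,group,fonts,hosts,nsswitch.conf,resolv.conf`, or replace `netfilter` with `net none` if the player is meant to be local-only. The profile also sets neither `private-dev` nor `private-tmp`, both of which pidgin in the next hunk applies.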
@@ -0,0 +1,25 @@ +# Polari IRC profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +mkdir ${HOME}/.local/share/Empathy +whitelist ${HOME}/.local/share/Empathy +mkdir ${HOME}/.local/share/telepathy +whitelist ${HOME}/.local/share/telepathy +mkdir ${HOME}/.local/share/TpLogger +whitelist ${HOME}/.local/share/TpLogger +mkdir ${HOME}/.config/telepathy-account-widgets +whitelist ${HOME}/.config/telepathy-account-widgets +mkdir ${HOME}/.cache/telepathy +whitelist ${HOME}/.cache/telepathy +mkdir ${HOME}/.purple +whitelist ${HOME}/.purple +include /etc/firejail/whitelist-common.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail_profiles/psi-plus.profile b/firejail_profiles/psi-plus.profile new file mode 100644 index 0000000..22c5baf --- /dev/null +++ b/firejail_profiles/psi-plus.profile @@ -0,0 +1,23 @@ +# Firejail profile for Psi+ + +noblacklist ${HOME}/.config/psi+ +noblacklist ${HOME}/.local/share/psi+ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ${DOWNLOADS} +mkdir ~/.config/psi+ +whitelist ~/.config/psi+ +mkdir ~/.local/share/psi+ +whitelist ~/.local/share/psi+ +mkdir ~/.cache/psi+ +whitelist ~/.cache/psi+ + +include /etc/firejail/whitelist-common.inc + +caps.drop all +netfilter +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail_profiles/qbittorrent.profile b/firejail_profiles/qbittorrent.profile new file mode 100644 index 0000000..138b6db --- /dev/null +++ b/firejail_profiles/qbittorrent.profile 
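Review bot: `mkdir`/`whitelist ${HOME}/.purple` (and the telepathy/Empathy directories above it) have no matching `noblacklist`, whereas the pidgin profile on L58 does `noblacklist ${HOME}/.purple` before using the same path, which suggests disable-programs.inc blacklists it; firejail applies blacklists on top of whitelists, so the directory would be whitelisted yet still inaccessible. The psi-plus hunk on this line shows the same pattern for `~/.cache/psi+`, whitelisted without a `noblacklist`. Add the `noblacklist` lines ahead of the includes, or drop `~/.purple` from this profile entirely, since it is Pidgin's data directory and Polari is an IRC client.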
@@ -0,0 +1,20 @@ +# qbittorrent bittorrent profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp + +# there are some problems with "Open destination folder", see bug #536 +#shell none +#private-bin qbittorrent +whitelist /tmp/.X11-unix +private-dev +nosound diff --git a/firejail_profiles/qpdfview.profile b/firejail_profiles/qpdfview.profile new file mode 100644 index 0000000..07ea173 --- /dev/null +++ b/firejail_profiles/qpdfview.profile @@ -0,0 +1,22 @@ +# qpdfview profile +noblacklist ${HOME}/.config/qpdfview +noblacklist ${HOME}/.local/share/qpdfview + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +nonewprivs +noroot +nosound +protocol unix +seccomp +shell none +tracelog + +private-bin qpdfview +private-tmp +private-dev diff --git a/firejail_profiles/qtox.profile b/firejail_profiles/qtox.profile new file mode 100644 index 0000000..9274870 --- /dev/null +++ b/firejail_profiles/qtox.profile @@ -0,0 +1,23 @@ +# qTox instant messaging profile +noblacklist ${HOME}/.config/tox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +mkdir ${HOME}/.config/tox +whitelist ${HOME}/.config/tox +whitelist ${DOWNLOADS} + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin qtox +private-tmp diff --git a/firejail_profiles/quassel.profile b/firejail_profiles/quassel.profile new file mode 100644 index 0000000..f92dfeb --- /dev/null +++ b/firejail_profiles/quassel.profile 
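Review bot: `nosound` appears twice in qbittorrent.profile, once in the options block and again as the final line; rtorrent.profile on L62 has the same duplication. Keep a single `nosound`. Both profiles set `private-dev` and whitelist `/tmp/.X11-unix` but not `private-tmp`, unlike qpdfview and qtox in the following hunks; if that is deliberate because of the "Open destination folder" problem referenced as bug #536, a one-line comment next to it would spare the next reader the archaeology.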
@@ -0,0 +1,11 @@ +# Quassel IRC profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +nonewprivs +noroot +netfilter +protocol unix,inet,inet6 +seccomp diff --git a/firejail_profiles/quiterss.profile b/firejail_profiles/quiterss.profile new file mode 100644 index 0000000..2ab5d8a --- /dev/null +++ b/firejail_profiles/quiterss.profile @@ -0,0 +1,29 @@ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-devel.inc + +whitelist ${HOME}/quiterssfeeds.opml +mkdir ~/.config/QuiteRss +whitelist ${HOME}/.config/QuiteRss/ +whitelist ${HOME}/.config/QuiteRssrc +mkdir ~/.local/share +whitelist ${HOME}/.local/share/ +mkdir ~/.cache/QuiteRss +whitelist ${HOME}/.cache/QuiteRss + +caps.drop all +netfilter +nonewprivs +nogroups +noroot +private-bin quiterss +private-dev +nosound +#private-etc X11,ssl +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +include /etc/firejail/whitelist-common.inc diff --git a/firejail_profiles/qutebrowser.profile b/firejail_profiles/qutebrowser.profile new file mode 100644 index 0000000..0efb7b6 --- /dev/null +++ b/firejail_profiles/qutebrowser.profile @@ -0,0 +1,22 @@ +# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser + +noblacklist ~/.config/qutebrowser +noblacklist ~/.cache/qutebrowser +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.config/qutebrowser +whitelist ~/.config/qutebrowser +mkdir ~/.cache/qutebrowser +whitelist ~/.cache/qutebrowser +include /etc/firejail/whitelist-common.inc diff --git a/firejail_profiles/ranger.profile b/firejail_profiles/ranger.profile new file mode 100644 index 0000000..a040cd6 
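Review bot: `mkdir ~/.local/share` followed by `whitelist ${HOME}/.local/share/` exposes the whole of `~/.local/share` — every other application's data under it — to the feed reader, far broader than the per-application directories the other whitelists in this hunk use (`~/.config/QuiteRss`, `~/.cache/QuiteRss`). If QuiteRss keeps its data in its own subdirectory, narrow it to `mkdir ~/.local/share/QuiteRss` and `whitelist ${HOME}/.local/share/QuiteRss`; if it genuinely needs the parent, a comment should say why. The trailing slash in `whitelist ${HOME}/.config/QuiteRss/` is also inconsistent with the other paths in the file.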
--- /dev/null +++ b/firejail_profiles/ranger.profile @@ -0,0 +1,24 @@ +# ranger file manager profile +noblacklist /usr/bin/perl +#noblacklist /usr/bin/cpan* +noblacklist /usr/share/perl* +noblacklist /usr/lib/perl* + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +net none +nonewprivs +noroot +nogroups +protocol unix +seccomp +nosound + +private-tmp +private-dev + diff --git a/firejail_profiles/rhythmbox.profile b/firejail_profiles/rhythmbox.profile new file mode 100644 index 0000000..0e8527a --- /dev/null +++ b/firejail_profiles/rhythmbox.profile @@ -0,0 +1,19 @@ +# Rhythmbox media player profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nogroups +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin rhythmbox +private-dev +private-tmp diff --git a/firejail_profiles/rtorrent.profile b/firejail_profiles/rtorrent.profile new file mode 100644 index 0000000..15df2c3 --- /dev/null +++ b/firejail_profiles/rtorrent.profile @@ -0,0 +1,19 @@ +# rtorrent bittorrent profile +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp + +shell none +private-bin rtorrent +whitelist /tmp/.X11-unix +private-dev +nosound diff --git a/firejail_profiles/seamonkey-bin.profile b/firejail_profiles/seamonkey-bin.profile new file mode 100644 index 0000000..fff8c12 --- /dev/null +++ b/firejail_profiles/seamonkey-bin.profile @@ -0,0 +1,3 @@ +# Firejail profile for Seamonkey based off Mozilla Firefox +include /etc/firejail/seamonkey.profile + 
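Review bot: `netfilter` and `net none` are both set in ranger.profile; with `net none` the sandbox has no network interfaces, so `netfilter` filters nothing and only suggests to a reader that networking is allowed. Drop the `netfilter` line (or `net none`, if ranger is meant to reach the network). The three perl `noblacklist` lines are unexplained beyond the commented `cpan*` entry; a comment naming which ranger feature needs perl would let a reviewer judge whether re-enabling it is worth the added surface.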
diff --git a/firejail_profiles/seamonkey.profile b/firejail_profiles/seamonkey.profile new file mode 100644 index 0000000..b981d95 --- /dev/null +++ b/firejail_profiles/seamonkey.profile @@ -0,0 +1,48 @@ +# Firejail profile for Seamoneky based off Mozilla Firefox +noblacklist ~/.mozilla +noblacklist ~/.cache/mozilla +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +tracelog + +whitelist ${DOWNLOADS} +mkdir ~/.mozilla/seamonkey +whitelist ~/.mozilla/seamonkey +mkdir ~/.cache/mozilla/seamonkey +whitelist ~/.cache/mozilla/seamonkey +whitelist ~/dwhelper +whitelist ~/.zotero +whitelist ~/.lastpass +whitelist ~/.vimperatorrc +whitelist ~/.vimperator +whitelist ~/.pentadactylrc +whitelist ~/.pentadactyl +whitelist ~/.keysnail.js +whitelist ~/.config/gnome-mplayer +whitelist ~/.cache/gnome-mplayer/plugin +whitelist ~/.pki +include /etc/firejail/whitelist-common.inc + +# lastpass, keepassx +whitelist ~/.keepassx +whitelist ~/.config/keepassx +whitelist ~/keepassx.kdbx +whitelist ~/.lastpass +whitelist ~/.config/lastpass + +#silverlight +whitelist ~/.wine-pipelight +whitelist ~/.wine-pipelight64 +whitelist ~/.config/pipelight-widevine +whitelist ~/.config/pipelight-silverlight5.1 + +# experimental features +#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse diff --git a/firejail_profiles/server.profile b/firejail_profiles/server.profile new file mode 100644 index 0000000..22cef0a --- /dev/null +++ b/firejail_profiles/server.profile 
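Review bot: The header comment misspells the product (`# Firejail profile for Seamoneky based off Mozilla Firefox`) while the seamonkey-bin wrapper on L62 spells it `Seamonkey`. `whitelist ~/.lastpass` is also listed twice, once in the plugin block and again under `# lastpass, keepassx`. Fix the spelling and drop one of the duplicate lines.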
@@ -0,0 +1,16 @@
+# generic server profile
+# it allows /sbin and /usr/sbin directories - this is where servers are installed
+noblacklist /sbin
+noblacklist /usr/sbin
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+private
+private-dev
+nosound
+no3d
+private-tmp
+blacklist /tmp/.X11-unix
+seccomp
+
diff --git a/firejail_profiles/skype.profile b/firejail_profiles/skype.profile
new file mode 100644
index 0000000..9cbcd51
--- /dev/null
+++ b/firejail_profiles/skype.profile
@@ -0,0 +1,12 @@
+# Skype profile
+noblacklist ${HOME}/.Skype
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
diff --git a/firejail_profiles/skypeforlinux.profile b/firejail_profiles/skypeforlinux.profile
new file mode 100644
index 0000000..3f0a274
--- /dev/null
+++ b/firejail_profiles/skypeforlinux.profile
@@ -0,0 +1,11 @@
+# skypeforlinux profile
+noblacklist ${HOME}/.config/skypeforlinux
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+noroot
+seccomp
+protocol unix,inet,inet6,netlink
diff --git a/firejail_profiles/slack.profile b/firejail_profiles/slack.profile
new file mode 100644
index 0000000..1009f7e
--- /dev/null
+++ b/firejail_profiles/slack.profile
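Review bot: server.profile sets neither `caps.drop all` nor a `caps.keep` list, and neither `noroot` nor `nonewprivs`, so whatever is started through it — presumably root, given the `/sbin` comment — keeps the full capability set, with only `seccomp` and the filesystem options constraining it. A `caps.keep` list limited to what binding privileged ports and dropping privileges requires, plus `nonewprivs`, would keep the profile generic while removing most of the root surface; the unbound profile on L70 has the same omission. Separately, skypeforlinux on this line lacks the `nonewprivs` that the skype profile directly above it sets.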
@@ -0,0 +1,30 @@ +noblacklist ${HOME}/.config/Slack +noblacklist ${HOME}/Downloads + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +mkdir ${HOME}/.config +mkdir ${HOME}/.config/Slack +whitelist ${HOME}/.config/Slack +whitelist ${HOME}/Downloads + +protocol unix,inet,inet6,netlink +private-dev +private-tmp +private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime +name slack +blacklist /var + +include /etc/firejail/whitelist-common.inc + +caps.drop all +seccomp +netfilter +nonewprivs +nogroups +noroot +shell none +private-bin slack diff --git a/firejail_profiles/snap.profile b/firejail_profiles/snap.profile new file mode 100644 index 0000000..270fdf1 --- /dev/null +++ b/firejail_profiles/snap.profile @@ -0,0 +1,14 @@ +################################ +# Generic Ubuntu snap application profile +################################ +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +whitelist ~/snap +whitelist ${DOWNLOADS} +include /etc/firejail/whitelist-common.inc + +caps.keep chown,sys_admin + + diff --git a/firejail_profiles/soffice.profile b/firejail_profiles/soffice.profile new file mode 100644 index 0000000..fecd088 --- /dev/null +++ b/firejail_profiles/soffice.profile @@ -0,0 +1,5 @@ +################################ +# LibreOffice profile +################################ +include /etc/firejail/libreoffice.profile + diff --git a/firejail_profiles/spotify.profile b/firejail_profiles/spotify.profile new file mode 100644 index 0000000..73d427d --- /dev/null +++ b/firejail_profiles/spotify.profile 
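Review bot: `private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime` omits `hosts` and `nsswitch.conf` and contains no certificate directory (`ssl`, `ca-certificates`); if the client relies on the system trust store, TLS connections fail inside the sandbox, and nothing in the profile says which case applies — a comment either way would help. `noblacklist ${HOME}/Downloads` / `whitelist ${HOME}/Downloads` hard-code the directory where the other profiles in this commit use `${DOWNLOADS}`; switching to `whitelist ${DOWNLOADS}` keeps the profiles consistent for users with a relocated downloads folder.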
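Review bot: `caps.keep chown,sys_admin` in snap.profile retains CAP_SYS_ADMIN, which covers mounting, namespace manipulation and a long list of other privileged operations, and the profile pairs it with no `seccomp`, `noroot` or `nonewprivs`; in effect this profile limits what the snap tooling can see in the home directory but provides little privilege confinement. If `sys_admin` is required by the snap launcher's own confinement setup, state that next to the line, e.g. `# sys_admin is needed by the snap launcher for its own sandbox setup; this profile only restricts filesystem visibility`, so nobody mistakes it for a hardened profile.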
@@ -0,0 +1,31 @@ +# Spotify media player profile +noblacklist ${HOME}/.config/spotify +noblacklist ${HOME}/.cache/spotify +noblacklist ${HOME}/.local/share/spotify +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +# Whitelist the folders needed by Spotify - This is more restrictive +# than a blacklist though, but this is all spotify requires for +# streaming audio +mkdir ${HOME}/.config/spotify +whitelist ${HOME}/.config/spotify +mkdir ${HOME}/.local/share/spotify +whitelist ${HOME}/.local/share/spotify +mkdir ${HOME}/.cache/spotify +whitelist ${HOME}/.cache/spotify +include /etc/firejail/whitelist-common.inc + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none + +#private-bin spotify +private-dev diff --git a/firejail_profiles/ssh.profile b/firejail_profiles/ssh.profile new file mode 100644 index 0000000..b7a8ed2 --- /dev/null +++ b/firejail_profiles/ssh.profile @@ -0,0 +1,16 @@ +# ssh client +quiet +noblacklist ~/.ssh +noblacklist /tmp/ssh-* +noblacklist /etc/ssh + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp diff --git a/firejail_profiles/steam.profile b/firejail_profiles/steam.profile new file mode 100644 index 0000000..5dc5e80 --- /dev/null +++ b/firejail_profiles/steam.profile @@ -0,0 +1,14 @@ +# Steam profile (applies to games/apps launched from Steam as well) +noblacklist ${HOME}/.steam +noblacklist ${HOME}/.local/share/steam +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp 
diff --git a/firejail_profiles/stellarium.profile b/firejail_profiles/stellarium.profile new file mode 100644 index 0000000..d57c9e5 --- /dev/null +++ b/firejail_profiles/stellarium.profile @@ -0,0 +1,28 @@ +# Firejail profile for Stellarium. +noblacklist ~/.stellarium +noblacklist ~/.config/stellarium +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Whitelist +mkdir ~/.stellarium +whitelist ~/.stellarium +mkdir ~/.config/stellarium +whitelist ~/.config/stellarium + +caps.drop all +netfilter +nogroups +nonewprivs +noroot +nosound +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin stellarium +private-dev +private-tmp diff --git a/firejail_profiles/strings.profile b/firejail_profiles/strings.profile new file mode 100644 index 0000000..f99a650 --- /dev/null +++ b/firejail_profiles/strings.profile @@ -0,0 +1,10 @@ +# strings profile +quiet +ignore noroot +include /etc/firejail/default.profile +tracelog +net none +shell none +private-dev +nosound + diff --git a/firejail_profiles/synfigstudio.profile b/firejail_profiles/synfigstudio.profile new file mode 100644 index 0000000..d46467b --- /dev/null +++ b/firejail_profiles/synfigstudio.profile @@ -0,0 +1,17 @@ +# synfigstudio +noblacklist ${HOME}/.config/synfig +noblacklist ${HOME}/.synfig +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix +seccomp +private-dev +private-tmp +noexec ${HOME} +noexec /tmp diff --git a/firejail_profiles/tar.profile b/firejail_profiles/tar.profile new file mode 100644 index 0000000..663ac38 --- /dev/null +++ b/firejail_profiles/tar.profile 
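Review bot: `ignore noroot` in strings.profile removes the user-namespace root isolation inherited from default.profile, and the hunk gives no reason; tar (L68), unrar (L70), unzip and uudeview (L71) repeat the same line without comment. A one-line explanation next to it, e.g. `# ignore noroot: <reason this tool must keep the caller's uid view>`, would make the exception auditable; if no reason is known, the line should go.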
@@ -0,0 +1,18 @@ +# tar profile +quiet +ignore noroot +include /etc/firejail/default.profile + +tracelog +net none +shell none + +# support compressed archives +private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop +private-dev +nosound +no3d +private-etc passwd,group,localtime +hostname tar +blacklist /tmp/.X11-unix + diff --git a/firejail_profiles/telegram.profile b/firejail_profiles/telegram.profile new file mode 100644 index 0000000..8e91e42 --- /dev/null +++ b/firejail_profiles/telegram.profile @@ -0,0 +1,13 @@ +# Telegram IRC profile +noblacklist ${HOME}/.TelegramDesktop +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + diff --git a/firejail_profiles/thunderbird.profile b/firejail_profiles/thunderbird.profile new file mode 100644 index 0000000..5db50da --- /dev/null +++ b/firejail_profiles/thunderbird.profile @@ -0,0 +1,18 @@ +# Firejail profile for Mozilla Thunderbird +# Users have thunderbird set to open a browser by clicking a link in an email +# We are not allowed to blacklist browser-specific directories + +noblacklist ~/.gnupg +mkdir ~/.gnupg +whitelist ~/.gnupg + +noblacklist ~/.thunderbird +mkdir ~/.thunderbird +whitelist ~/.thunderbird + +noblacklist ~/.cache/thunderbird +mkdir ~/.cache/thunderbird +whitelist ~/.cache/thunderbird + +include /etc/firejail/firefox.profile + diff --git a/firejail_profiles/totem.profile b/firejail_profiles/totem.profile new file mode 100644 index 0000000..252b469 --- /dev/null +++ b/firejail_profiles/totem.profile 
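Review bot: `private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop` places `sh` inside the sandbox even though `shell none` is set; `shell none` only changes how firejail launches tar, while `sh` in private-bin stays executable by tar itself. The `# support compressed archives` comment accounts for the compressors but not for `sh`; if tar needs it to spawn `--use-compress-program` helpers, extend the comment to say so, otherwise drop it from the list (unrar and unzip on L70/L71 list only their own binary).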
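Review bot: The header `# Telegram IRC profile` mislabels the application — the directory it un-blacklists is `${HOME}/.TelegramDesktop`, Telegram Desktop's data, not an IRC client's; write `# Telegram Desktop messaging profile`. The profile also has none of `nogroups`, `shell none`, `private-dev` or `private-tmp`, all of which the qtox messaging profile on L60 sets.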
@@ -0,0 +1,15 @@ +# Totem media player profile +noblacklist ~/.config/totem +noblacklist ~/.local/share/totem + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +nonewprivs +noroot +netfilter +protocol unix,inet,inet6 +seccomp diff --git a/firejail_profiles/transmission-gtk.profile b/firejail_profiles/transmission-gtk.profile new file mode 100644 index 0000000..0cfa4fc --- /dev/null +++ b/firejail_profiles/transmission-gtk.profile @@ -0,0 +1,23 @@ +# transmission-gtk bittorrent profile +noblacklist ${HOME}/.config/transmission +noblacklist ${HOME}/.cache/transmission + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-bin transmission-gtk +whitelist /tmp/.X11-unix +private-dev + diff --git a/firejail_profiles/transmission-qt.profile b/firejail_profiles/transmission-qt.profile new file mode 100644 index 0000000..754211a --- /dev/null +++ b/firejail_profiles/transmission-qt.profile @@ -0,0 +1,22 @@ +# transmission-qt bittorrent profile +noblacklist ${HOME}/.config/transmission +noblacklist ${HOME}/.cache/transmission + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nosound +protocol unix,inet,inet6 +seccomp +tracelog + +shell none +private-bin transmission-qt +whitelist /tmp/.X11-unix +private-dev diff --git a/firejail_profiles/uget-gtk.profile b/firejail_profiles/uget-gtk.profile new file mode 100644 index 0000000..522b4bd --- /dev/null +++ b/firejail_profiles/uget-gtk.profile 
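Review bot: totem.profile stops at `caps.drop all`, `nonewprivs`, `noroot`, `netfilter`, `protocol` and `seccomp`, while xplayer.profile on L76, which appears to be the same kind of GTK media player, additionally sets `nogroups`, `shell none`, `tracelog`, `private-bin`, `private-dev` and `private-tmp`. Unless Totem needs something the stricter set would break, adding at least `private-dev`, `private-tmp` and `shell none` would give the two players equivalent confinement.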
@@ -0,0 +1,25 @@ +# uGet profile +noblacklist ${HOME}/.config/uGet + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc + +caps.drop all +netfilter +nonewprivs +noroot +protocol unix,inet,inet6 +seccomp + +whitelist ${DOWNLOADS} +mkdir ~/.config/uGet +whitelist ~/.config/uGet +include /etc/firejail/whitelist-common.inc + +shell none +private-bin uget-gtk +whitelist /tmp/.X11-unix +private-dev +nosound + diff --git a/firejail_profiles/unbound.profile b/firejail_profiles/unbound.profile new file mode 100644 index 0000000..5e2cb5f --- /dev/null +++ b/firejail_profiles/unbound.profile @@ -0,0 +1,13 @@ +# security profile for unbound (https://unbound.net) +noblacklist /sbin +noblacklist /usr/sbin +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc + +private +private-dev +nosound +seccomp.drop mount,umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,perf_event_open + diff --git a/firejail_profiles/unrar.profile b/firejail_profiles/unrar.profile new file mode 100644 index 0000000..f29d1b5 --- /dev/null +++ b/firejail_profiles/unrar.profile @@ -0,0 +1,17 @@ +# unrar profile +quiet +ignore noroot +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin unrar +private-dev +nosound +no3d +private-etc passwd,group,localtime +hostname unrar +private-tmp +blacklist /tmp/.X11-unix + 
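Review bot: `perf_event_open` is listed twice in unbound.profile's `seccomp.drop` list (near the start and as the final entry); keep one occurrence. The profile has no `caps.drop`/`caps.keep` and no `nonewprivs`, so the resolver keeps every capability while running; limiting it to what a DNS server needs (binding port 53, changing user) would match the "security profile" goal stated in the header. A comment explaining why a hand-written drop list is used instead of the default `seccomp` filter that every other profile in this commit relies on would let reviewers judge its completeness.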
diff --git a/firejail_profiles/unzip.profile b/firejail_profiles/unzip.profile new file mode 100644 index 0000000..0722485 --- /dev/null +++ b/firejail_profiles/unzip.profile @@ -0,0 +1,16 @@ +# unzip profile +quiet +ignore noroot +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin unzip +private-etc passwd,group,localtime +hostname unzip +private-dev +nosound +no3d +blacklist /tmp/.X11-unix + diff --git a/firejail_profiles/uudeview.profile b/firejail_profiles/uudeview.profile new file mode 100644 index 0000000..8ea9d51 --- /dev/null +++ b/firejail_profiles/uudeview.profile @@ -0,0 +1,15 @@ +# uudeview profile +quiet +ignore noroot +include /etc/firejail/default.profile + +tracelog +net none +shell none +private-bin uudeview +private-dev +private-etc nonexisting_fakefile_for_empty_etc +hostname uudeview +nosound +uudeview + diff --git a/firejail_profiles/vim.profile b/firejail_profiles/vim.profile new file mode 100644 index 0000000..3c1fefe --- /dev/null +++ b/firejail_profiles/vim.profile @@ -0,0 +1,17 @@ +# vim profile + +noblacklist ~/.vim +noblacklist ~/.vimrc +noblacklist ~/.viminfo + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all +netfilter +nonewprivs +noroot +nogroups +protocol unix,inet,inet6 +seccomp diff --git a/firejail_profiles/virtualbox.profile b/firejail_profiles/virtualbox.profile new file mode 100644 index 0000000..148b7ef --- /dev/null +++ b/firejail_profiles/virtualbox.profile @@ -0,0 +1,12 @@ +# VirtualBox profile + +noblacklist ${HOME}/.VirtualBox +noblacklist ${HOME}/VirtualBox VMs +noblacklist ${HOME}/.config/VirtualBox +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-passwdmgr.inc + +caps.drop all + + diff --git a/firejail_profiles/vivaldi-beta.profile b/firejail_profiles/vivaldi-beta.profile new file mode 100644 index 0000000..5426c4a 
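Review bot: The last line of uudeview.profile is a bare `uudeview`, which is not a firejail profile directive; if firejail treats unknown lines as invalid profile entries — worth confirming by loading the file with `--profile` — the profile will not load at all. Remove the line. `private-etc nonexisting_fakefile_for_empty_etc` is evidently a workaround to obtain an empty /etc and deserves a comment saying so, since a reader will otherwise take it for a typo.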
--- /dev/null
+++ b/firejail_profiles/vivaldi-beta.profile
@@ -0,0 +1,2 @@
+# Vivaldi Beta browser profile
+include /etc/firejail/vivaldi.profile
diff --git a/firejail_profiles/vivaldi.profile b/firejail_profiles/vivaldi.profile
new file mode 100644
index 0000000..08b0468
--- /dev/null
+++ b/firejail_profiles/vivaldi.profile
@@ -0,0 +1,23 @@
+# Vivaldi browser profile
+noblacklist ~/.config/vivaldi
+noblacklist ~/.cache/vivaldi
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+netfilter
+
+whitelist ${DOWNLOADS}
+mkdir ~/.config/vivaldi
+whitelist ~/.config/vivaldi
+mkdir ~/.cache/vivaldi
+whitelist ~/.cache/vivaldi
+include /etc/firejail/whitelist-common.inc
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
+whitelist ~/.lastpass
+whitelist ~/.config/lastpass
+
diff --git a/firejail_profiles/vlc.profile b/firejail_profiles/vlc.profile
new file mode 100644
index 0000000..2fd763f
--- /dev/null
+++ b/firejail_profiles/vlc.profile
@@ -0,0 +1,20 @@
+# VLC media player profile
+noblacklist ${HOME}/.config/vlc
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin vlc,cvlc,nvlc,rvlc,qvlc,svlc
+private-dev
+private-tmp
diff --git a/firejail_profiles/warzone2100.profile b/firejail_profiles/warzone2100.profile
new file mode 100644
index 0000000..7c7efad
--- /dev/null
+++ b/firejail_profiles/warzone2100.profile
@@ -0,0 +1,26 @@ +# Firejail profile for warzone2100 +# Currently supports warzone2100-3.1 +noblacklist ~/.warzone2100-3.1 +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +# Whitelist +mkdir ~/.warzone2100-3.1 +whitelist ~/.warzone2100-3.1 + +# Call these options +caps.drop all +netfilter +nogroups +nonewprivs +noroot +protocol unix,inet,inet6,netlink +seccomp +shell none +tracelog + +private-bin warzone2100 +private-dev +private-tmp diff --git a/firejail_profiles/webserver.net b/firejail_profiles/webserver.net new file mode 100644 index 0000000..d165e6f --- /dev/null +++ b/firejail_profiles/webserver.net @@ -0,0 +1,30 @@ +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] + +################################################################### +# Simple webserver filter +# +# Usage: +# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/apache2 start +# firejail --net=eth0 --ip=192.168.1.105 --netfilter=/etc/firejail/webserver.net /etc/init.d/nginx start +# +################################################################### + +# allow webserver traffic +-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT + +# allow incoming ping +-A INPUT -p icmp --icmp-type echo-request -j ACCEPT +-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT + +# allow outgoing DNS +-A OUTPUT -p udp --dport 53 -j ACCEPT +-A INPUT -p udp --sport 53 -j ACCEPT + +COMMIT + diff --git a/firejail_profiles/weechat-curses.profile b/firejail_profiles/weechat-curses.profile new file mode 100644 index 0000000..4a92f0b --- /dev/null +++ b/firejail_profiles/weechat-curses.profile 
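Review bot: `-A INPUT -p udp --sport 53 -j ACCEPT` in webserver.net accepts any inbound UDP datagram whose source port is 53, to any destination port, whether or not the sandbox sent a query; the TCP rules above it are state-matched but the DNS pair is not. Tie the reply to the outgoing query: `-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT` and `-A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT`. The ICMP echo rule likewise lets any host ping without a rate limit, which is a choice worth stating in the comment.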
@@ -0,0 +1,2 @@
+# Weechat IRC profile (Debian)
+include /etc/firejail/weechat.profile
diff --git a/firejail_profiles/weechat.profile b/firejail_profiles/weechat.profile
new file mode 100644
index 0000000..4100612
--- /dev/null
+++ b/firejail_profiles/weechat.profile
@@ -0,0 +1,15 @@
+# Weechat IRC profile
+noblacklist ${HOME}/.weechat
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# no private-bin support for various reasons:
+# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
\ No newline at end of file
diff --git a/firejail_profiles/wesnoth.profile b/firejail_profiles/wesnoth.profile
new file mode 100644
index 0000000..2ddb59d
--- /dev/null
+++ b/firejail_profiles/wesnoth.profile
@@ -0,0 +1,27 @@
+# Whitelist-based profile for "Battle for Wesnoth" (game).
+noblacklist ${HOME}/.config/wesnoth
+noblacklist ${HOME}/.cache/wesnoth
+noblacklist ${HOME}/.local/share/wesnoth
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+private-dev
+
+whitelist /tmp/.X11-unix
+
+mkdir ${HOME}/.local/share/wesnoth
+mkdir ${HOME}/.config/wesnoth
+mkdir ${HOME}/.cache/wesnoth
+whitelist ${HOME}/.local/share/wesnoth
+whitelist ${HOME}/.config/wesnoth
+whitelist ${HOME}/.cache/wesnoth
+include /etc/firejail/whitelist-common.inc
diff --git a/firejail_profiles/whitelist-common.inc b/firejail_profiles/whitelist-common.inc
new file mode 100644
index 0000000..a3ba768
--- /dev/null
+++ b/firejail_profiles/whitelist-common.inc
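Review bot: The final comment line of weechat.profile reads `# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins` and the file has no trailing newline — the plugin list appears to have been cut mid-line; it should end `..., trigger, xfer` with a newline after it. The profile also omits disable-devel.inc and disable-passwdmgr.inc, which most profiles in this commit include; if the scripting plugins listed in that comment are the reason, a sentence saying so would turn the omission from an apparent oversight into a documented decision.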
@@ -0,0 +1,40 @@
+# Local customizations come here
+include /etc/firejail/whitelist-common.local
+
+# common whitelist for all profiles
+
+whitelist ~/.XCompose
+whitelist ~/.config/mimeapps.list
+whitelist ~/.icons
+whitelist ~/.config/user-dirs.dirs
+read-only ~/.config/user-dirs.dirs
+whitelist ~/.asoundrc
+whitelist ~/.config/Trolltech.conf
+
+# fonts
+whitelist ~/.fonts
+whitelist ~/.fonts.d
+whitelist ~/.fontconfig
+whitelist ~/.fonts.conf
+whitelist ~/.fonts.conf.d
+whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
+
+# gtk
+whitelist ~/.gtkrc
+whitelist ~/.gtkrc-2.0
+whitelist ~/.config/gtk-2.0
+whitelist ~/.config/gtk-3.0
+whitelist ~/.themes
+whitelist ~/.kde/share/config/gtkrc
+whitelist ~/.kde/share/config/gtkrc-2.0
+
+# dconf
+mkdir ~/.config/dconf
+whitelist ~/.config/dconf
+
+# qt/kde
+whitelist ~/.config/kdeglobals
+whitelist ~/.kde/share/config/oxygenrc
+whitelist ~/.kde/share/config/kdeglobals
+whitelist ~/.kde/share/icons
diff --git a/firejail_profiles/wine.profile b/firejail_profiles/wine.profile
new file mode 100644
index 0000000..18e5346
--- /dev/null
+++ b/firejail_profiles/wine.profile
@@ -0,0 +1,14 @@
+# wine profile
+noblacklist ${HOME}/.steam
+noblacklist ${HOME}/.local/share/steam
+noblacklist ${HOME}/.wine
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+seccomp
diff --git a/firejail_profiles/xchat.profile b/firejail_profiles/xchat.profile
new file mode 100644
index 0000000..1f2865c
--- /dev/null
+++ b/firejail_profiles/xchat.profile
@@ -0,0 +1,14 @@
+# XChat IRC profile
+noblacklist ${HOME}/.config/xchat
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
+
+# private-bin requires perl, python, etc.
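Review bot: `whitelist ~/.config/mimeapps.list` in whitelist-common.inc is mounted writable, while `~/.config/user-dirs.dirs` three lines later gets a matching `read-only` line; mimeapps.list decides which application the desktop launches for each MIME type outside the sandbox, so a compromised sandboxed program could rewrite those associations. Unless a profile that includes this file is known to need to write it, add `read-only ~/.config/mimeapps.list` directly after its whitelist line, mirroring the user-dirs.dirs pair.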
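Review bot: wine.profile is the only profile visible in this commit that sets no `protocol` line, so the sandbox may open sockets of any family even though `netfilter` and `seccomp` are set, and wine runs arbitrary foreign binaries, which is where that restriction matters most. The neighbouring xchat.profile shows the conventional line, `protocol unix,inet,inet6`, placed between `noroot` and `seccomp`; widen it only if a specific wine workload is known to need another family. `private-dev` and `private-tmp`, present in the other desktop profiles here, are also absent, though that may be intentional for installers that stage files in /tmp.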
diff --git a/firejail_profiles/xpdf.profile b/firejail_profiles/xpdf.profile
new file mode 100644
index 0000000..e036fba
--- /dev/null
+++ b/firejail_profiles/xpdf.profile
@@ -0,0 +1,21 @@
+################################
+# xpdf application profile
+################################
+noblacklist ${HOME}/.xpdfrc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+shell none
+nonewprivs
+noroot
+protocol unix
+seccomp
+private-dev
+private-tmp
+net none
+
+
+
+
diff --git a/firejail_profiles/xplayer.profile b/firejail_profiles/xplayer.profile
new file mode 100644
index 0000000..54d5ed8
--- /dev/null
+++ b/firejail_profiles/xplayer.profile
@@ -0,0 +1,22 @@
+# Xplayer profile
+noblacklist ~/.config/xplayer
+noblacklist ~/.local/share/xplayer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+netfilter
+nonewprivs
+nogroups
+noroot
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-bin xplayer,xplayer-audio-preview,xplayer-video-thumbnailer
+private-dev
+private-tmp
diff --git a/firejail_profiles/xreader.profile b/firejail_profiles/xreader.profile
new file mode 100644
index 0000000..d2a000b
--- /dev/null
+++ b/firejail_profiles/xreader.profile
@@ -0,0 +1,23 @@
+# Xreader profile
+noblacklist ~/.config/xreader
+noblacklist ~/.cache/xreader
+noblacklist ~/.local/share
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin xreader, xreader-previewer, xreader-thumbnailer
+private-dev
+private-tmp
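Review bot: `private-bin xreader, xreader-previewer, xreader-thumbnailer` in xreader.profile has a space after each comma, whereas xplayer.profile in the same commit writes its list without spaces; the option is a comma-separated list, so the two helper names presumably carry a leading space and would not resolve to a binary, leaving the previewer and thumbnailer out of the private bin directory or making firejail reject the profile. Write it as `private-bin xreader,xreader-previewer,xreader-thumbnailer`. `noblacklist ~/.local/share` is also far broader than the `~/.local/share/xplayer`-style entries used elsewhere; if only xreader's own state is needed, `noblacklist ~/.local/share/xreader` keeps the rest of the disable-programs.inc blacklist in force.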
diff --git a/firejail_profiles/xviewer.profile b/firejail_profiles/xviewer.profile
new file mode 100644
index 0000000..cbb59d1
--- /dev/null
+++ b/firejail_profiles/xviewer.profile
@@ -0,0 +1,20 @@
+noblacklist ~/.config/xviewer
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nogroups
+nonewprivs
+noroot
+nosound
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-dev
+private-bin xviewer
+private-tmp
diff --git a/firejail_profiles/xz.profile b/firejail_profiles/xz.profile
new file mode 100644
index 0000000..5b29f73
--- /dev/null
+++ b/firejail_profiles/xz.profile
@@ -0,0 +1,3 @@
+# xz profile
+quiet
+include /etc/firejail/cpio.profile
diff --git a/firejail_profiles/xzdec.profile b/firejail_profiles/xzdec.profile
new file mode 100644
index 0000000..a9d027c
--- /dev/null
+++ b/firejail_profiles/xzdec.profile
@@ -0,0 +1,12 @@
+# xzdec profile
+quiet
+ignore noroot
+include /etc/firejail/default.profile
+tracelog
+net none
+shell none
+blacklist /tmp/.X11-unix
+private-dev
+nosound
+no3d
+
diff --git a/firejail_profiles/zathura.profile b/firejail_profiles/zathura.profile
new file mode 100644
index 0000000..7093c52
--- /dev/null
+++ b/firejail_profiles/zathura.profile
@@ -0,0 +1,20 @@
+# zathura document viewer profile
+noblacklist ~/.config/zathura
+noblacklist ~/.local/share/zathura
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+seccomp
+protocol unix
+netfilter
+nonewprivs
+noroot
+nogroups
+nosound
+shell none
+
+private-bin zathura
+private-dev
diff --git a/linux_hardening.txt b/linux_hardening.txt
index 9019f0a..6257390 100644
--- a/linux_hardening.txt
+++ b/linux_hardening.txt
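Review bot: xviewer.profile is the only profile in this commit without a header comment naming the application; the file opens directly with `noblacklist ~/.config/xviewer`. Add `# xviewer profile` above it so the file follows the `# Xreader profile` / `# Xplayer profile` convention of its siblings.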
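Review bot: zathura.profile ends with `private-bin zathura` and `private-dev` but, unlike xpdf, xreader and xviewer in this commit, has no `private-tmp`, so a document viewer that opens untrusted files keeps the host's shared /tmp. Add `private-tmp` after `private-dev` unless zathura is known to need files other programs drop in /tmp. `netfilter` on a profile whose `protocol unix` already excludes inet sockets appears redundant here, though it is harmless.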
@@ -32,7 +32,7 @@ Debian hardening points for workstations
 # https://wiki.debian.org/AppArmor/HowToUse
 # https://help.ubuntu.com/12.04/serverguide/apparmor.html
 apt-get update
- apt-get install apparmor apparmor-profiles apparmor-utils apparmor-profiles-extra apparmor-easyprof -y
+ apt-get install apparmor apparmor-profiles apparmor-utils apparmor-profiles-extra apparmor-easyprof firejail -y
 sed -i -e 's/GRUB_CMDLINE_LINUX_DEFAULT="/&security=apparmor /' /etc/default/grub
 sed -e 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/' /etc/default/grub
 update-grub
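Review bot: The new line installs the firejail package, but nothing in this section says how the profiles committed under firejail_profiles/ reach /etc/firejail, which is the path every `include /etc/firejail/...` line in those profiles assumes; a one-line pointer next to the apt-get line, such as `# copy firejail_profiles/* to /etc/firejail/ after installing`, would close that gap. The unchanged context line `sed -e 's/GRUB_TIMEOUT=5/GRUB_TIMEOUT=1/' /etc/default/grub` also lacks the `-i` its neighbour has, so as written it only prints the edited file; that predates this commit but sits in the same hunk. The enclosing section of the text file continues outside the hunk.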