# Local customizations come here
include /etc/firejail/disable-common.local
# History files in $HOME
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.*_history
blacklist ${HOME}/.local/share/systemd
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.macromedia
read-only ${HOME}/.local/share/applications
# X11 session and desktop autostart files (a writable entry here would let a sandboxed program schedule commands that run outside the sandbox at the next login)
blacklist ${HOME}/.xinitrc
blacklist ${HOME}/.xprofile
blacklist ${HOME}/.config/autostart
blacklist /etc/xdg/autostart
blacklist ${HOME}/.kde4/Autostart
blacklist ${HOME}/.kde4/share/autostart
blacklist ${HOME}/.kde/Autostart
blacklist ${HOME}/.kde/share/autostart
blacklist ${HOME}/.config/plasma-workspace/shutdown
blacklist ${HOME}/.config/plasma-workspace/env
blacklist ${HOME}/.config/lxsession/LXDE/autostart
blacklist ${HOME}/.fluxbox/startup
blacklist ${HOME}/.config/openbox/autostart
blacklist ${HOME}/.config/openbox/environment
blacklist ${HOME}/.gnomerc
blacklist /etc/X11/Xsession.d/
# VirtualBox
blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/VirtualBox VMs
blacklist ${HOME}/.config/VirtualBox
# VeraCrypt
blacklist ${PATH}/veracrypt
blacklist ${PATH}/veracrypt-uninstall.sh
blacklist /usr/share/veracrypt
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist ${HOME}/.VeraCrypt
# /var: scheduler spool directories and service control sockets
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock
# /etc: system-wide startup and scheduler files
blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
# General startup files (note: ~/.xinitrc is already blacklisted in the X11 section above, and ~/.profile is listed again under shell startup files)
read-only ${HOME}/.xinitrc
read-only ${HOME}/.xserverrc
read-only ${HOME}/.profile
# Shell startup files
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_login
read-only ${HOME}/.bashrc
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bash_logout
read-only ${HOME}/.zsh.d
read-only ${HOME}/.zshenv
read-only ${HOME}/.zshrc
read-only ${HOME}/.zshrc.local
read-only ${HOME}/.zlogin
read-only ${HOME}/.zprofile
read-only ${HOME}/.zlogout
read-only ${HOME}/.zsh_files
read-only ${HOME}/.tcshrc
read-only ${HOME}/.cshrc
read-only ${HOME}/.csh_files
read-only ${HOME}/.profile
# Initialization files that can execute arbitrary commands when the owning program starts; kept read-only so a sandboxed process cannot plant commands in them
read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles
read-only ${HOME}/dotfiles
read-only ${HOME}/.mailcap
read-only ${HOME}/.exrc
read-only ${HOME}/_exrc
read-only ${HOME}/.vimrc
read-only ${HOME}/_vimrc
read-only ${HOME}/.gvimrc
read-only ${HOME}/_gvimrc
read-only ${HOME}/.vim
read-only ${HOME}/.emacs
read-only ${HOME}/.emacs.d
read-only ${HOME}/.nano
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
read-only ${HOME}/.muttrc
read-only ${HOME}/.mutt/muttrc
read-only ${HOME}/.msmtprc
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
# The user ~/bin directory can override commands such as ls
read-only ${HOME}/bin
# Credentials and key material: SSH, certificates, keyrings/wallets, GnuPG, password databases, mail and SMB credentials, and the shadow/passwd backup files (.muttrc, .mutt/muttrc and .msmtprc are also marked read-only above; the blacklist here makes that moot)
blacklist ${HOME}/.ssh
blacklist ${HOME}/.cert
blacklist ${HOME}/.gnome2/keyrings
blacklist ${HOME}/.kde4/share/apps/kwallet
blacklist ${HOME}/.kde/share/apps/kwallet
blacklist ${HOME}/.local/share/kwalletd
blacklist ${HOME}/.config/keybase
blacklist ${HOME}/.netrc
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.caff
blacklist ${HOME}/.smbcredentials
blacklist ${HOME}/*.kdbx
blacklist ${HOME}/*.kdb
blacklist ${HOME}/*.key
blacklist ${HOME}/.muttrc
blacklist ${HOME}/.mutt/muttrc
blacklist ${HOME}/.msmtprc
blacklist /etc/shadow
blacklist /etc/gshadow
blacklist /etc/passwd-
blacklist /etc/group-
blacklist /etc/shadow-
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/group+
blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup
# System management and debugging tools: mounting, privilege escalation, input-device capture, process tracing, raw network sockets
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
blacklist ${PATH}/evtest
blacklist ${PATH}/xev
blacklist ${PATH}/strace
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
# System administration binary directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin
# Prevent lxterminal from connecting to an existing lxterminal session through its socket (same class of escape as the terminal servers below)
blacklist /tmp/.lxterminal-socket*
# Disable terminals that run as a server: the new window would be opened by the already-running process outside the sandbox, which amounts to a sandbox escape
blacklist ${PATH}/gnome-terminal
blacklist ${PATH}/gnome-terminal.wrapper
blacklist ${PATH}/xfce4-terminal
blacklist ${PATH}/xfce4-terminal.wrapper
blacklist ${PATH}/mate-terminal
blacklist ${PATH}/mate-terminal.wrapper
blacklist ${PATH}/lilyterm
blacklist ${PATH}/pantheon-terminal
blacklist ${PATH}/roxterm
blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd