Add xfburn; Add memory-deny-write-execute to common.inc; Update profi…

…les which were broken with changes to common.inc
chiraag-nataraj · Jul 21, 2018 · 3aa640d · 3aa640d
1 parent 879962f
commit 3aa640d
Show file tree

Hide file tree

Showing 26 changed files with 97 additions and 328 deletions.
diff --git a/Viber.profile b/Viber.profile
@@ -3,6 +3,7 @@ ignore private-opt
 ignore nodbus
 ignore net
 ignore machine-id
+ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc

diff --git a/amule.profile b/amule.profile
@@ -1,34 +1,14 @@
-# Firejail profile for amule
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/amule.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore net
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-
-blacklist /usr/local/bin
-blacklist /usr/local/sbin
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/.aMule
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
 whitelist ${HOME}/.themes
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-nogroups
-nonewprivs
-noroot
-seccomp
-shell none
 
 private-bin amule
-private-dev
-private-etc fonts,hosts
-private-tmp
+private-etc hosts,fonts,xdg,gtk-3.0,X11,localtime,nsswitch.conf,resolv.conf
diff --git a/blender.profile b/blender.profile
@@ -1,3 +1,5 @@
+ignore memory-deny-write-execute
+
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc
 include ${HOME}/.config/firejail/noexec-tmp.inc

diff --git a/chromium.profile b/chromium.profile
@@ -4,6 +4,7 @@ ignore seccomp.block-secondary
 ignore nonewprivs
 ignore caps.drop
 ignore net
+ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc

diff --git a/common.inc b/common.inc
@@ -21,3 +21,4 @@ nodbus
 nou2f
 nogroups
 net none
+memory-deny-write-execute
diff --git a/dropbox.profile b/dropbox.profile
@@ -1,4 +1,5 @@
 ignore net
+ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-tmp.inc

diff --git a/emacs.profile b/emacs.profile
@@ -5,7 +5,7 @@ include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc
 include ${HOME}/.config/firejail/noexec-tmp.inc
 
-private-bin emacs,emacs-gtk,gpg,gpg-agent,pinentry,pinentry-gtk2,epdfinfo,sh,7z,7za,gzip,tar,xz,ls,cp,ln,rm,df,bash,ispell,xelatex,tex,latex,pdflatex,xdvipdfmx,w3m,gnuplot,asy
+private-bin emacs,emacs-gtk,gpg,gpg-agent,pinentry,pinentry-gtk2,epdfinfo,sh,7z,7za,gzip,tar,xz,ls,cp,ln,rm,df,bash,ispell,xelatex,tex,latex,pdflatex,xdvipdfmx,w3m,gnuplot,asy,git
 private-etc emacs,alternatives,passwd,localtime,fonts
 
 whitelist /tmp/user/1000/
@@ -24,7 +24,6 @@ whitelist ${HOME}/texmf
 mkdir ${HOME}/emacs_tmp/
 whitelist ${HOME}/emacs_tmp
 
-memory-deny-write-execute
 keep-var-tmp
 writable-var
 writable-run-user

diff --git a/firefox.profile b/firefox.profile
@@ -2,6 +2,7 @@ ignore private-dev
 ignore nou2f
 ignore net
 ignore nodbus
+ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc

diff --git a/gimp.profile b/gimp.profile
@@ -12,4 +12,4 @@ whitelist ${HOME}/Pictures
 
 private-bin gimp,gimp-2.10,gimp-console,gimp-console-2.10,python2.7
 private-etc gimp,fonts,alternatives
-private-lib babl-0.1,gegl-0.4,libjson-glib-1.0.so.0,libwebp.so.6,libavformat.so.57,libumfpack.so.5,libSDL-1.2.so.0,libraw.so.16,libIlmImf-2_2.so.23,libavformat.so.57,libswscale.so.4,libgegl-sc-0.4.so,libgudev-1.0.so.0,libgimp-2.0.so.0,libgimpui-2.0.so.0
+private-lib babl-0.1,gegl-0.4,libjson-glib-1.0.so.0,libwebp.so.6,libavformat.so.57,libavformat.so.58,libumfpack.so.5,libSDL-1.2.so.0,libraw.so.16,libIlmImf-2_2.so.23,libavformat.so.57,libswscale.so.4,libswscale.so.5,libgegl-sc-0.4.so,libgudev-1.0.so.0,libgimp-2.0.so.0,libgimpui-2.0.so.0
diff --git a/hugin.profile b/hugin.profile
@@ -1,3 +1,5 @@
+ignore memory-deny-write-execute
+
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc
 include ${HOME}/.config/firejail/noexec-tmp.inc

diff --git a/kdenlive.profile b/kdenlive.profile
@@ -1,32 +1,15 @@
-# Firejail profile for kdenlive
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/kdenlive.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore memory-deny-write-execute
+ignore nodbus
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
 # Apparently these break kdenlive for some people - they work for me though?
-# whitelist ${DOWNLOADS}
-# whitelist ${HOME}/.config/
-# whitelist ${HOME}/Videos
-# whitelist ${HOME}/kdenlive
-whitelist /tmp/.X11-unix
-# DBus is forced to use an ordinary unix socket
-whitelist /tmp/dbus_session_socket
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-net none
-nogroups
-noroot
-seccomp
-shell none
+whitelist ${HOME}/.config/
+whitelist ${HOME}/kdenlive
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/Videos
 
 private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
-private-dev
 private-etc fonts,alternatives,X11,pulse,passwd
diff --git a/libreoffice.profile b/libreoffice.profile
@@ -1,4 +1,5 @@
 ignore private-tmp
+ignore memory-deny-write-execute
 
 include ${HOME}/.config/firejail/common.inc
 include ${HOME}/.config/firejail/noexec-home.inc

diff --git a/lmms.profile b/lmms.profile
@@ -1,32 +1,11 @@
-# Firejail profile for lmms
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/lmms.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.lmmsrc.xml
 whitelist ${HOME}/Music
+whitelist ${HOME}/.lmmsrc.xml
 whitelist ${HOME}/lmms
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
 
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-seccomp
-shell none
-
-private-dev
+private-bin lmms
 private-etc fonts,pulse
-
-noexec /home
-noexec /tmp
diff --git a/luminance-hdr.profile b/luminance-hdr.profile
@@ -1,34 +1,13 @@
-# Firejail profile for luminance-hdr
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/luminance-hdr.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore memory-deny-write-execute
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
-whitelist ${HOME}/.LuminanceHDR
-whitelist ${HOME}/.config/Luminance
-whitelist ${HOME}/Downloads
 whitelist ${HOME}/Pictures
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-nosound
-seccomp
-shell none
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/.LuminanceHDR
+whitelist ${HOME}/.config/Luminance HDR Development Team
 
 private-bin luminance-hdr,luminance-hdr-cli,align_image_stack
-private-dev
 private-etc fonts,X11,alternatives
-
-noexec ${HOME}
-noexec /tmp
diff --git a/mupdf.profile b/mupdf.profile
@@ -1,34 +1,9 @@
-# Firejail profile for mupdf
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/mupdf.local
-# Persistent global definitions
-include /etc/firejail/globals.local
-
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /usr/local/bin
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
 whitelist ${DOWNLOADS}
 whitelist ${HOME}/Documents
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-nosound
-seccomp
-shell none
 
-private-bin mupdf,sh,tempfile,rm
-private-dev
+private-bin mupdf,sh,tempfile,rm,expr
 private-etc alternatives,X11,fonts
-private-tmp
-read-only ${HOME}
-
-noexec ${HOME}
-noexec /tmp
diff --git a/openshot.profile b/openshot.profile
@@ -1,30 +1,12 @@
-# Firejail profile for openshot
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/openshot.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore memory-deny-write-execute
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /usr/local/bin
-blacklist /usr/local/sbin
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
+whitelist ${HOME}/.openshot_qt/
 whitelist ${HOME}/.gtkrc-2.0
-whitelist ${HOME}/.gtkrc.mine
-whitelist ${HOME}/.openshot/
 whitelist ${HOME}/Downloads/
 whitelist ${HOME}/Videos/
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
 
-caps.drop all
-noroot
-protocol unix
-seccomp
-shell none
-
-private-bin openshot,python
-private-dev
+private-bin openshot-qt,python3
diff --git a/pidgin.profile b/pidgin.profile
@@ -1,36 +1,17 @@
-# Firejail profile for pidgin
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/pidgin.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore net
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
 whitelist ${DOWNLOADS}
+whitelist ${HOME}/.purple
 whitelist ${HOME}/.config/gtk-3.0
-whitelist ${HOME}/.config/pulse
 whitelist ${HOME}/.gtkrc-2.0
 whitelist ${HOME}/.gtkrc.mine
-whitelist ${HOME}/.pulse
-whitelist ${HOME}/.purple
 whitelist ${HOME}/.themes
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-nogroups
-noroot
-seccomp
-shell none
+whitelist ${HOME}/.pulse
+whitelist ${HOME}/.config/pulse
 
 private-bin pidgin
-private-dev
 private-etc X11,alternatives,resolv.conf,fonts,pulse
-private-tmp
-
-noexec ${HOME}
-noexec /tmp
diff --git a/qpdfview.profile b/qpdfview.profile
@@ -1,33 +1,12 @@
-# Firejail profile for qpdfview
-# This file is overwritten after every install/update
-# Persistent local customizations
-include /etc/firejail/qpdfview.local
-# Persistent global definitions
-include /etc/firejail/globals.local
+ignore memory-deny-write-execute
 
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
+include ${HOME}/.config/firejail/common.inc
+include ${HOME}/.config/firejail/noexec-home.inc
+include ${HOME}/.config/firejail/noexec-tmp.inc
 
 whitelist ${DOWNLOADS}
-whitelist ${HOME}/.config/qpdfview
 whitelist ${HOME}/Documents
-whitelist /tmp/.X11-unix
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-ipc-namespace
-net none
-nogroups
-noroot
-nosound
-seccomp
-shell none
+whitelist ${HOME}/.config/qpdfview
 
-private-bin qpdfview
-private-dev
 private-etc fonts,X11,alternatives
-
-noexec ${HOME}
-noexec /tmp
+private-bin qpdfview