profile fixes for 0.9.52 (Ubuntu 18.04) in etc-fixes directory

README.md

@@ -93,6 +93,8 @@ If you keep additional Firejail security profiles in a public repository, please
 * https://github.com/triceratops1/fe
 
 Use this issue to request new profiles: [#1139](https://github.com/netblue30/firejail/issues/1139)
+
+We also keep a list of fixes for previous released versions in etc-fixes directory.
 `````
 
 `````

etc-fixes/0.9.52/firefox.profile

@@ -0,0 +1,96 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp

etc-fixes/0.9.52/gedit.profile

@@ -0,0 +1,44 @@
+# Firejail profile for gedit
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gedit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklist /run/user/*/bus - makes settings immutable
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
+
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# net none - makes settings immutable
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gedit
+private-dev
+# private-etc fonts
+#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
+private-tmp
+
+noexec ${HOME}
+noexec /tmp

etc-fixes/0.9.52/libreoffice.profile

@@ -0,0 +1,36 @@
+# Firejail profile for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/libreoffice.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.java
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+#nonewprivs
+noroot
+notv
+#protocol unix,inet,inet6
+#seccomp
+shell none
+#tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp