profile fixes for 0.9.52 (Ubuntu 18.04) in etc-fixes directory
netblue30
committed
May 13, 2018
1 parent
47bc443
commit 92be701
Showing
4 changed files
with
178 additions
and
0 deletions.
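--- /dev/null
+++ b/etc-fixes/<firefox profile, filename not shown on page>
@@ -0,0 +1,96 @@
+# Firejail profile for firefox
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/firefox.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.cache/mozilla
+noblacklist ${HOME}/.config/okularpartrc
+noblacklist ${HOME}/.config/okularrc
+noblacklist ${HOME}/.config/qpdfview
+noblacklist ${HOME}/.kde/share/apps/kget
+noblacklist ${HOME}/.kde/share/apps/okular
+noblacklist ${HOME}/.kde/share/config/kgetrc
+noblacklist ${HOME}/.kde/share/config/okularpartrc
+noblacklist ${HOME}/.kde/share/config/okularrc
+noblacklist ${HOME}/.kde4/share/apps/kget
+noblacklist ${HOME}/.kde4/share/apps/okular
+noblacklist ${HOME}/.kde4/share/config/kgetrc
+noblacklist ${HOME}/.kde4/share/config/okularpartrc
+noblacklist ${HOME}/.kde4/share/config/okularrc
+# noblacklist ${HOME}/.local/share/gnome-shell/extensions
+noblacklist ${HOME}/.local/share/okular
+noblacklist ${HOME}/.local/share/qpdfview
+noblacklist ${HOME}/.mozilla
+noblacklist ${HOME}/.pki
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-programs.inc
+
+mkdir ${HOME}/.cache/mozilla/firefox
+mkdir ${HOME}/.mozilla
+mkdir ${HOME}/.pki
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-mplayer/plugin
+whitelist ${HOME}/.cache/mozilla/firefox
+whitelist ${HOME}/.config/gnome-mplayer
+whitelist ${HOME}/.config/okularpartrc
+whitelist ${HOME}/.config/okularrc
+whitelist ${HOME}/.config/pipelight-silverlight5.1
+whitelist ${HOME}/.config/pipelight-widevine
+whitelist ${HOME}/.config/qpdfview
+whitelist ${HOME}/.kde/share/apps/kget
+whitelist ${HOME}/.kde/share/apps/okular
+whitelist ${HOME}/.kde/share/config/kgetrc
+whitelist ${HOME}/.kde/share/config/okularpartrc
+whitelist ${HOME}/.kde/share/config/okularrc
+whitelist ${HOME}/.kde4/share/apps/kget
+whitelist ${HOME}/.kde4/share/apps/okular
+whitelist ${HOME}/.kde4/share/config/kgetrc
+whitelist ${HOME}/.kde4/share/config/okularpartrc
+whitelist ${HOME}/.kde4/share/config/okularrc
+whitelist ${HOME}/.keysnail.js
+whitelist ${HOME}/.lastpass
+whitelist ${HOME}/.local/share/gnome-shell/extensions
+whitelist ${HOME}/.local/share/okular
+whitelist ${HOME}/.local/share/qpdfview
+whitelist ${HOME}/.mozilla
+whitelist ${HOME}/.pentadactyl
+whitelist ${HOME}/.pentadactylrc
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.vimperator
+whitelist ${HOME}/.vimperatorrc
+whitelist ${HOME}/.wine-pipelight
+whitelist ${HOME}/.wine-pipelight64
+whitelist ${HOME}/.zotero
+whitelist ${HOME}/dwhelper
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+#seccomp - replaced with seccomp.drop for Firefox 60
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+#tracelog - disabled for Firefox 60
+
+disable-mnt
+# firefox requires a shell to launch on Arch.
+# private-bin firefox,which,sh,dbus-launch,dbus-send,env,bash
+private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+# private-etc iceweasel,ca-certificates,ssl,machine-id,dconf,selinux,passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
+private-tmp
+
+noexec ${HOME}
+noexec /tmp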
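Review bot: The `seccomp.drop @clock,...` line replaces the default seccomp filter with an explicit list, but the comment above it (`#seccomp - replaced with seccomp.drop for Firefox 60`) does not say which syscalls this list leaves out of the default set, so a maintainer cannot tell what was loosened or when it can be reverted. The list looks like the default blacklist with a few entries removed — presumably the ones Firefox 60's own sandbox needs — but that is inferred here, not stated in the file. Suggest extending the comment to name the difference and its trigger, e.g. `#seccomp - replaced with seccomp.drop for Firefox 60; re-allows the following syscalls vs. the default list: <syscalls — fill in>`. Separately, `# noblacklist ${HOME}/.local/share/gnome-shell/extensions` is commented out while the matching `whitelist ${HOME}/.local/share/gnome-shell/extensions` is active; if an included disable-*.inc blacklists that path the whitelist has no effect, so the two lines should agree or the whitelist should go.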
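--- /dev/null
+++ b/etc-fixes/<gedit profile, filename not shown on page>
@@ -0,0 +1,44 @@
+# Firejail profile for gedit
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gedit.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+# blacklist /run/user/*/bus - makes settings immutable
+
+noblacklist ${HOME}/.config/enchant
+noblacklist ${HOME}/.config/gedit
+noblacklist ${HOME}/.gitconfig
+
+include /etc/firejail/disable-common.inc
+# include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+# net none - makes settings immutable
+machine-id
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# private-bin gedit
+private-dev
+# private-etc fonts
+#private-lib gedit - disabled; problems when running "firejail gedit"; "firejail /usr/bin/gedit" works fine
+private-tmp
+
+noexec ${HOME}
+noexec /tmp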
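Review bot: The commented-out `# include /etc/firejail/disable-devel.inc` carries no reason, unlike the other disabled directives in this file (`# blacklist /run/user/*/bus` and `# net none`), which both explain the "makes settings immutable" trade-off. disable-devel.inc is active in the firefox and libreoffice profiles of this same commit, so the deviation looks deliberate but undocumented, and a later maintainer has no way to know whether it is still needed. Suggest recording the reason on the line, e.g. `# include /etc/firejail/disable-devel.inc - disabled: <reason — fill in>`. `noblacklist ${HOME}/.gitconfig` re-exposes the user's git configuration to the editor and would also benefit from a short note on why.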
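--- /dev/null
+++ b/etc-fixes/<libreoffice profile, filename not shown on page>
@@ -0,0 +1,36 @@
+# Firejail profile for libreoffice
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/libreoffice.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.java
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+#nonewprivs
+noroot
+notv
+#protocol unix,inet,inet6
+#seccomp
+shell none
+#tracelog
+
+private-dev
+private-tmp
+
+noexec ${HOME}
+noexec /tmp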
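Review bot: Four hardening directives are commented out with no explanation — `#nonewprivs`, `#protocol unix,inet,inet6`, `#seccomp` and `#tracelog` — which leaves this profile markedly weaker than the firefox and gedit profiles in the same commit, where every disabled directive carries a reason. Without `seccomp` the sandboxed process keeps the full syscall surface and without `nonewprivs` it can still gain privileges through setuid binaries, so the reason these were dropped (presumably a breakage on 0.9.52/Ubuntu 18.04, given the commit title) should be recorded next to each line, e.g. `#nonewprivs - disabled: <breakage observed on 0.9.52 / Ubuntu 18.04 — fill in>`, so the lines can be re-enabled once the cause is fixed. `noblacklist /usr/local/sbin` is likewise unexplained and unusual for an office suite; a comment naming what in LibreOffice needs that path would let a later maintainer re-tighten it.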