add firejail profiles
This commit is contained in:
parent
67d1870ca5
commit
55b57c0341
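--- /dev/null
+++ b/[PATH-NOT-SHOWN: brave profile]
@@ -0,0 +1,34 @@
+# Firejail profile for brave
+# Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/dl
+
+mkdir ${HOME}/.cache/BraveSoftware
+mkdir ${HOME}/.config/BraveSoftware
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/dl
+
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
+# Redirect
+include chromium-common.profile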
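Review bot: `whitelist ${HOME}/.gnupg` together with the preceding `noblacklist ${HOME}/.gnupg` hands the browser the whole GnuPG home — secret keyrings, trust database and agent sockets — read-write, and `ignore noexec /tmp` removes a hardening that chromium-common.profile sets on purpose; the comment "brave uses gpg for built-in password manager" does not say which of those the browser actually needs. If only the agent socket is used, a narrower path or a read-only mapping would limit what a compromised renderer can reach — verify what Brave opens before narrowing. The noexec override also deserves a reason next to it, e.g. `# ignore noexec /tmp: Brave needs <what breaks otherwise — TODO document> executable under /tmp`, so a later reader can tell whether it is still required.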
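--- /dev/null
+++ b/[PATH-NOT-SHOWN: discord profile]
@@ -0,0 +1,23 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discord
+noblacklist ${HOME}/pix/keyboards
+noblacklist ${HOME}/pix/memes
+noblacklist ${HOME}/pix/screengrabs
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+whitelist ${HOME}/pix/memes
+whitelist ${HOME}/pix/sreengrabs
+whitelist ${HOME}/pix/keyboards
+
+private-bin discord
+private-opt discord
+
+# Redirect
+include discord-common.profile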
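Review bot: `whitelist ${HOME}/pix/sreengrabs` misspells the directory that the earlier `noblacklist ${HOME}/pix/screengrabs` line refers to, so the whitelist never matches and the screengrabs directory stays invisible inside the sandbox (firejail warns about a missing whitelist path and continues, as far as I recall). Change it to `whitelist ${HOME}/pix/screengrabs`. The three `pix` directories also get no `mkdir` line, unlike `${HOME}/.config/discord`; that is fine only if they are guaranteed to exist on the host before the profile runs.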
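--- /dev/null
+++ b/[PATH-NOT-SHOWN: firefox-common profile]
@@ -0,0 +1,60 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+#include firefox-common-addons.inc
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/dl
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+seccomp !chroot
+shell none
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+#tracelog
+
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none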
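Review bot: `whitelist ${HOME}/dl` hard-codes the download directory, while the transmission-common and virtualbox profiles in the same commit whitelist `${DOWNLOADS}`; if the two do not resolve to the same directory, files the browser saves are not visible to those sandboxes and vice versa. A one-line comment above the whitelist stating the intended mapping would make this checkable, e.g. `# ${HOME}/dl is the browser download directory; ${DOWNLOADS} is deliberately not whitelisted here because <reason — TODO document>`. The brave profile's `whitelist ${HOME}/dl` has the same question, and unlike the `.pki` entries this one has no `mkdir` in front of it, which is fine only if the directory already exists.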
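--- /dev/null
+++ b/[PATH-NOT-SHOWN: kdenlive profile]
@@ -0,0 +1,43 @@
+# Firejail profile for kdenlive
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdenlive.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
+noblacklist ${HOME}/dox
+whitelist ${HOME}/dox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+#apparmor
+caps.drop all
+# net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none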
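Review bot: `ignore noexec ${HOME}` re-enables execution from the home directory — the noexec presumably comes from the `disable-exec.inc` include a few lines below, so the override cancels part of that hardening — and there is no comment saying why kdenlive needs it, whereas the firefox-common profile in this commit documents its equivalent line. Add the reason next to it, e.g. `# ignore noexec ${HOME}: required for <what breaks otherwise — TODO document>`. The same goes for `#apparmor` and `# net none`: a short note on each saying whether they were disabled because they broke something or were just never tried lets the next reader decide whether to re-enable them.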
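--- /dev/null
+++ b/[PATH-NOT-SHOWN: libreoffice profile]
@@ -0,0 +1,53 @@
+# Firejail profile for libreoffice
+# Description: Office productivity suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include libreoffice.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${HOME}/dox
+whitelist ${HOME}/dox
+
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode.
+# comment the next line to use the ubuntu profile instead of firejail's apparmor profile
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
+#nonewprivs
+noroot
+notv
+nou2f
+novideo
+# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
+protocol unix,inet,inet6
+# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
+seccomp
+shell none
+# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
+tracelog
+
+private-dev
+private-tmp
+
+dbus-system none
+
+join-or-start libreoffice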
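Review bot: The profile's own comments say that `nonewprivs`, `protocol`, `seccomp` and `tracelog` are all to be commented out together when the distribution's AppArmor profile is used instead of firejail's `apparmor`; here `#apparmor` and `#nonewprivs` are commented but `protocol unix,inet,inet6`, `seccomp` and `tracelog` are left active, so the file matches neither of the two documented configurations. If firejail's AppArmor confinement is the intent, restore `apparmor` and `nonewprivs`; if the distribution profile is the intent, `nonewprivs` is still the one worth keeping, because without it processes in the sandbox can regain privileges through setuid binaries. Either way a one-line comment recording which configuration was chosen, e.g. `# running with the distribution's AppArmor profile; firejail apparmor/nonewprivs disabled on purpose`, would stop the next reader re-deriving this.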
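--- /dev/null
+++ b/[PATH-NOT-SHOWN: newsboat profile]
@@ -0,0 +1,50 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/newsboat
+whitelist ${HOME}/.config/newsboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute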
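Review bot: Only `${HOME}/.config/newsboat` is whitelisted; newsboat releases that use the XDG layout keep `cache.db` and the history files under `${HOME}/.local/share/newsboat`, and with `whitelist-common.inc` active that directory would be invisible, so the feed cache could not be written — verify against the installed version. If that layout is in use, add the matching `noblacklist ${HOME}/.local/share/newsboat`, `mkdir ${HOME}/.local/share/newsboat` and `whitelist ${HOME}/.local/share/newsboat`; if the legacy `${HOME}/.newsboat` layout is in use instead, a comment saying so above the whitelist would save the next reader the same question.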
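--- /dev/null
+++ b/[PATH-NOT-SHOWN: transmission-common profile]
@@ -0,0 +1,56 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/dox/torrents
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+mkdir ${HOME}/dox/torrents
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+whitelist ${HOME}/dox/torrents
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute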
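--- /dev/null
+++ b/[PATH-NOT-SHOWN: virtualbox profile]
@@ -0,0 +1,50 @@
+# Firejail profile for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virtualbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/VirtualBox
+mkdir ${HOME}/VirtualBox VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/VirtualBox VMs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/virtualbox
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+
+caps.keep net_raw,sys_nice
+netfilter
+nodvd
+#nogroups
+notv
+shell none
+tracelog
+
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+
+dbus-user none
+dbus-system none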
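Review bot: The comment "For host-only network sys_admin is needed" is separated from `caps.keep net_raw,sys_nice` by a blank line and that line does not keep `sys_admin`, so a reader cannot tell whether the capability was left out on purpose or the list is incomplete. Keeping `sys_admin` out of the default is the right choice — inside the sandbox it is close to full root — so make that explicit by dropping the blank line and rewording to `# host-only networking additionally needs sys_admin; add caps.keep net_raw,sys_admin,sys_nice to virtualbox.local if required (see issue 2868 above)`. Also worth a one-line note is why `seccomp`, `nonewprivs` and `noroot` are absent here while every other profile in the commit has them, presumably because of VirtualBox's setuid helpers — confirm and say so.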
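--- /dev/null
+++ b/[PATH-NOT-SHOWN: vlc profile]
@@ -0,0 +1,53 @@
+# Firejail profile for vlc
+# Description: Multimedia player and streamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vlc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/vidz
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${HOME}/vidz
+include whitelist-common.inc
+include whitelist-players.inc
+include whitelist-var-common.inc
+
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+#memory-deny-write-execute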
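--- /dev/null
+++ b/[PATH-NOT-SHOWN: one-line local override]
@@ -0,0 +1 @@
+protocol unix,inet,inet6,netlink\nignore seccomp\nseccomp \x21chroot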
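Review bot: The single added line contains the literal characters `\n` and `\x21` instead of newlines and `!`, so firejail will parse one directive, `protocol unix,inet,inet6,netlink\nignore seccomp\nseccomp \x21chroot`, whose trailing tokens are not valid protocol names, and `ignore seccomp` / `seccomp !chroot` are never applied (the hunk count `+1` confirms it is one line; presumably the file was written with an `echo` that does not interpret escapes). Replace it with three lines: `protocol unix,inet,inet6,netlink`, `ignore seccomp`, `seccomp !chroot`. The file name is not shown on this page, so I cannot tell which profile's `.local` this is meant to override — the file should get a header comment naming the profile it customizes, like the other files in this commit.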