add firejail profiles
This commit is contained in:
parent
67d1870ca5
commit
55b57c0341
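--- /dev/null
+++ b/brave.profile
@@ -0,0 +1,34 @@
+# Firejail profile for brave
+# Description: Web browser that blocks ads and trackers by default.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include brave.local
+# Persistent global definitions
+include globals.local
+
+# noexec /tmp is included in chromium-common.profile and breaks Brave
+ignore noexec /tmp
+
+noblacklist ${HOME}/.cache/BraveSoftware
+noblacklist ${HOME}/.config/BraveSoftware
+noblacklist ${HOME}/.config/brave
+noblacklist ${HOME}/.config/brave-flags.conf
+# brave uses gpg for built-in password manager
+noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/dl
+
+mkdir ${HOME}/.cache/BraveSoftware
+mkdir ${HOME}/.config/BraveSoftware
+mkdir ${HOME}/.config/brave
+whitelist ${HOME}/.cache/BraveSoftware
+whitelist ${HOME}/.config/BraveSoftware
+whitelist ${HOME}/.config/brave
+whitelist ${HOME}/.config/brave-flags.conf
+whitelist ${HOME}/.gnupg
+whitelist ${HOME}/dl
+
+# Brave sandbox needs read access to /proc/config.gz
+noblacklist /proc/config.gz
+
+# Redirect
+include chromium-common.profile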
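Review bot: Whitelisting `${HOME}/.gnupg` read-write (the `noblacklist ${HOME}/.gnupg` / `whitelist ${HOME}/.gnupg` pair) hands the browser sandbox the user's private keyring and trustdb, a much larger exposure than anything else this profile grants and exactly what a compromised renderer would want to reach. The justification `# brave uses gpg for built-in password manager` is not something the profile itself lets me confirm; if gpg access really is required, at least constrain it with `read-only ${HOME}/.gnupg` after the whitelist, and otherwise drop both lines or move them to brave.local so the exposure is an explicit opt-in. Note also that `ignore noexec /tmp` removes the noexec mount from chromium-common.profile, so anything written to /tmp inside the sandbox becomes executable; the comment says it "breaks Brave" but not which feature, and naming it would let a future reader judge whether the exception is still needed.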
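--- /dev/null
+++ b/discord.profile
@@ -0,0 +1,23 @@
+# Firejail profile for discord
+# This file is overwritten after every install/update
+# Persistent local customizations
+include discord.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/discord
+noblacklist ${HOME}/pix/keyboards
+noblacklist ${HOME}/pix/memes
+noblacklist ${HOME}/pix/screengrabs
+
+mkdir ${HOME}/.config/discord
+whitelist ${HOME}/.config/discord
+whitelist ${HOME}/pix/memes
+whitelist ${HOME}/pix/sreengrabs
+whitelist ${HOME}/pix/keyboards
+
+private-bin discord
+private-opt discord
+
+# Redirect
+include discord-common.profile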
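Review bot: `whitelist ${HOME}/pix/sreengrabs` misspells the directory that `noblacklist ${HOME}/pix/screengrabs` refers to, so the screengrabs directory is never whitelisted and will simply be absent inside the sandbox (firejail warns about a missing whitelist path rather than failing); change it to `whitelist ${HOME}/pix/screengrabs`. The whitelist block is also in a different order from the noblacklist block above it (keyboards, memes, screengrabs), which is how the typo slipped past; keeping both lists in the same order makes this kind of mismatch visible at a glance.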
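--- /dev/null
+++ b/firefox-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for firefox-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include firefox-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# noexec ${HOME} breaks DRM binaries.
+?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
+
+# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+#include firefox-common-addons.inc
+
+noblacklist ${HOME}/.pki
+noblacklist ${HOME}/.local/share/pki
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.pki
+mkdir ${HOME}/.local/share/pki
+whitelist ${HOME}/dl
+whitelist ${HOME}/.pki
+whitelist ${HOME}/.local/share/pki
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+#machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+# noroot breaks GTK_USE_PORTAL=1 usage, see https://github.com/netblue30/firejail/issues/2506.
+noroot
+notv
+?BROWSER_DISABLE_U2F: nou2f
+protocol unix,inet,inet6,netlink
+# The below seccomp configuration still permits chroot syscall. See https://github.com/netblue30/firejail/issues/2506 for possible workarounds.
+seccomp !chroot
+shell none
+# Disable tracelog, it breaks or causes major issues with many firefox based browsers, see https://github.com/netblue30/firejail/issues/1930.
+#tracelog
+
+disable-mnt
+?BROWSER_DISABLE_U2F: private-dev
+# private-etc below works fine on most distributions. There are some problems on CentOS.
+#private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+
+# breaks various desktop integration features
+# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+dbus-user none
+dbus-system none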
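Review bot: `whitelist ${HOME}/dl` hard-codes the download directory while transmission-common and virtualbox in this same commit use `whitelist ${DOWNLOADS}`; `${DOWNLOADS}` is resolved from the XDG user-dirs configuration, so unless XDG_DOWNLOAD_DIR points at ~/dl the browser and the other profiles end up whitelisting different directories and a file saved by Firefox is not visible to transmission. Pick one convention for the whole commit, and if the literal path stays, add `mkdir ${HOME}/dl` next to the `.pki` mkdir lines so the whitelist does not silently fail on a fresh home. Separately, this file is a full copy of the upstream profile rather than a firefox-common.local override (the file itself says it is overwritten on every update), so upstream hardening changes will no longer reach this machine unless the copy is refreshed by hand; the local changes here appear to be just the `dl` whitelist, which would fit in firefox-common.local.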
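--- /dev/null
+++ b/kdenlive.profile
@@ -0,0 +1,43 @@
+# Firejail profile for kdenlive
+# Description: Non-linear video editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kdenlive.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec ${HOME}
+
+noblacklist ${HOME}/.cache/kdenlive
+noblacklist ${HOME}/.config/kdenliverc
+noblacklist ${HOME}/.local/share/kdenlive
+noblacklist ${HOME}/.local/share/kxmlgui5/kdenlive
+noblacklist ${HOME}/dox
+whitelist ${HOME}/dox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+#apparmor
+caps.drop all
+# net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,netlink
+seccomp
+shell none
+
+private-bin dbus-launch,dvdauthor,ffmpeg,ffplay,ffprobe,genisoimage,kdeinit4,kdeinit4_shutdown,kdeinit4_wrapper,kdeinit5,kdeinit5_shutdown,kdeinit5_wrapper,kdenlive,kdenlive_render,kshell4,kshell5,melt,mlt-melt,vlc,xine
+private-dev
+# private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,X11,xdg
+
+# dbus-user none
+# dbus-system none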
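Review bot: `whitelist ${HOME}/dox` is the only whitelist entry in this profile, and a single whitelist switches ${HOME} into whitelist mode, so the four kdenlive paths that are merely `noblacklist`ed (`.cache/kdenlive`, `.config/kdenliverc`, `.local/share/kdenlive`, `.local/share/kxmlgui5/kdenlive`) stay hidden behind the tmpfs and kdenlive's settings and cache will not persist between runs. Every other profile in this commit pairs its noblacklist lines with matching mkdir/whitelist lines (brave and vlc do this); either do the same here or drop the dox whitelist and stay in blacklist mode. `ignore noexec ${HOME}` also deserves a why-comment like the one in brave, since it re-enables execution from the entire home directory for a media editor; I cannot tell from the profile which component needs it, so something like `# noexec ${HOME} breaks <component> — confirm` is the minimum.
```conf
noblacklist ${HOME}/dox

mkdir ${HOME}/.cache/kdenlive
mkdir ${HOME}/.local/share/kdenlive
mkdir ${HOME}/.local/share/kxmlgui5/kdenlive
mkfile ${HOME}/.config/kdenliverc
whitelist ${HOME}/.cache/kdenlive
whitelist ${HOME}/.config/kdenliverc
whitelist ${HOME}/.local/share/kdenlive
whitelist ${HOME}/.local/share/kxmlgui5/kdenlive
whitelist ${HOME}/dox
include whitelist-common.inc
# … unchanged: disable-*.inc includes and the rest of the profile …
```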
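--- /dev/null
+++ b/libreoffice.profile
@@ -0,0 +1,53 @@
+# Firejail profile for libreoffice
+# Description: Office productivity suite
+# This file is overwritten after every install/update
+# Persistent local customizations
+include libreoffice.local
+# Persistent global definitions
+include globals.local
+
+noblacklist /usr/local/sbin
+noblacklist ${HOME}/.config/libreoffice
+noblacklist ${HOME}/dox
+whitelist ${HOME}/dox
+
+# libreoffice uses java for some certain operations
+# comment if you don't care about java functionality
+# Allow java (blacklisted by disable-devel.inc)
+include allow-java.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+# ubuntu 18.04 comes with its own apparmor profile, but it is not in enforce mode.
+# comment the next line to use the ubuntu profile instead of firejail's apparmor profile
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+# comment nonewprivs when using the ubuntu 18.04/debian 10 apparmor profile
+#nonewprivs
+noroot
+notv
+nou2f
+novideo
+# comment the protocol line when using the ubuntu 18.04/debian 10 apparmor profile
+protocol unix,inet,inet6
+# comment seccomp when using the ubuntu 18.04/debian 10 apparmor profile
+seccomp
+shell none
+# comment tracelog when using the ubuntu 18.04/debian 10 apparmor profile
+tracelog
+
+private-dev
+private-tmp
+
+dbus-system none
+
+join-or-start libreoffice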
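Review bot: `#nonewprivs` is commented out while `seccomp`, `protocol unix,inet,inet6` and `tracelog` stay enabled, so the profile is in neither of the two configurations its own comments describe (firejail's apparmor is also off at `#apparmor`); with no_new_privs unset, any setuid or file-capability binary reachable from the sandbox can still regain privileges, and nothing visible here needs that. Re-enable `nonewprivs` unless a specific breakage was observed, and if it was, record it in a comment next to the line rather than leaving the generic Ubuntu/Debian note. A second point: `whitelist ${HOME}/dox` is the only whitelist, which puts ${HOME} into whitelist mode, so `noblacklist ${HOME}/.config/libreoffice` does not actually make the config directory visible; it needs `mkdir ${HOME}/.config/libreoffice`, `whitelist ${HOME}/.config/libreoffice` and `include whitelist-common.inc` for user profiles and settings to persist, as the brave and vlc profiles in this commit do for their own directories.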
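--- /dev/null
+++ b/newsboat.profile
@@ -0,0 +1,50 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/newsboat
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/newsboat
+whitelist ${HOME}/.config/newsboat
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute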
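Review bot: `private-bin newsboat` leaves only the newsboat binary in the sandbox's bin directories, so anything the user's newsboat config launches through `browser`, `pager` or `html-renderer` (a terminal browser, `less`, and so on) will fail with command-not-found inside the sandbox; if those features are used, extend the line to the helpers actually configured (for example `private-bin newsboat,w3m,less`) and add a comment that every URL handler has to be listed there. Also, only `${HOME}/.config/newsboat` is whitelisted, so a cache.db or urls file kept under `~/.local/share/newsboat` or `~/.newsboat` would be hidden and recreated on every run; I cannot tell from the profile where this setup keeps them, so it is worth a quick check that feeds and read-state actually persist across restarts.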
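--- /dev/null
+++ b/transmission-common.profile
@@ -0,0 +1,56 @@
+# Firejail profile for transmission-common
+# Description: Fast, easy and free BitTorrent client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include transmission-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/transmission
+noblacklist ${HOME}/.config/transmission
+noblacklist ${HOME}/dox/torrents
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.cache/transmission
+mkdir ${HOME}/.config/transmission
+mkdir ${HOME}/dox/torrents
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/transmission
+whitelist ${HOME}/.config/transmission
+whitelist ${HOME}/dox/torrents
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+private-lib
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute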
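Review bot: `nogroups` is missing from the hardening block (the list goes straight from `nodvd` to `nonewprivs`) while every other profile in this commit with a visible `caps.drop all` also sets it, so transmission keeps the user's supplementary groups inside the sandbox; add `nogroups` after `nodvd`, or if it was dropped on purpose (for instance because the download directory is group-writable) leave a one-line comment saying so. The file also carries `#include globals.local` with `# added by caller profile`, so any hardening placed in globals.local only takes effect if the transmission-gtk/qt/cli profile that includes this one does include it — worth confirming, since those caller profiles are not part of this commit.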
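--- /dev/null
+++ b/virtualbox.profile
@@ -0,0 +1,50 @@
+# Firejail profile for virtualbox
+# Description: x86 virtualization solution
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virtualbox.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.VirtualBox
+noblacklist ${HOME}/.config/VirtualBox
+noblacklist ${HOME}/VirtualBox VMs
+# noblacklist /usr/bin/virtualbox
+noblacklist /usr/lib/virtualbox
+noblacklist /usr/lib64/virtualbox
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/VirtualBox
+mkdir ${HOME}/VirtualBox VMs
+whitelist ${HOME}/.config/VirtualBox
+whitelist ${HOME}/VirtualBox VMs
+whitelist ${DOWNLOADS}
+whitelist /usr/share/virtualbox
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# For host-only network sys_admin is needed. See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+
+caps.keep net_raw,sys_nice
+netfilter
+nodvd
+#nogroups
+notv
+shell none
+tracelog
+
+#disable-mnt
+private-cache
+private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,hostname,hosts,ld.so.cache,localtime,machine-id,pki,pulse,resolv.conf,ssl
+
+dbus-user none
+dbus-system none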
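Review bot: The comment `# For host-only network sys_admin is needed` sits directly above `caps.keep net_raw,sys_nice`, which does not keep sys_admin, so a reader cannot tell whether host-only networking is meant to be unsupported here or the capability was forgotten; make the intent explicit, e.g. `# sys_admin is deliberately not kept: host-only networking is not used in this sandbox`, or add it to caps.keep if it is needed. More broadly this is the only profile in the commit with no `caps.drop all`, `nonewprivs`, `noroot` or `seccomp` (and with `#nogroups` and `#disable-mnt` commented out), presumably because VirtualBox's setuid helpers and kernel-module access do not survive those restrictions, but the result is a sandbox that is mostly a filesystem view with a couple of capabilities dropped. A header comment stating that would stop someone from assuming VirtualBox is confined like the other applications in this commit.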
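--- /dev/null
+++ b/vlc.profile
@@ -0,0 +1,53 @@
+# Firejail profile for vlc
+# Description: Multimedia player and streamer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include vlc.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/vlc
+noblacklist ${HOME}/vidz
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+read-only ${DESKTOP}
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/vlc
+whitelist ${HOME}/vidz
+include whitelist-common.inc
+include whitelist-players.inc
+include whitelist-var-common.inc
+
+#apparmor - on Ubuntu 18.04 it refuses to start without dbus access
+caps.drop all
+netfilter
+nogroups
+nonewprivs
+noroot
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-dev
+private-tmp
+
+# dbus needed for MPRIS
+# dbus-user none
+# dbus-system none
+
+# mdwe is disabled due to breaking hardware accelerated decoding
+#memory-deny-write-execute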
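Review bot: Both `# dbus-user none` and `# dbus-system none` are commented out with the reason `# dbus needed for MPRIS`, but MPRIS is a session-bus interface, so leaving the system bus open buys nothing for it and `dbus-system none` can be re-enabled as in every other profile in this commit. For the session bus, firejail's filtered mode limits the exposure to the one name VLC needs: replace the two commented lines with `dbus-user filter`, `dbus-user.own org.mpris.MediaPlayer2.vlc` and `dbus-system none`, after confirming the installed firejail supports the dbus filter commands, since older releases reject unknown profile lines rather than ignoring them. Minor: `whitelist ${HOME}/vidz` has no matching `mkdir`, unlike the three vlc directories above it; harmless if the directory always exists, but worth aligning.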
@ -0,0 +1 @@
protocol unix,inet,inet6,netlink\nignore seccomp\nseccomp \x21chroot
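Review bot: The whole file is a single line containing literal `\n` and `\x21` sequences, so firejail will parse it as one `protocol` command whose argument is `unix,inet,inet6,netlink\nignore` followed by garbage rather than the three directives that were clearly intended; it looks like the content was written with `echo` instead of `printf` or `echo -e`, and the path of this one-line file is not visible in this chunk so I cannot say which profile includes it. Rewrite it as three lines: `protocol unix,inet,inet6,netlink`, `ignore seccomp`, `seccomp !chroot`. Once fixed, verify the net effect with `firejail --seccomp.print=<name>` on a running instance: firejail's `ignore` matches by command prefix and applies to every line processed after it, so `ignore seccomp` may suppress the `seccomp !chroot` that follows it as well as the `seccomp` in the main profile, which would leave the sandbox with no syscall filter at all instead of one that merely permits chroot.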