From 6ea485a808c1bc86cdbff55b99b5e5e9e03ab65b Mon Sep 17 00:00:00 2001 
From: jc_gargma Date: Sun, 18 Oct 2020 20:54:47 -0700 Subject: Updated for firejail 0.9.64-rc1 --- PKGBUILD | 4 +-- profiles/0ad.local | 2 -- profiles/abook.profile | 49 +++++++++++++++++++++++++ profiles/calcurse.profile | 7 +++- profiles/disable-programs.local | 6 +--- profiles/dolphin-emu.profile | 30 ++++++++++++++++ profiles/dosbox.local | 4 ++- profiles/firefox.local | 7 +++- profiles/generic-game.inc | 4 ++- profiles/generic-wine-game.inc | 6 +++- profiles/gwenview.local | 4 ++- profiles/karbon.profile | 5 ++- profiles/keepassxc.local | 19 ++++++++-- profiles/kget.local | 6 ++-- profiles/kmymoney.profile | 4 ++- profiles/konqueror.profile | 4 ++- profiles/konversation.local | 9 ++++- profiles/ktorrent.local | 4 ++- profiles/lgogdownloader.profile | 4 ++- profiles/mocp.local | 19 ++++++++++ profiles/mocp.profile | 51 -------------------------- profiles/mount-and-blade-ii.profile | 9 +++++ profiles/mount-and-blade-warband.profile | 3 ++ profiles/newsboat.local | 2 +- profiles/nyamp.profile | 4 ++- profiles/okular.local | 4 ++- profiles/pioneer.local | 3 ++ profiles/poi.profile | 5 +-- profiles/ppsspp.local | 10 ++++++ profiles/qtox.local | 3 -- profiles/rtv.local | 17 +++++++++ profiles/rtv.profile | 61 -------------------------------- profiles/strawberry.local | 45 +++++++++++++++++++++++ profiles/strawberry.profile | 45 ----------------------- profiles/toxic.profile | 4 ++- profiles/vlc.local | 22 ++++++++---- profiles/w3m.local | 4 ++- profiles/weechat.local | 4 ++- profiles/wesnoth.local | 4 ++- profiles/wget.local | 2 -- profiles/wine.local | 1 + profiles/x4-foundations.profile | 3 ++ profiles/xcom-2.profile | 3 ++ profiles/youtube-dl.local | 2 -- 44 files changed, 303 insertions(+), 205 deletions(-) create mode 100644 profiles/abook.profile create mode 100644 profiles/dolphin-emu.profile create mode 100644 profiles/mocp.local delete mode 100644 profiles/mocp.profile create mode 100644 profiles/ppsspp.local create mode 100644 profiles/rtv.local delete 
mode 100644 profiles/rtv.profile create mode 100644 profiles/strawberry.local delete mode 100644 profiles/strawberry.profile diff --git a/PKGBUILD b/PKGBUILD index 3c7c001..9309e81 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,7 +1,7 @@ # Maintainer: jc_gargma pkgname=firejail-profiles -pkgver=20201012 +pkgver=20201018 pkgrel=1 pkgdesc="Additional firejail profiles and locals" arch=('any') @@ -9,7 +9,7 @@ url="https://library.iserlohn-fortress.net/firejail-profiles.git" license=('GPLv3') depends=('firejail' 'hardened-malloc') source=(profiles.tar.gz) -b2sums=('a9c31ca046b8cd59cf3ae69cd71480c14d0654eb25608354a05a3e8d91c0acb9ae83f8ed2759d24495625e8c42463da413ffad8d87277a68aa2d338267c5eecb') +b2sums=('e570686f4bfdc9cee3b7169c9fec3b043606071f9ded1ce3c81b68e6a5486897f0e176ee7b7b256ad41b07fa6e446625cbdbbb7e5785d9382506ceb8a17ebfd6') package() { install --directory ${pkgdir}/etc/firejail diff --git a/profiles/0ad.local b/profiles/0ad.local index c5e5982..dc9c78f 100644 --- a/profiles/0ad.local +++ b/profiles/0ad.local @@ -1,3 +1 @@ include disable-xdg.inc - -private-cache diff --git a/profiles/abook.profile b/profiles/abook.profile new file mode 100644 index 0000000..85804ed --- /dev/null +++ b/profiles/abook.profile 
@@ -0,0 +1,49 @@ +# Firejail profile for abook +# Description: A powerful & easy to use console audio player +# This file is overwritten after every install/update +quiet +# Persistent local customizations +include abook.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.abook + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix +seccomp +shell none +tracelog + +private-bin abook,nano +private-cache +private-dev +private-etc group +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +read-write ${HOME}/.abook diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile index 2bdde1a..f9649c5 100644 --- a/profiles/calcurse.profile +++ b/profiles/calcurse.profile @@ -4,6 +4,9 @@ include calcurse.local # Persistent global definitions include globals.local +blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* + noblacklist ${HOME}/.config/calcurse noblacklist ${HOME}/.local/share/calcurse mkdir ${HOME}/.config/calcurse @@ -17,7 +20,6 @@ machine-id net none netfilter no3d -nodbus nodvd nogroups nonewprivs @@ -40,3 +42,6 @@ private-tmp # # Use with hardened-malloc package env LD_PRELOAD=/usr/lib/libhardened_malloc.so + +dbus-user none +dbus-system none diff --git a/profiles/disable-programs.local b/profiles/disable-programs.local index 0f49812..81b82c5 100644 --- a/profiles/disable-programs.local +++ b/profiles/disable-programs.local 
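Review bot: The `# Description:` line of the new abook.profile reads `A powerful & easy to use console audio player`, which describes moc, not abook (an address-book manager); suggest `# Description: Text-based addressbook program`. abook also has no network use that I can see, yet the profile carries `netfilter` with no `net none`, so the sandbox keeps network access — `netfilter` only matters once a `--net` device exists, as poi.profile's own comment in this commit says — so consider replacing it with `net none`. Both points concern this hunk only.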
@@ -17,7 +17,6 @@ blacklist ${HOME}/.config/openmw-wizardrc blacklist ${HOME}/.config/OpenRCT2 blacklist ${HOME}/.config/Proxy Studios blacklist ${HOME}/.config/Proxy Studios/Pandora -blacklist ${HOME}/.config/rtv blacklist ${HOME}/.config/smolbote blacklist ${HOME}/.config/StardewValley blacklist ${HOME}/.config/unity3d @@ -35,7 +34,6 @@ blacklist ${HOME}/.local/share/Almost Human blacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock blacklist ${HOME}/.local/share/cataclysm-dda blacklist ${HOME}/.local/share/endless-sky -blacklist ${HOME}/.local/share/FasterThanLight blacklist ${HOME}/.local/share/Goldhawk Interactive blacklist ${HOME}/.local/share/kaddressbook blacklist ${HOME}/.local/share/klipper @@ -47,7 +45,6 @@ blacklist ${HOME}/.local/share/maildir blacklist ${HOME}/.local/share/networkmanagement blacklist ${HOME}/.local/share/OpenRCT2 blacklist ${HOME}/.local/share/openmw -blacklist ${HOME}/.local/share/Paradox Interactive blacklist ${HOME}/.local/share/Paradox Interactive/Imperator blacklist ${HOME}/.local/share/sddm blacklist ${HOME}/.local/share/smolbote @@ -56,8 +53,7 @@ blacklist ${HOME}/.local/share/wineprefixes/SanctuaryRPG blacklist ${HOME}/.local/share/wineprefixes/SimCity4 blacklist ${HOME}/.local/share/wineprefixes/StarCitizen blacklist ${HOME}/.local/share/wineprefixes/Warframe -blacklist ${HOME}/.mbwarband -blacklist ${HOME}/.moc +blacklist ${HOME}/.paradoxinteractive/Crusader Kings II blacklist ${HOME}/.renpy blacklist ${HOME}/.t4-engine blacklist ${HOME}/applications/tor-browser_en-US diff --git a/profiles/dolphin-emu.profile b/profiles/dolphin-emu.profile new file mode 100644 index 0000000..74ba6c3 --- /dev/null +++ b/profiles/dolphin-emu.profile 
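Review bot: Dropping `blacklist ${HOME}/.local/share/Paradox Interactive` while keeping the `.../Paradox Interactive/Imperator` entry leaves every other Paradox subdirectory visible to all sandboxed programs unless upstream's disable-programs.inc now covers the parent, which is not visible here. The other removals (`.config/rtv`, `FasterThanLight`, `.mbwarband`, `.moc`) presumably moved upstream too, but nothing in the file says so, and as written it reads as a silent widening; a one-line `#` comment at the top naming the firejail release whose disable-programs.inc absorbed them would make the intent checkable. The added `Crusader Kings II` line follows the unquoted-space style of the `Proxy Studios` entries above it, so that part is consistent.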
@@ -0,0 +1,30 @@ +# This file is overwritten after every install/update +# Persistent local customizations +include dolphin-emu.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.config/dolphin-emu +noblacklist ${HOME}/.local/share/dolphin-emu +noblacklist ${HOME}/games/Emulators/GCNGAMES + +mkdir ${HOME}/.config/dolphin-emu +mkdir ${HOME}/.local/share/dolphin-emu +whitelist ${HOME}/.config/dolphin-emu +whitelist ${HOME}/.local/share/dolphin-emu +whitelist ${HOME}/games/Emulators/GCNGAMES +read-only ${HOME}/games/Emulators/GCNGAMES +include whitelist-common.inc + +# machine-id, obs, and alsa don't get along +#ignore machine-id + +protocol unix,netlink +seccomp !name_to_handle_at + +# private-dev breaks joysticks +ignore private-dev + +ignore memory-deny-write-execute + +include generic-game.inc diff --git a/profiles/dosbox.local b/profiles/dosbox.local index fcfbe11..7e379f7 100644 --- a/profiles/dosbox.local +++ b/profiles/dosbox.local @@ -8,7 +8,6 @@ ignore netfilter # # nogroups breaks alsa audio when using fluidsynth for midi ignore nogroups net none -nodbus protocol unix #Breaks OMF @@ -16,3 +15,6 @@ ignore private-bin #Breaks using controllers ignore private-dev + +dbus-user none +dbus-system none diff --git a/profiles/firefox.local b/profiles/firefox.local index 36d2a32..dd7afe1 100644 --- a/profiles/firefox.local +++ b/profiles/firefox.local @@ -28,9 +28,14 @@ private-etc resolv.conf # # Use for GTK_USE_PORTAL=1 support on KDE #private-etc machine-id,passwd,resolv.conf -#ignore nodbus +#ignore dbus-user none +#ignore dbus-system none #ignore noroot # # Use with hardened-malloc package # This breaks firefox on polaris10 amdgpu for some reason env LD_PRELOAD=/usr/lib/libhardened_malloc.so + +ignore dbus-user filter +ignore dbus-user.own org.mozilla.firefox.* +ignore dbus-user.own org.mpris.MediaPlayer2.firefox.* diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc index 5f9c16d..becdedd 100644 
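Review bot: The new dolphin-emu.profile has no `# Firejail profile for …` / `# Description:` header, unlike abook.profile added in this same commit, and `protocol unix,netlink` carries no comment saying why netlink is needed when the generic-game.inc it includes already sets `net none` (visible in that file's hunk further down). Suggest adding `# Firejail profile for dolphin-emu` at the top and a one-line why-comment on the `protocol` line, matching the comment already given for `ignore private-dev`.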
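Review bot: `ignore dbus-user filter` together with ignoring both `dbus-user.own` rules strips upstream's whole session-bus policy, and with no `dbus-user` directive left firejail's default is an unfiltered bus, so this is a widening rather than a tightening unless globals.local sets `dbus-user none` (not visible here). If the goal is the KDE/portal integration the commented block above hints at, keep `dbus-user filter` and add only the names needed via `dbus-user.talk`; if the goal is lock-down, follow the three `ignore` lines with `dbus-user none`. Either way the three lines deserve a `# #` comment stating the intent, as the other overrides in firefox.local have.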
--- a/profiles/generic-game.inc +++ b/profiles/generic-game.inc @@ -20,7 +20,6 @@ net none # # no3d breaks gpu rendering # no3d noautopulse -nodbus nodvd nogroups nonewprivs @@ -40,3 +39,6 @@ private-etc asound.conf,group,localtime,machine-id,pulse private-tmp memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc index 81ffe04..1ed2b27 100644 --- a/profiles/generic-wine-game.inc +++ b/profiles/generic-wine-game.inc @@ -5,6 +5,7 @@ include generic-wine-game.local noblacklist ${HOME}/.wine noblacklist ${HOME}/.config/q4wine noblacklist ${HOME}/.local/share/wineprefixes +noblacklist /tmp/.wine-* # with >=llvm-4 mesa drivers need llvm stuff noblacklist /usr/lib/llvm* @@ -24,6 +25,7 @@ whitelist ${HOME}/.wine whitelist ${HOME}/.config/q4wine # whitelist ${HOME}/.local/share/wineprefixes/bottle-name-here whitelist ${HOME}/.local/share/wineprefixes/zz_c +whitelist /tmp/.wine-* caps.drop all # # alsa audio will work with ipc-namespace, @@ -34,7 +36,6 @@ net none # # no3d breaks gpu rendering # no3d noautopulse -nodbus nodvd nogroups nonewprivs @@ -54,3 +55,6 @@ private-etc asound.conf,group,localtime,machine-id,passwd,pulse private-tmp memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/profiles/gwenview.local b/profiles/gwenview.local index 1c82bfd..93fa39c 100644 --- a/profiles/gwenview.local +++ b/profiles/gwenview.local @@ -5,7 +5,9 @@ ignore noblacklist ${HOME}/.kde4/share/config/gwenviewrc net none ignore netfilter -nodbus # # seccomp breaks integrated file manager on kde applications # # due to syscall name_to_handle_at seccomp !name_to_handle_at + +dbus-user none +dbus-system none diff --git a/profiles/karbon.profile b/profiles/karbon.profile index 330753c..e6b451a 100644 --- a/profiles/karbon.profile +++ b/profiles/karbon.profile 
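Review bot: `whitelist /tmp/.wine-*` (with its `noblacklist` companion) re-exposes the host's per-user wineserver directory inside a sandbox that still has `private-tmp`, so, as far as I can tell, every wine sandbox built on this .inc ends up sharing one wineserver with the host and with each other, which weakens the per-prefix separation the whitelisted prefixes are meant to give; the same line is added to wine.local later in this commit. If wine only needs a writable place for its socket, `private-tmp` already provides that and the two lines can go; if a shared wineserver is intended, a `# #` comment saying so would stop the next reader from removing it.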
@@ -10,6 +10,7 @@ ignore noexec ${HOME} noblacklist ${HOME}/.config/karbonrc noblacklist ${HOME}/.local/share/karbon +noblacklist ${HOME}/.local/share/kxmlgui5/karbon noblacklist ${DOCUMENTS} noblacklist ${PICTURES} @@ -33,7 +34,6 @@ caps.drop all ignore ipc-namespace # net none netfilter -# nodbus nodvd nogroups nonewprivs @@ -51,3 +51,6 @@ shell none private-cache private-dev private-tmp + +# dbus-user none +# dbus-system none diff --git a/profiles/keepassxc.local b/profiles/keepassxc.local index 65b4300..23d2118 100644 --- a/profiles/keepassxc.local +++ b/profiles/keepassxc.local @@ -1,7 +1,11 @@ ignore noblacklist ${HOME}/.mozilla ignore noblacklist ${DOCUMENTS} +mkdir ${HOME}/.cache/keepassxc +mkdir ${HOME}/.config/keepassxc + whitelist ${HOME}/.keepassxc +whitelist ${HOME}/.cache/keepassxc whitelist ${HOME}/.config/keepassxc whitelist ${HOME}/.config/keepassxcrc include whitelist-common.inc @@ -9,9 +13,6 @@ include whitelist-common.inc # # no3d breaks decryption for some reason ignore no3d -# # nodbus breaks systray support -ignore nodbus - # # machine-id and net=none breaks systray support with openrc/eudev ignore machine-id ignore net @@ -27,3 +28,15 @@ tracelog disable-mnt private-bin keepassxc,dbus-launch private-etc fonts,ld.so.cache,localtime,machine-id,passwd + +# # dbus-user/system breaks systray support +ignore dbus-user none +ignore dbus-system none + +ignore dbus-user.talk com.canonical.Unity.Session +ignore dbus-user.talk org.freedesktop.ScreenSaver +ignore dbus-user.talk org.freedesktop.login1.Manager +ignore dbus-user.talk org.freedesktop.login1.Session +ignore dbus-user.talk org.gnome.ScreenSaver +ignore dbus-user.talk org.gnome.SessionManager +ignore dbus-user.talk org.gnome.SessionManager.Presence diff --git a/profiles/kget.local b/profiles/kget.local index 0ac7a0a..c4252b2 100644 --- a/profiles/kget.local +++ b/profiles/kget.local 
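Review bot: Whether `ignore dbus-user none` / `ignore dbus-system none` plus ignoring the seven `dbus-user.talk` rules yields the unrestricted bus the systray comment asks for depends on what upstream keepassxc.profile sets, which is not visible here: if upstream uses `dbus-user filter` with those `.talk` rules, only the talk rules are dropped and a filter allowing nothing remains, which would break the tray further. In that case `ignore dbus-user filter` is the line needed, or, narrower than opening the whole bus, keep the filter and add just the tray name with `dbus-user.talk org.kde.StatusNotifierWatcher`. The same pattern and the same question apply to kget.local and pioneer.local in this commit.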
@@ -26,8 +26,6 @@ include whitelist-common.inc # ipc-namespace # # no3d breaks gpu accelerated rendering ignore no3d -# # nodbus breaks systray support -ignore nodbus # machine-id protocol unix,inet,netlink # # seccomp breaks integrated file manager on kde applications @@ -39,3 +37,7 @@ disable-mnt private-bin bash,dbus-launch,kget,kdeinit5 private-cache private-etc ca-certificates,fonts,localtime,machine-id,passwd,resolv.conf,ssl,xdg + +# # dbus-user/system breaks systray support +ignore dbus-user none +ignore dbus-system none diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile index 1e3b266..d8b2ccd 100644 --- a/profiles/kmymoney.profile +++ b/profiles/kmymoney.profile @@ -38,7 +38,6 @@ net none netfilter # # no3d breaks gpu accelerated rendering # no3d -nodbus nodvd nogroups nonewprivs @@ -62,3 +61,6 @@ private-etc fonts,localtime private-tmp # memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile index 5739120..2334d3e 100644 --- a/profiles/konqueror.profile +++ b/profiles/konqueror.profile @@ -46,7 +46,6 @@ ignore ipc-namespace ignore machine-id netfilter ignore no3d -ignore nodbus nodvd nogroups nonewprivs @@ -70,3 +69,6 @@ private-etc asound.conf,ca-certificates,group,machine-id,passwd,resolv.conf,ssl ignore private-tmp ignore memory-deny-write-execute + +# dbus-user none +# dbus-system none diff --git a/profiles/konversation.local b/profiles/konversation.local index 26bceed..2b8386b 100644 --- a/profiles/konversation.local +++ b/profiles/konversation.local 
@@ -7,12 +7,19 @@ include whitelist-common.inc whitelist ${HOME}/.config whitelist ${HOME}/.config/konversationrc +whitelist ${HOME}/.config/konversationrc.notifyrc + +mkdir ${HOME}/.local/share/konversation +mkdir ${HOME}/.local/share/kxmlgui5/konversation whitelist ${HOME}/.local/share/konversation +whitelist ${HOME}/.local/share/kxmlgui5/konversation # ipc-namespace machine-id -nodbus protocol unix,inet private-bin konversation,keditbookmarks private-etc asound.conf,group,machine-id,pulse,resolv.conf + +dbus-user none +dbus-system none diff --git a/profiles/ktorrent.local b/profiles/ktorrent.local index 1655d6f..515398b 100644 --- a/profiles/ktorrent.local +++ b/profiles/ktorrent.local @@ -18,7 +18,6 @@ include disable-xdg.inc whitelist ${HOME}/.config whitelist ${HOME}/torrents -ignore nodbus # # machine-id breaks systray support ignore machine-id protocol unix,inet,netlink @@ -34,3 +33,6 @@ private-etc ca-certificates,fonts,machine-id,passwd,resolv.conf,ssl,xdg # # Use with hardened-malloc package env LD_PRELOAD=/usr/lib/libhardened_malloc.so + +# ignore dbus-user none +# ignore dbus-system none diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile index a0eadea..7723d1c 100644 --- a/profiles/lgogdownloader.profile +++ b/profiles/lgogdownloader.profile @@ -31,7 +31,6 @@ caps.drop all ipc-namespace netfilter no3d -nodbus nodvd nogroups nonewprivs @@ -49,3 +48,6 @@ private-bin lgogdownloader private-dev private-etc ca-certificates,pki,resolv.conf,ssl private-tmp + +dbus-user none +dbus-system none diff --git a/profiles/mocp.local b/profiles/mocp.local new file mode 100644 index 0000000..323dbc1 --- /dev/null +++ b/profiles/mocp.local 
@@ -0,0 +1,19 @@
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+
+whitelist ${HOME}/.moc
+whitelist ${MUSIC}
+read-only ${MUSIC}
+
+# # alsa audio will work with ipc-namespace,
+# # but it hogs the alsa device from other applications
+ignore ipc-namespace
+machine-id
+ignore netfilter
+net none
+
+protocol unix
+
+disable-mnt
+private-bin moc,mocp
+private-etc asound.conf,group,localtime,machine-id
diff --git a/profiles/mocp.profile b/profiles/mocp.profile
deleted file mode 100644
index 84ac1d0..0000000
--- a/profiles/mocp.profile
+++ /dev/null
@@ -1,51 +0,0 @@
-# This file is overwritten after every install/update
-# Persistent local customizations
-include mocp.local
-# Persistent global definitions
-include globals.local
-
-noblacklist ${HOME}/.moc
-noblacklist ${MUSIC}
-
-blacklist /tmp/.X11-unix
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-whitelist ${HOME}/.moc
-whitelist ${MUSIC}
-read-only ${MUSIC}
-
-caps.drop all
-# # alsa audio will work with ipc-namespace,
-# # but it hogs the alsa device from other applications
-ignore ipc-namespace
-machine-id
-net none
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-shell none
-tracelog
-
-disable-mnt
-private-bin moc,mocp
-private-cache
-private-dev
-private-etc asound.conf,group,localtime,machine-id
-private-tmp
-
-memory-deny-write-execute
diff --git a/profiles/mount-and-blade-ii.profile b/profiles/mount-and-blade-ii.profile
index 64e5869..4e7e5a4 100644
--- a/profiles/mount-and-blade-ii.profile
+++ b/profiles/mount-and-blade-ii.profile
@@ -7,8 +7,17 @@ include globals.local noblacklist ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord whitelist ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord.dxvk-cache +mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_d3d11.log +mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_dxgi.log +mkfile ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/imgui.ini read-only ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord.dxvk-cache +read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_d3d11.log +read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/Bannerlord_dxgi.log +read-write ${HOME}/.local/share/wineprefixes/MountAndBladeBannerlord/drive_c/GOG Games/Mount And Blade II Bannerlord/bin/Win64_Shipping_Client/imgui.ini + +# machine-id, obs, and alsa don't get along +#ignore machine-id # MB2 requires seccomp and ptrace seccomp !name_to_handle_at,!ptrace diff --git a/profiles/mount-and-blade-warband.profile b/profiles/mount-and-blade-warband.profile index 5a57141..dd69f3d 100644 --- a/profiles/mount-and-blade-warband.profile +++ b/profiles/mount-and-blade-warband.profile 
@@ -11,6 +11,9 @@ read-only ${HOME}/games/Mount and Blade - Warband mkdir ${HOME}/.mbwarband whitelist ${HOME}/.mbwarband +# machine-id, obs, and alsa don't get along +#ignore machine-id + seccomp !name_to_handle_at ignore memory-deny-write-execute diff --git a/profiles/newsboat.local b/profiles/newsboat.local index e61a692..e100217 100644 --- a/profiles/newsboat.local +++ b/profiles/newsboat.local @@ -5,6 +5,7 @@ whitelist ${HOME}/.w3m include allow-perl.inc blacklist /tmp/.X11-unix +blacklist ${RUNUSER}/wayland-* ignore private-bin private-etc alternatives,ca-certificates,crypto-policies,login.defs,pki,passwd,resolv.conf,ssl,terminfo @@ -19,5 +20,4 @@ private-etc alternatives,ca-certificates,crypto-policies,login.defs,pki,passwd,r # # Use with hardened-malloc package # env LD_PRELOAD=/usr/lib/libhardened_malloc.so - tracelog diff --git a/profiles/nyamp.profile b/profiles/nyamp.profile index 876b869..b523155 100644 --- a/profiles/nyamp.profile +++ b/profiles/nyamp.profile @@ -28,7 +28,6 @@ caps.drop all # machine-id net none no3d -nodbus nodvd nogroups nonewprivs @@ -50,3 +49,6 @@ private-etc fonts,machine-id private-tmp memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/profiles/okular.local b/profiles/okular.local index 0252f33..a0c3551 100644 --- a/profiles/okular.local +++ b/profiles/okular.local @@ -8,10 +8,12 @@ ignore noblacklist ${HOME}/.kde4/share/config/okularrc net none # no3d -nodbus # # seccomp breaks integrated file manager on kde applications # # due to syscall name_to_handle_at seccomp !name_to_handle_at private-cache private-tmp + +dbus-user none +dbus-system none diff --git a/profiles/pioneer.local b/profiles/pioneer.local index 4838164..69758a9 100644 --- a/profiles/pioneer.local +++ b/profiles/pioneer.local @@ -10,3 +10,6 @@ private-bin pioneer private-etc asound.conf,group,localtime,machine-id,pulse ignore memory-deny-write-execute + +ignore dbus-user none +ignore dbus-system none 
diff --git a/profiles/poi.profile b/profiles/poi.profile
index 43e3739..5bfb9b4 100644
--- a/profiles/poi.profile
+++ b/profiles/poi.profile
@@ -42,8 +42,9 @@ caps.drop all
 ## netfilter - Creates a simple but restrictive iptables firewall for any --net device created. Does nothing if --net is not used.
 netfilter
 
-## nodbus - Disable access to dbus.
-nodbus
+## dbus-user/system none - Disable access to dbus.
+dbus-user none
+dbus-system none
 
 ## nodvd - Disable access to optical disk drives.
 nodvd
diff --git a/profiles/ppsspp.local b/profiles/ppsspp.local
new file mode 100644
index 0000000..ae1ac13
--- /dev/null
+++ b/profiles/ppsspp.local
@@ -0,0 +1,10 @@
+whitelist ${HOME}/games/Emulators/PSPGAMES
+whitelist ${HOME}/.config/ppsspp
+
+# machine-id, obs, and alsa don't get along
+#ignore machine-id
+
+ignore netfilter
+net none
+
+seccomp !name_to_handle_at
diff --git a/profiles/qtox.local b/profiles/qtox.local
index a70b3ff..8c49e0a 100644
--- a/profiles/qtox.local
+++ b/profiles/qtox.local
@@ -2,9 +2,6 @@
 # # but it hogs the alsa device from other applications
 ignore ipc-namespace
 
-# # Breaks systray support
-ignore nodbus
-
 # # qtox can make use of a webcam for calls
 # # comment this if you intend to do so
 novideo
diff --git a/profiles/rtv.local b/profiles/rtv.local
new file mode 100644
index 0000000..6b66c04
--- /dev/null
+++ b/profiles/rtv.local
@@ -0,0 +1,17 @@
+noblacklist ${HOME}/.config/rtv
+
+mkdir ${HOME}/.config/rtv
+whitelist ${HOME}/.config/rtv
+whitelist ${HOME}/.local/share/rtv
+
+ipc-namespace
+protocol inet,inet6
+
+# private-bin rtv,python,sh,xdg-settings
+private-etc ca-certificates,resolv.conf,ssl
+private-tmp
+
+# memory-deny-write-execute
+
+# # Use with hardened-malloc package
+env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/rtv.profile b/profiles/rtv.profile
deleted file mode 100644
index e7b7ac0..0000000
--- a/profiles/rtv.profile
+++ /dev/null
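Review bot: `whitelist ${HOME}/games/Emulators/PSPGAMES` in the new ppsspp.local is left writable, whereas the equivalent `GCNGAMES` directory in dolphin-emu.profile from this same commit gets `read-only`; unless PPSSPP writes into its ROM directory, add `read-only ${HOME}/games/Emulators/PSPGAMES` after the whitelist. The `.config/ppsspp` whitelist also has no `mkdir` companion, unlike dolphin-emu's config directories, so on a first run the whitelist may refer to a directory that does not exist yet.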
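Review bot: In the new rtv.local, `whitelist ${HOME}/.local/share/rtv` has no `mkdir` or `noblacklist` companion while `.config/rtv` gets both; if the directory is absent on first run the whitelist has nothing to apply to, and if upstream's disable-programs.inc blacklists it the whitelist alone may not restore access. Suggest `noblacklist ${HOME}/.local/share/rtv` before the include block and `mkdir ${HOME}/.local/share/rtv` next to the existing mkdir.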
@@ -1,61 +0,0 @@
-# This file is overwritten after every install/update
-# Persistent local customizations
-include rtv.local
-# Persistent global definitions
-include globals.local
-
-blacklist /tmp/.X11-unix
-
-noblacklist ${PATH}/python2*
-noblacklist /usr/include/python2*
-noblacklist /usr/lib/python2*
-noblacklist /usr/local/lib/python2*
-noblacklist /usr/share/python2*
-noblacklist ${PATH}/python3*
-noblacklist /usr/include/python3*
-noblacklist /usr/lib/python3*
-noblacklist /usr/local/lib/python3*
-noblacklist /usr/share/python3*
-noblacklist ${HOME}/.config/rtv
-
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-mkdir ${HOME}/.config/rtv
-whitelist ${HOME}/.config/rtv
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol inet,inet6
-seccomp
-shell none
-tracelog
-
-disable-mnt
-# private-bin rtv,python
-private-cache
-private-dev
-private-etc ca-certificates,resolv.conf,ssl
-private-tmp
-
-# memory-deny-write-execute
-
-# # Use with hardened-malloc package
-env LD_PRELOAD=/usr/lib/libhardened_malloc.so
diff --git a/profiles/strawberry.local b/profiles/strawberry.local
new file mode 100644
index 0000000..cf3da43
--- /dev/null
+++ b/profiles/strawberry.local
@@ -0,0 +1,45 @@
+# This file is overwritten after every install/update
+# Persistent local customizations
+include strawberry.local
+# Persistent global definitions
+include globals.local
+
+#noblacklist ${HOME}/.cache/strawberry
+noblacklist ${HOME}/.config/strawberry
+noblacklist ${HOME}/.local/share/strawberry
+noblacklist ${MUSIC}
+#whitelist ${HOME}/.cache/strawberry
+whitelist ${HOME}/.config/strawberry
+whitelist ${HOME}/.local/share/strawberry
+whitelist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+include whitelist-var-common.inc
+include whitelist-common.inc
+
+caps.drop all
+#net none
+netfilter
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+# blacklisting of ioprio_set system calls breaks strawberry
+seccomp !ioprio
+shell none
+tracelog
+
+# disable-mnt
+private-cache
+private-dev
+private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf
+private-tmp
diff --git a/profiles/strawberry.profile b/profiles/strawberry.profile
deleted file mode 100644
index cf3da43..0000000
--- a/profiles/strawberry.profile
+++ /dev/null
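Review bot: The new strawberry.local is a byte-for-byte copy of the deleted strawberry.profile (both index lines name blob cf3da43), so it still opens with `include strawberry.local` — a file including itself, at best a no-op and at worst an include loop — followed by `include globals.local` and the full `disable-*.inc` / `whitelist-common.inc` set that the upstream strawberry.profile already pulls in. A .local should carry only the overrides, which here look like the `${MUSIC}` noblacklist/whitelist pair, `seccomp !ioprio` and the `private-etc` list; the header, the two `include` lines and the duplicated includes should go. The `# This file is overwritten after every install/update` comment is also wrong for a .local, which is precisely the file meant to persist across updates.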
@@ -1,45 +0,0 @@ -# This file is overwritten after every install/update -# Persistent local customizations -include strawberry.local -# Persistent global definitions -include globals.local - -#noblacklist ${HOME}/.cache/strawberry -noblacklist ${HOME}/.config/strawberry -noblacklist ${HOME}/.local/share/strawberry -noblacklist ${MUSIC} -#whitelist ${HOME}/.cache/strawberry -whitelist ${HOME}/.config/strawberry -whitelist ${HOME}/.local/share/strawberry -whitelist ${MUSIC} - -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - -include whitelist-var-common.inc -include whitelist-common.inc - -caps.drop all -#net none -netfilter -nonewprivs -noroot -notv -nou2f -novideo -protocol unix,inet,inet6 -# blacklisting of ioprio_set system calls breaks strawberry -seccomp !ioprio -shell none -tracelog - -# disable-mnt -private-cache -private-dev -private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf -private-tmp diff --git a/profiles/toxic.profile b/profiles/toxic.profile index 32254e7..15203b6 100644 --- a/profiles/toxic.profile +++ b/profiles/toxic.profile @@ -29,7 +29,6 @@ caps.drop all ignore ipc-namespace netfilter no3d -nodbus nodvd nogroups nonewprivs @@ -52,3 +51,6 @@ private-tmp memory-deny-write-execute # writable-run-user + +dbus-user none +dbus-system none diff --git a/profiles/vlc.local b/profiles/vlc.local index ed7d779..d7094d9 100644 --- a/profiles/vlc.local +++ b/profiles/vlc.local 
@@ -1,17 +1,27 @@ ignore noblacklist ${HOME}/.cache/vlc +noblacklist ${MUSIC} +noblacklist ${PICTURES} +noblacklist ${VIDEOS} + +include disable-xdg.inc + +whitelist ${MUSIC} +whitelist ${PICTURES} +whitelist ${VIDEOS} + +read-only ${DOWNLOADS} +read-only ${MUSIC} +read-only ${PICTURES} +read-only ${VIDEOS} # # alsa audio will work with ipc-namespace, # # but it hogs the alsa device from other applications ignore ipc-namespace -nodbus # # seccomp breaks integrated file manager on kde applications # # due to syscall name_to_handle_at # # kcmp syscall requied by amdgpu hardware acceleration seccomp !name_to_handle_at,!kcmp -read-only ${DOWNLOADS} -read-only ${MUSIC} -noblacklist ${PICTURES} -read-only ${PICTURES} -read-only ${VIDEOS} +dbus-user none +dbus-system none diff --git a/profiles/w3m.local b/profiles/w3m.local index 684515f..d925ca3 100644 --- a/profiles/w3m.local +++ b/profiles/w3m.local @@ -3,12 +3,14 @@ whitelist ${HOME}/.w3m ipc-namespace machine-id -nodbus protocol inet,inet6 disable-mnt memory-deny-write-execute +dbus-user none +dbus-system none + # # Use with hardened-malloc package env LD_PRELOAD=/usr/lib/libhardened_malloc.so diff --git a/profiles/weechat.local b/profiles/weechat.local index ca330f7..b9185ff 100644 --- a/profiles/weechat.local +++ b/profiles/weechat.local @@ -22,7 +22,6 @@ whitelist ${HOME}/.weechat ignore ipc-namespace machine-id no3d -nodbus nodvd nogroups # nosound @@ -38,3 +37,6 @@ private-etc asound.conf,ca-certificates,machine-id,resolv.conf,ssl private-tmp # memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/profiles/wesnoth.local b/profiles/wesnoth.local index ca69a8c..6a17869 100644 --- a/profiles/wesnoth.local +++ b/profiles/wesnoth.local @@ -22,7 +22,6 @@ machine-id ignore net netfilter ignore no3d -nodbus nogroups novideo protocol unix,inet,inet6 
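Review bot: `read-only ${DOWNLOADS}` has no effect after this rewrite: the new `include disable-xdg.inc` blacklists ${DOWNLOADS} as far as I recall (it is not in the `noblacklist` set above, which covers only MUSIC, PICTURES and VIDEOS), and the `whitelist` lines make the home directory whitelist-only, so Downloads is not visible in the sandbox at all. Either drop the line, or add `noblacklist ${DOWNLOADS}` before the include and `whitelist ${DOWNLOADS}` beside the other whitelists, leaving `read-only ${DOWNLOADS}` after them. A one-line comment stating which outcome is intended would save the next reader the same check.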
@@ -35,3 +34,6 @@ private-cache private-etc asound.conf,fonts,group,localtime,machine-id,pulse,resolv.conf ignore memory-deny-write-execute + +dbus-user none +dbus-system none diff --git a/profiles/wget.local b/profiles/wget.local index 311e23d..53edfe2 100644 --- a/profiles/wget.local +++ b/profiles/wget.local @@ -1,5 +1,3 @@ -machine-id -nodbus protocol inet,inet6 # # Use with hardened-malloc package diff --git a/profiles/wine.local b/profiles/wine.local index d3210eb..d2b5003 100644 --- a/profiles/wine.local +++ b/profiles/wine.local @@ -9,6 +9,7 @@ mkdir ${HOME}/.local/share/wineprefixes whitelist ${HOME}/.wine whitelist ${HOME}/.config/q4wine whitelist ${HOME}/.local/share/wineprefixes +whitelist /tmp/.wine-* machine-id diff --git a/profiles/x4-foundations.profile b/profiles/x4-foundations.profile index 3bc3b4e..eec47ee 100644 --- a/profiles/x4-foundations.profile +++ b/profiles/x4-foundations.profile @@ -13,6 +13,9 @@ whitelist ${HOME}/.config/EgoSoft/X4 whitelist ${HOME}/games/X-4 Foundations read-only ${HOME}/games/X-4 Foundations +# machine-id, obs, and alsa don't get along +#ignore machine-id + protocol unix,netlink seccomp !name_to_handle_at diff --git a/profiles/xcom-2.profile b/profiles/xcom-2.profile index 6d27ea6..8e874b1 100644 --- a/profiles/xcom-2.profile +++ b/profiles/xcom-2.profile @@ -7,6 +7,9 @@ include globals.local noblacklist ${HOME}/.local/share/wineprefixes/XCOM2 whitelist ${HOME}/.local/share/wineprefixes/XCOM2 +# machine-id, obs, and alsa don't get along +#ignore machine-id + # XCOM requires the ptrace syscall or the launcher will crash seccomp !name_to_handle_at,!ptrace diff --git a/profiles/youtube-dl.local b/profiles/youtube-dl.local index 0576904..ee436ee 100644 --- a/profiles/youtube-dl.local +++ b/profiles/youtube-dl.local @@ -1,5 +1,3 @@ -blacklist /tmp/.X11-unix - protocol inet,inet6 # # None of that pip garbage -- cgit v1.2.1