From 96dd956c01e734e8aec007e9e0c13d6908f5fc11 Mon Sep 17 00:00:00 2001 
From: jc_gargma Date: Sun, 4 Jul 2021 02:37:18 -0700 Subject: Many updates for firejail 0.9.66 --- PKGBUILD | 6 ++--- profiles/7kaa.profile | 2 ++ profiles/abook.profile | 2 ++ profiles/amfora.profile | 2 ++ profiles/antichamber.profile | 2 ++ profiles/calcurse.profile | 10 +++++++++ profiles/crusader-kings-ii.profile | 2 ++ profiles/crusader-kings-iii.profile | 2 ++ profiles/curl.local | 1 - profiles/digikam.local | 1 + profiles/dins-curse.profile | 2 ++ profiles/disable-programs.local | 4 ++-- profiles/divinity-original-sin-ee.profile | 2 ++ profiles/dolphin-emu.local | 16 ++++++++++--- profiles/dosbox.local | 11 +++++---- profiles/factorio.profile | 2 ++ profiles/fceux.profile | 4 ++-- profiles/firefox-common.local | 2 ++ profiles/firefox.local | 3 ++- profiles/freeciv-qt.profile | 16 +++++-------- profiles/generic-game.inc | 3 +++ profiles/generic-wine-game.inc | 2 ++ profiles/hearts-of-iron-iv.profile | 2 ++ profiles/into-the-breach.profile | 4 ++++ profiles/karbon.local | 1 + profiles/keepassxc.local | 15 +++++++------ profiles/kget.local | 1 + profiles/kmymoney.profile | 4 ++++ profiles/konqueror.profile | 3 +++ profiles/kristall.profile | 3 +++ profiles/krita.local | 2 ++ profiles/lgogdownloader.profile | 2 ++ profiles/mgba.profile | 10 ++++----- profiles/mocp.local | 2 ++ profiles/mount-and-blade-warband.profile | 2 ++ profiles/nyamp.profile | 3 +++ profiles/openmw-launcher.profile | 4 ---- profiles/openmw.local | 17 ++++++++++++++ profiles/openmw.profile | 30 ------------------------- profiles/openrct2.profile | 3 --- profiles/othercide.profile | 3 +-- profiles/pandora-first-contact.profile | 2 ++ profiles/pioneer.local | 11 ++++++--- profiles/poi.profile | 7 +++++- profiles/ppsspp.local | 8 +++---- profiles/qimv.profile | 2 ++ profiles/qtox.local | 8 ++++--- profiles/rtorrent.local | 4 +++- profiles/rtv.local | 6 ----- profiles/starbound.profile | 2 ++ profiles/strawberry.local | 37 +++---------------------------- profiles/tome4.profile | 2 ++ 
profiles/toxic.profile | 2 ++ profiles/unzip.local | 1 - profiles/vlc.local | 7 +++--- profiles/w3m.local | 12 ---------- profiles/weechat.local | 2 +- profiles/wesnoth.local | 4 ++-- profiles/x4-foundations.profile | 2 ++ 59 files changed, 175 insertions(+), 152 deletions(-) delete mode 100644 profiles/curl.local create mode 100644 profiles/karbon.local delete mode 100644 profiles/openmw-launcher.profile create mode 100644 profiles/openmw.local delete mode 100644 profiles/openmw.profile delete mode 100644 profiles/unzip.local diff --git a/PKGBUILD b/PKGBUILD index 4368bce..869a04c 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -1,15 +1,15 @@ # Maintainer: jc_gargma pkgname=firejail-profiles -pkgver=20210623 -pkgrel=2 +pkgver=20210704 +pkgrel=1 pkgdesc="Additional firejail profiles and locals" arch=('any') url="https://library.iserlohn-fortress.net/firejail-profiles.git" license=('GPLv3') depends=('firejail' 'hardened-malloc') source=(profiles.tar.gz) -b2sums=('57e3c4f64d5b5cff971ba218e1a52bd213c5164998e1d44ed6009a6d7eedd99f036e8f8ddc941e1d52396346f169a1e964bf743396516c12ada64c9033c86509') +b2sums=('161cda200f18d68666b590b0f8e29cbf7be1bc64944855bd5ed5c851c95ad37c79f69a37da8be28a3429a1186ad954fcd43f8f0e97add2c408fef42b9ca90243') package() { install --directory ${pkgdir}/etc/firejail diff --git a/profiles/7kaa.profile b/profiles/7kaa.profile index d996dfa..7e3f8c1 100644 --- a/profiles/7kaa.profile +++ b/profiles/7kaa.profile @@ -4,6 +4,8 @@ include 7kaa.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/.local/share/7kfans.com mkdir ${HOME}/.local/share/7kfans.com diff --git a/profiles/abook.profile b/profiles/abook.profile index 85804ed..5ebcd86 100644 --- a/profiles/abook.profile +++ b/profiles/abook.profile @@ -15,6 +15,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc apparmor 
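Review bot: The new `ignore include disable-shell.inc` line in 7kaa.profile has no comment saying why this game needs a shell inside the sandbox, and the same undocumented opt-out appears in antichamber, crusader-kings-ii, crusader-kings-iii, dins-curse, divinity-original-sin-ee, hearts-of-iron-iv, into-the-breach, mount-and-blade-warband, pandora-first-contact, starbound, tome4 and x4-foundations. If these profiles pull in generic-game.inc, which this commit extends with disable-shell.inc, each opt-out re-enables shell access for that one game, which is a real weakening relative to the other game profiles. A one-line reason above each, in the file's existing style, would let a later reviewer judge whether it is still needed, e.g. `# launcher is a shell script; disable-shell.inc breaks it` (replace with the actual reason).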
@@ -25,6 +26,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/profiles/amfora.profile b/profiles/amfora.profile index fcbeb82..65da794 100644 --- a/profiles/amfora.profile +++ b/profiles/amfora.profile @@ -18,6 +18,7 @@ include disable-devel.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.config/amfora @@ -33,6 +34,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/profiles/antichamber.profile b/profiles/antichamber.profile index 09fe3ce..cc1136e 100644 --- a/profiles/antichamber.profile +++ b/profiles/antichamber.profile @@ -4,6 +4,8 @@ include antichamber.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + whitelist ${HOME}/games/Antichamber read-only ${HOME}/games/Antichamber mkdir ${HOME}/.local/share/AlexanderBruce diff --git a/profiles/calcurse.profile b/profiles/calcurse.profile index f9649c5..250f153 100644 --- a/profiles/calcurse.profile +++ b/profiles/calcurse.profile @@ -4,6 +4,15 @@ include calcurse.local # Persistent global definitions include globals.local +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-write-mnt.inc +include disable-xdg.inc + blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* @@ -22,6 +31,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/profiles/crusader-kings-ii.profile b/profiles/crusader-kings-ii.profile index 47d1743..38d3916 100644 --- a/profiles/crusader-kings-ii.profile +++ b/profiles/crusader-kings-ii.profile 
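Review bot: The new include block in calcurse.profile omits `include disable-shell.inc`, which the other non-game profiles touched in this commit (kmymoney, konqueror, kristall, nyamp, poi) add alongside disable-write-mnt.inc. If calcurse needs a shell, for example to launch `$EDITOR` or its hook scripts, that is a valid reason to leave it out, but it should then be recorded with a comment such as `# calcurse runs $EDITOR and hook scripts through a shell; disable-shell.inc breaks them`. Otherwise adding the include would bring the profile in line with the rest of the commit.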
@@ -4,6 +4,8 @@ include crusader-kings-ii.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/games/Crusader Kings II noblacklist ${HOME}/.paradoxinteractive noblacklist ${HOME}/.paradoxinteractive/Crusader Kings II diff --git a/profiles/crusader-kings-iii.profile b/profiles/crusader-kings-iii.profile index af4abb6..4c30307 100644 --- a/profiles/crusader-kings-iii.profile +++ b/profiles/crusader-kings-iii.profile @@ -4,6 +4,8 @@ include crusader-kings-iii.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/games/Crusader Kings III noblacklist ${HOME}/.local/share/Paradox Interactive noblacklist ${HOME}/.local/share/Paradox Interactive/Crusader Kings III diff --git a/profiles/curl.local b/profiles/curl.local deleted file mode 100644 index 1e31424..0000000 --- a/profiles/curl.local +++ /dev/null @@ -1 +0,0 @@ -machine-id diff --git a/profiles/digikam.local b/profiles/digikam.local index 09830a2..1658d72 100644 --- a/profiles/digikam.local +++ b/profiles/digikam.local @@ -1,6 +1,7 @@ ignore noblacklist ${HOME}/.kde/share/apps/digikam ignore noblacklist ${HOME}/.kde4/share/apps/digikam +ignore netfilter net none protocol unix # # seccomp breaks integrated file manager on kde applications diff --git a/profiles/dins-curse.profile b/profiles/dins-curse.profile index 39bbe69..7079096 100644 --- a/profiles/dins-curse.profile +++ b/profiles/dins-curse.profile @@ -4,6 +4,8 @@ include dins-curse.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/.local/DinsCurse whitelist ${HOME}/games/Dins Curse diff --git a/profiles/disable-programs.local b/profiles/disable-programs.local index 49410f9..fc11926 100644 --- a/profiles/disable-programs.local +++ b/profiles/disable-programs.local 
@@ -2,6 +2,7 @@ blacklist ${HOME}/.aqbanking blacklist ${HOME}/.cache/kget blacklist ${HOME}/.cache/kontact blacklist ${HOME}/.cache/smolbote +blacklist ${HOME}/.config/cataclysm-bn blacklist ${HOME}/.config/cataclysm-dda blacklist ${HOME}/.config/kget_bittorrentfactory.rc blacklist ${HOME}/.config/kget_metalinkfactory.rc @@ -12,7 +13,6 @@ blacklist ${HOME}/.config/konq_history blacklist ${HOME}/.config/konquerorrc blacklist ${HOME}/.config/lgogdownloader blacklist ${HOME}/.config/iserlohn-fortress.net/nyamp -blacklist ${HOME}/.config/openmw blacklist ${HOME}/.config/openmw-wizardrc blacklist ${HOME}/.config/OpenRCT2 blacklist ${HOME}/.config/Proxy Studios @@ -34,6 +34,7 @@ blacklist ${HOME}/.local/DinsCurse blacklist ${HOME}/.local/share/7kfans.com blacklist ${HOME}/.local/share/Almost Human blacklist ${HOME}/.local/share/Almost Human/Legend of Grimrock +blacklist ${HOME}/.local/share/cataclysm-bn blacklist ${HOME}/.local/share/cataclysm-dda blacklist ${HOME}/.local/share/endless-sky blacklist ${HOME}/.local/share/Goldhawk Interactive @@ -46,7 +47,6 @@ blacklist ${HOME}/.local/share/korganizer blacklist ${HOME}/.local/share/maildir blacklist ${HOME}/.local/share/networkmanagement blacklist ${HOME}/.local/share/OpenRCT2 -blacklist ${HOME}/.local/share/openmw blacklist ${HOME}/.local/share/Paradox Interactive/Imperator blacklist ${HOME}/.local/share/sddm blacklist ${HOME}/.local/share/smolbote diff --git a/profiles/divinity-original-sin-ee.profile b/profiles/divinity-original-sin-ee.profile index 7b847fd..76db611 100644 --- a/profiles/divinity-original-sin-ee.profile +++ b/profiles/divinity-original-sin-ee.profile @@ -4,6 +4,8 @@ include divinity-original-sin-ee.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/Larian Studios noblacklist ${HOME}/Larian Studios/Divinity Original Sin Enhanced Edition diff --git a/profiles/dolphin-emu.local b/profiles/dolphin-emu.local index 9972519..ce3e7b1 100644 
--- a/profiles/dolphin-emu.local +++ b/profiles/dolphin-emu.local @@ -3,11 +3,21 @@ noblacklist ${HOME}/games/Emulators/GCNGAMES whitelist ${HOME}/games/Emulators/GCNGAMES read-only ${HOME}/games/Emulators/GCNGAMES -# machine-id, obs, and alsa don't get along +# # alsa audio will work with ipc-namespace, +# # but it hogs the alsa device from other applications +ignore ipc-namespace + +# # machine-id, obs, and alsa don't get along #ignore machine-id +ignore netfilter +net none + +# # noinput breaks joysticks +ignore noinput + protocol unix,netlink seccomp !name_to_handle_at -# private-dev breaks joysticks -#ignore private-dev +# # private-dev no longer breaks controllers +private-dev diff --git a/profiles/dosbox.local b/profiles/dosbox.local index 7e379f7..3f292bd 100644 --- a/profiles/dosbox.local +++ b/profiles/dosbox.local @@ -1,5 +1,7 @@ ignore noblacklist ${DOCUMENTS} +include disable-write-mnt.inc + whitelist ${HOME}/.dosbox whitelist ${HOME}/games/Emulators/DOSGAMES include whitelist-common.inc @@ -10,11 +12,8 @@ ignore nogroups net none protocol unix -#Breaks OMF +# # Breaks OMF ignore private-bin -#Breaks using controllers -ignore private-dev - -dbus-user none -dbus-system none +# # Breaks using controllers +ignore noinput diff --git a/profiles/factorio.profile b/profiles/factorio.profile index 3b168f4..ea999a5 100644 --- a/profiles/factorio.profile +++ b/profiles/factorio.profile @@ -11,4 +11,6 @@ whitelist ${HOME}/.local/share/factorio ignore memory-deny-write-execute +ignore noexec ${HOME} + include generic-game-networked.inc diff --git a/profiles/fceux.profile b/profiles/fceux.profile index b63b0b7..d573af7 100644 --- a/profiles/fceux.profile +++ b/profiles/fceux.profile @@ -15,8 +15,8 @@ include whitelist-common.inc seccomp !name_to_handle_at -# private-dev breaks joysticks -ignore private-dev +# noinput breaks joysticks +ignore noinput ignore memory-deny-write-execute 
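Review bot: `ignore noinput` in dolphin-emu.local re-exposes every node under /dev/input, not just joysticks, and with `private-dev` now enabled in the same hunk (this commit's poi.profile documentation confirms private-dev keeps `input`) the sandbox regains whatever keyboard and mouse event devices the user's group permissions allow; the same opt-out lands in dosbox.local, fceux.profile, into-the-breach.profile and mgba.profile. The comment only says joysticks break, so it is worth stating the trade-off, e.g. `# # noinput breaks joysticks; ignoring it also exposes keyboard/mouse event nodes`, so the line is not mistaken for a joystick-only exception. The new `ignore netfilter` plus `net none` pair is a tightening, but it also has no comment; `# # no networking needed for emulation` would explain why the upstream netfilter is dropped.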
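Review bot: The two D-Bus lines `dbus-user none` and `dbus-system none` are deleted from dosbox.local without replacement, so unless the upstream dosbox.profile in 0.9.66 already sets them the sandbox regains D-Bus access, and nothing in the hunk explains the deletion. If upstream now provides them, a short note such as `# # dbus-user/system none now set by upstream dosbox.profile` avoids someone re-adding them later; if it does not, the two lines should stay.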
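Review bot: `ignore noexec ${HOME}` in factorio.profile removes the noexec mount on the whole home directory, not just on the game's install path, and nothing in the profile explains the need; only the whitelist of `${HOME}/.local/share/factorio` and the generic-game-networked.inc include are visible as context. If the game binary lives under `${HOME}`, say so next to the line, e.g. `# game binary is installed under ${HOME}; noexec ${HOME} prevents launching it`, so a reader knows the exception cannot be narrowed without relocating the install.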
diff --git a/profiles/firefox-common.local b/profiles/firefox-common.local index 0441b7e..e6fdada 100644 --- a/profiles/firefox-common.local +++ b/profiles/firefox-common.local @@ -1,4 +1,6 @@ include disable-passwdmgr.inc +include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc ignore noblacklist ${HOME}/.pki ignore noblacklist ${HOME}/.local/share/pki diff --git a/profiles/firefox.local b/profiles/firefox.local index dd7afe1..e906eb8 100644 --- a/profiles/firefox.local +++ b/profiles/firefox.local @@ -33,7 +33,8 @@ private-etc resolv.conf #ignore noroot # # Use with hardened-malloc package -# This breaks firefox on polaris10 amdgpu for some reason +# This breaks firefox on some graphics cards +# polaris10 amdgpu env LD_PRELOAD=/usr/lib/libhardened_malloc.so ignore dbus-user filter diff --git a/profiles/freeciv-qt.profile b/profiles/freeciv-qt.profile index e1d7a5a..5aa23ea 100644 --- a/profiles/freeciv-qt.profile +++ b/profiles/freeciv-qt.profile @@ -6,22 +6,16 @@ include freeciv-qt.local # Persistent global definitions include globals.local -# No longer required? Test this. noblacklist ${PATH}/lua* -noblacklist /usr/lib/lua noblacklist /usr/include/lua* -noblacklist /usr/share/lua +noblacklist /usr/lib/liblua* +noblacklist /usr/lib/lua +noblacklist /usr/lib64/liblua* +noblacklist /usr/lib64/lua +noblacklist /usr/share/lua* noblacklist ${HOME}/.freeciv -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc - # # alsa audio will work with ipc-namespace, # # but it hogs the alsa device from other applications ignore ipc-namespace diff --git a/profiles/generic-game.inc b/profiles/generic-game.inc index becdedd..43e72a0 100644 --- a/profiles/generic-game.inc +++ b/profiles/generic-game.inc 
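Review bot: The block of `include disable-*.inc` lines is removed from freeciv-qt.profile, but the hunk does not show what replaces it; the profile's tail lies outside the hunk, so whether it includes generic-game.inc (which carries those includes after this commit) cannot be confirmed here. If it does not, freeciv-qt loses disable-common, disable-devel, disable-exec, disable-interpreters, disable-passwdmgr, disable-programs and disable-xdg in one go. The lua noblacklist set also now differs from tome4.profile, which keeps the older `noblacklist /usr/lib/lua` form without the `liblua*` and `lib64` entries; if the new set is the correct one for 0.9.66, tome4 should get the same lines.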
@@ -8,6 +8,8 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc @@ -22,6 +24,7 @@ net none noautopulse nodvd nogroups +noinput nonewprivs noroot notv diff --git a/profiles/generic-wine-game.inc b/profiles/generic-wine-game.inc index 55676a7..27dc93a 100644 --- a/profiles/generic-wine-game.inc +++ b/profiles/generic-wine-game.inc @@ -16,6 +16,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.wine @@ -38,6 +39,7 @@ net none noautopulse nodvd nogroups +noinput nonewprivs noroot notv diff --git a/profiles/hearts-of-iron-iv.profile b/profiles/hearts-of-iron-iv.profile index 6749b14..49bb746 100644 --- a/profiles/hearts-of-iron-iv.profile +++ b/profiles/hearts-of-iron-iv.profile @@ -4,6 +4,8 @@ include hearts-of-iron-iv.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/games/Hearts of Iron IV noblacklist ${HOME}/.local/share/Paradox Interactive noblacklist ${HOME}/.local/share/Paradox Interactive/Hearts of Iron IV diff --git a/profiles/into-the-breach.profile b/profiles/into-the-breach.profile index aacbfeb..f3b46e9 100644 --- a/profiles/into-the-breach.profile +++ b/profiles/into-the-breach.profile @@ -4,6 +4,8 @@ include into-the-breach.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/.local/share/IntoTheBreach mkdir ${HOME}/.local/share/IntoTheBreach @@ -11,6 +13,8 @@ whitelist ${HOME}/.local/share/IntoTheBreach whitelist ${HOME}/games/Into The Breach read-only ${HOME}/games/Into The Breach +# noinput breaks controller support +ignore noinput protocol unix,netlink seccomp !name_to_handle_at 
diff --git a/profiles/karbon.local b/profiles/karbon.local new file mode 100644 index 0000000..62db817 --- /dev/null +++ b/profiles/karbon.local @@ -0,0 +1 @@ +ignore net none diff --git a/profiles/keepassxc.local b/profiles/keepassxc.local index b936393..6e9dbae 100644 --- a/profiles/keepassxc.local +++ b/profiles/keepassxc.local @@ -1,6 +1,13 @@ +ignore noblacklist ${HOME}/.config/BraveSoftware +ignore noblacklist ${HOME}/.config/chromium +ignore noblacklist ${HOME}/.config/google-chrome +ignore noblacklist ${HOME}/.config/vivaldi +ignore noblacklist ${HOME}/.local/share/torbrowser ignore noblacklist ${HOME}/.mozilla ignore noblacklist ${DOCUMENTS} +include disable-write-mnt.inc + mkdir ${HOME}/.cache/keepassxc mkdir ${HOME}/.config/keepassxc @@ -19,14 +26,8 @@ ignore net netfilter protocol unix -# # seccomp breaks integrated file manager on kde applications -# # due to syscall name_to_handle_at -#seccomp !name_to_handle_at - -tracelog - disable-mnt -private-bin keepassxc,dbus-launch +private-bin keepassxc,dbus-launch,keepassxc-cli,keepassxc-proxy private-etc fonts,ld.so.cache,localtime,machine-id,passwd # # dbus-user/system breaks systray support diff --git a/profiles/kget.local b/profiles/kget.local index c4252b2..801448a 100644 --- a/profiles/kget.local +++ b/profiles/kget.local @@ -9,6 +9,7 @@ noblacklist ${HOME}/.config/kget_metalinkfactory.rc noblacklist ${HOME}/.config/kget_multisegkiofactory.rc noblacklist ${VIDEOS} +include disable-write-mnt.inc include disable-xdg.inc whitelist ${DOWNLOADS} diff --git a/profiles/kmymoney.profile b/profiles/kmymoney.profile index d8b2ccd..05c75ce 100644 --- a/profiles/kmymoney.profile +++ b/profiles/kmymoney.profile @@ -15,6 +15,9 @@ include disable-devel.inc include disable-exec.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc +include disable-xdg.inc mkdir ${HOME}/.aqbanking mkfile ${HOME}/.config/kmymoneyrc 
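Review bot: `ignore net none` is the only line in the new karbon.local and it re-enables networking for a vector-drawing application with no stated reason. A comment naming the feature that needs it, for example `# # <feature> needs network access` with the real reason filled in, would make the exception reviewable and stop it being removed as an apparent mistake.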
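Review bot: The deleted `tracelog` line in keepassxc.local's second hunk drops audit logging of blacklist violations for a program that handles secrets, and nothing in the hunk replaces it; since tracelog costs little, it is worth keeping. The five new `ignore noblacklist` lines for the browser config directories read as deliberate hardening (the password manager no longer sees browser profiles), yet the same commit adds `keepassxc-proxy` to private-bin, which suggests browser integration is still wanted; if the native-messaging manifest is expected to live in those directories this may stop working. A comment stating the intended direction, e.g. `# # keep browser profiles out of the sandbox; native-messaging manifest must be installed outside firejail`, would settle which behaviour is correct.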
@@ -40,6 +43,7 @@ netfilter # no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/profiles/konqueror.profile b/profiles/konqueror.profile index 2334d3e..0c3cb07 100644 --- a/profiles/konqueror.profile +++ b/profiles/konqueror.profile @@ -22,6 +22,8 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc # whitelisting breaks writing to konquerorrc @@ -48,6 +50,7 @@ netfilter ignore no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/profiles/kristall.profile b/profiles/kristall.profile index 4e570b2..b7e3691 100644 --- a/profiles/kristall.profile +++ b/profiles/kristall.profile @@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-shell.inc +include /etc/firejail/disable-write-mnt.inc include /etc/firejail/disable-xdg.inc mkdir ${HOME}/.config/xqTechnologies @@ -32,6 +34,7 @@ machine-id netfilter nodvd nogroups +noinput nonewprivs noroot notv diff --git a/profiles/krita.local b/profiles/krita.local index cccb449..b02ba9d 100644 --- a/profiles/krita.local +++ b/profiles/krita.local @@ -4,8 +4,10 @@ ignore noblacklist /usr/local/lib/python3* # # ipc-namespace breaks menus ignore ipc-namespace + net none ignore netfilter + # # seccomp breaks integrated file manager on kde applications # # due to syscall name_to_handle_at seccomp !name_to_handle_at diff --git a/profiles/lgogdownloader.profile b/profiles/lgogdownloader.profile index 7723d1c..e78e347 100644 --- a/profiles/lgogdownloader.profile +++ b/profiles/lgogdownloader.profile @@ -17,6 +17,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc blacklist /tmp/.X11-unix 
@@ -33,6 +34,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/profiles/mgba.profile b/profiles/mgba.profile index dae77b6..f84044e 100644 --- a/profiles/mgba.profile +++ b/profiles/mgba.profile @@ -16,15 +16,15 @@ whitelist ${HOME}/games/Emulators/GBAGAMES read-only ${HOME}/games/Emulators/GBAGAMES include whitelist-common.inc -# name_to_handle_at required for kde file manager -# kcmp required for amdgpu -seccomp !name_to_handle_at,!kcmp +# # seccomp breaks integrated file manager on kde applications +# # due to syscall name_to_handle_at +seccomp !name_to_handle_at # netlink required for controller support protocol unix,netlink -# private-dev breaks controllers -ignore private-dev +# noinput breaks controllers +ignore noinput ignore memory-deny-write-execute diff --git a/profiles/mocp.local b/profiles/mocp.local index 323dbc1..e8d27d0 100644 --- a/profiles/mocp.local +++ b/profiles/mocp.local @@ -1,6 +1,8 @@ blacklist /tmp/.X11-unix blacklist ${RUNUSER}/wayland-* +include disable-write-mnt.inc + whitelist ${HOME}/.moc whitelist ${MUSIC} read-only ${MUSIC} diff --git a/profiles/mount-and-blade-warband.profile b/profiles/mount-and-blade-warband.profile index dd69f3d..bbe1919 100644 --- a/profiles/mount-and-blade-warband.profile +++ b/profiles/mount-and-blade-warband.profile @@ -4,6 +4,8 @@ include mount-and-blade-warband.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/.mbwarband whitelist ${HOME}/games/Mount and Blade - Warband diff --git a/profiles/nyamp.profile b/profiles/nyamp.profile index b523155..a0fd602 100644 --- a/profiles/nyamp.profile +++ b/profiles/nyamp.profile @@ -13,6 +13,8 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.config/iserlohn-fortress.net 
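Review bot: The `!kcmp` exception is dropped from the seccomp line in mgba.profile (and likewise in vlc.local later in this commit), with the old comment that kcmp is required for amdgpu deleted rather than contradicted. If firejail 0.9.66 no longer filters kcmp in its default seccomp list this is fine, but that fact is not stated anywhere in the commit; a line such as `# # kcmp no longer filtered by default seccomp in 0.9.66` next to `seccomp !name_to_handle_at` would record why the exception went away. If kcmp is still filtered, hardware acceleration on amdgpu would presumably fail inside the sandbox.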
@@ -30,6 +32,7 @@ net none no3d nodvd nogroups +noinput nonewprivs noroot notv diff --git a/profiles/openmw-launcher.profile b/profiles/openmw-launcher.profile deleted file mode 100644 index f922019..0000000 --- a/profiles/openmw-launcher.profile +++ /dev/null @@ -1,4 +0,0 @@ -# This file is overwritten after every install/update - -# Redirect -include openmw.profile diff --git a/profiles/openmw.local b/profiles/openmw.local new file mode 100644 index 0000000..3c6ddb4 --- /dev/null +++ b/profiles/openmw.local @@ -0,0 +1,17 @@ +noblacklist ${HOME}/.config/openmw-wizardrc + +whitelist ${HOME}/.config +mkfile ${HOME}/.config/openmw-wizardrc +whitelist ${HOME}/.config/openmw-wizardrc +read-only ${HOME}/.local/share/openmw/mods +ignore whitelist /usr/share/openmw +whitelist /usr/share/games/openmw + +# # alsa audio will work with ipc-namespace, +# # but it hogs the alsa device from other applications +ignore ipc-namespace +seccomp !name_to_handle_at + +ignore private-opt none + +ignore memory-deny-write-execute diff --git a/profiles/openmw.profile b/profiles/openmw.profile deleted file mode 100644 index db331ca..0000000 --- a/profiles/openmw.profile +++ /dev/null 
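Review bot: `whitelist ${HOME}/.config` in the new openmw.local exposes the entire per-user config directory to the game, which is far broader than the `openmw-wizardrc` file the following lines deal with and undercuts the disable-programs blacklists the private home is meant to enforce. As far as firejail's whitelist semantics go, `whitelist ${HOME}/.config/openmw-wizardrc` (already present) should bring the file in on its own, so the directory-level line looks droppable; if it is needed, a comment saying why would help. `ignore private-opt none` likewise has no comment; naming the /opt path the game needs would make that exception reviewable too.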
@@ -1,30 +0,0 @@ -# This file is overwritten after every install/update -# Persistent local customizations -include openmw.local -# Persistent global definitions -include globals.local - -noblacklist ${HOME}/.config/openmw-wizardrc -noblacklist ${HOME}/.config/openmw -noblacklist ${HOME}/.local/share/openmw - -include whitelist-common.inc - -whitelist ${HOME}/.config -mkfile ${HOME}/.config/openmw-wizardrc -whitelist ${HOME}/.config/openmw-wizardrc -mkdir ${HOME}/.config/openmw -whitelist ${HOME}/.config/openmw -mkdir ${HOME}/.local/share/openmw -whitelist ${HOME}/.local/share/openmw -whitelist ${HOME}/games/Morrowind -read-only ${HOME}/games/Morrowind - -protocol unix,netlink -seccomp !name_to_handle_at - -private-etc asound.conf,group,localtime,machine-id,openmw,pulse - -ignore memory-deny-write-execute - -include generic-game.inc diff --git a/profiles/openrct2.profile b/profiles/openrct2.profile index 8c50325..3dc130b 100644 --- a/profiles/openrct2.profile +++ b/profiles/openrct2.profile @@ -5,12 +5,9 @@ include openrct2.local include globals.local noblacklist ${HOME}/.config/OpenRCT2 -noblacklist ${HOME}/.local/share/OpenRCT2 mkdir ${HOME}/.config/OpenRCT2 whitelist ${HOME}/.config/OpenRCT2 -whitelist ${HOME}/games/RollerCoaster Tycoon 2 -read-only ${HOME}/games/RollerCoaster Tycoon 2 seccomp !name_to_handle_at diff --git a/profiles/othercide.profile b/profiles/othercide.profile index 1469c27..c904949 100644 --- a/profiles/othercide.profile +++ b/profiles/othercide.profile @@ -14,9 +14,8 @@ seccomp !name_to_handle_at # Uncomment these for controller support -#ignore net none #protocol unix,inet,inet6,netlink -#ignore private-dev +#ignore noinput ignore memory-deny-write-execute diff --git a/profiles/pandora-first-contact.profile b/profiles/pandora-first-contact.profile index e53fa31..a6e5a28 100644 --- a/profiles/pandora-first-contact.profile +++ b/profiles/pandora-first-contact.profile 
@@ -4,6 +4,8 @@ include pandora.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/.config/Proxy Studios noblacklist ${HOME}/.config/Proxy Studios/Pandora diff --git a/profiles/pioneer.local b/profiles/pioneer.local index 69758a9..85d0e7f 100644 --- a/profiles/pioneer.local +++ b/profiles/pioneer.local @@ -1,12 +1,17 @@ +noblacklist ${PATH}/lua* +noblacklist /usr/include/lua* +noblacklist /usr/lib/liblua* +noblacklist /usr/lib/lua +noblacklist /usr/lib64/liblua* +noblacklist /usr/lib64/lua +noblacklist /usr/share/lua* + # # alsa audio will work with ipc-namespace, # # but it hogs the alsa device from other applications ignore ipc-namespace machine-id -# # no3d breaks gpu rendering -ignore no3d seccomp !name_to_handle_at -private-bin pioneer private-etc asound.conf,group,localtime,machine-id,pulse ignore memory-deny-write-execute diff --git a/profiles/poi.profile b/profiles/poi.profile index 5bfb9b4..6b133ae 100644 --- a/profiles/poi.profile +++ b/profiles/poi.profile @@ -15,6 +15,8 @@ include /etc/firejail/disable-devel.inc include /etc/firejail/disable-interpreters.inc include /etc/firejail/disable-passwdmgr.inc include /etc/firejail/disable-programs.inc +include /etc/firejail/disable-shell.inc +include /etc/firejail/disable-write-mnt.inc include /etc/firejail/disable-xdg.inc mkdir ${HOME}/.cache/smolbote @@ -52,6 +54,9 @@ nodvd ## nogroups - The program can only see the current user's main group. Always applied if the program is run as root. nogroups +## noinput - Disable access to /dev/input devices. ie, accelerometers, controllers, joysticks, infrared receivers, etc. +noinput + ## nownewprivs - Prevents Child processes from requesting additional priviledges. If --seccomp is enabled, --nonewprivs is redundant. nonewprivs 
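Review bot: `private-bin pioneer` is removed from pioneer.local with no replacement shown, so unless the upstream pioneer.profile sets its own private-bin the game now sees all of /usr/bin; the same hunk also drops `ignore no3d`, which the deleted comment said was needed for GPU rendering. Both changes look like they rely on the 0.9.66 upstream profile having changed, which is plausible, but neither is recorded; a comment such as `# # private-bin and no3d now handled by upstream pioneer.profile` would save the next reader from re-adding them.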
@@ -90,7 +95,7 @@ disable-mnt # breaks if installed to /usr/local private-bin bash,poi -## private-dev - Create a virtual /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, video, log and shm devices are available. +## private-dev - Create a virtual /dev directory. Only dri, full, log, input, null, ptmx, pts, random, shm, snd, tty, urandom, video, and zero devices are available. private-dev ## private-etc - Creates a virtual /etc directory containing only temporary copies of the following files and directories. diff --git a/profiles/ppsspp.local b/profiles/ppsspp.local index ae1ac13..bc75bbf 100644 --- a/profiles/ppsspp.local +++ b/profiles/ppsspp.local @@ -1,10 +1,10 @@ whitelist ${HOME}/games/Emulators/PSPGAMES -whitelist ${HOME}/.config/ppsspp +read-only ${HOME}/games/Emulators/PSPGAMES # machine-id, obs, and alsa don't get along #ignore machine-id -ignore netfilter -net none - seccomp !name_to_handle_at + +# # private-dev no longer breaks controllers +private-dev diff --git a/profiles/qimv.profile b/profiles/qimv.profile index e3a7500..f243b20 100644 --- a/profiles/qimv.profile +++ b/profiles/qimv.profile @@ -17,6 +17,7 @@ include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc include disable-shell.inc +include disable-write-mnt.inc #include whitelist-common.inc #include whitelist-var-common.inc @@ -28,6 +29,7 @@ net none # no3d nodvd nogroups +noinput nonewprivs noroot nosound diff --git a/profiles/qtox.local b/profiles/qtox.local index b7870f4..70c0e66 100644 --- a/profiles/qtox.local +++ b/profiles/qtox.local @@ -13,7 +13,9 @@ seccomp !name_to_handle_at # # mdwe breaks qtox ignore memory-deny-write-execute -private-bin qtox,dbus-launch +# # qtox requires anotehr binary lately, but I do not know which +# private-bin qtox,dbus-launch +ignore private-bin private-etc asound.conf,fonts,group,ld.so.cache,localtime,machine-id,passwd,pulse,resolv.conf # nodbus breaks qtox appearing in the systray 
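Review bot: Deleting `ignore netfilter` and `net none` from ppsspp.local hands network policy back to the upstream profile, so if that profile allows networking the emulator goes from fully offline to online with nothing in the commit saying this was intended. PPSSPP does have network features, so the change may be deliberate, but a one-line comment such as `# # upstream network policy kept: needed for multiplayer` would distinguish intent from an accidental loss of hardening. The replacement `read-only ${HOME}/games/Emulators/PSPGAMES` line is a good tightening.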
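Review bot: `ignore private-bin` in qtox.local replaces a two-entry allowlist with the full /usr/bin, and the accompanying comment admits the missing binary is unknown (the comment also has a typo, `anotehr`). Rather than dropping the restriction for good, one run with `firejail --trace qtox` or a look at the `tracelog` output should name the binary being executed, after which `private-bin qtox,dbus-launch,<missing-binary>` restores the allowlist. Keeping the ignore as a stopgap is acceptable, but the comment should say it is temporary.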
@@ -21,6 +23,6 @@ ignore dbus-user none ignore dbus-system none # # Use with hardened-malloc package -# This breaks qtox on polaris10 amdgpu for some reason -# And on aruba radeon +# This breaks qtox on some graphics cards +# polaris10 amdgpu, aruba radeon env LD_PRELOAD=/usr/lib/libhardened_malloc.so diff --git a/profiles/rtorrent.local b/profiles/rtorrent.local index 7af0444..ed8a4d6 100644 --- a/profiles/rtorrent.local +++ b/profiles/rtorrent.local @@ -3,6 +3,7 @@ noblacklist ${HOME}/.rtorrent.rc whitelist ${HOME}/rtorrent whitelist ${HOME}/.rtorrent.rc +include disable-write-mnt.inc include disable-xdg.inc ipc-namespace @@ -21,5 +22,6 @@ dbus-user none dbus-system none # # Use with hardened-malloc package -# This breaks rtorrent on aruba radeon for some reason +# This breaks rtorrent on some graphics cards +# aruba radeon env LD_PRELOAD=/usr/lib/libhardened_malloc.so diff --git a/profiles/rtv.local b/profiles/rtv.local index 6b66c04..7b53030 100644 --- a/profiles/rtv.local +++ b/profiles/rtv.local @@ -1,9 +1,3 @@ -noblacklist ${HOME}/.config/rtv - -mkdir ${HOME}/.config/rtv -whitelist ${HOME}/.config/rtv -whitelist ${HOME}/.local/share/rtv - ipc-namespace protocol inet,inet6 diff --git a/profiles/starbound.profile b/profiles/starbound.profile index 36e59dd..cae94bd 100644 --- a/profiles/starbound.profile +++ b/profiles/starbound.profile @@ -4,6 +4,8 @@ include starbound.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + whitelist ${HOME}/games/Starbound read-only ${HOME}/games/Starbound mkdir ${HOME}/games/Starbound/game/storage diff --git a/profiles/strawberry.local b/profiles/strawberry.local index cf3da43..a605392 100644 --- a/profiles/strawberry.local +++ b/profiles/strawberry.local 
@@ -1,45 +1,14 @@ -# This file is overwritten after every install/update -# Persistent local customizations -include strawberry.local -# Persistent global definitions -include globals.local - -#noblacklist ${HOME}/.cache/strawberry -noblacklist ${HOME}/.config/strawberry -noblacklist ${HOME}/.local/share/strawberry -noblacklist ${MUSIC} -#whitelist ${HOME}/.cache/strawberry +whitelist ${HOME}/.cache/strawberry whitelist ${HOME}/.config/strawberry whitelist ${HOME}/.local/share/strawberry whitelist ${MUSIC} -include disable-common.inc -include disable-devel.inc -include disable-exec.inc -include disable-interpreters.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-xdg.inc +include disable-shell.inc +include disable-write-mnt.inc -include whitelist-var-common.inc include whitelist-common.inc -caps.drop all #net none -netfilter -nonewprivs -noroot -notv -nou2f -novideo protocol unix,inet,inet6 -# blacklisting of ioprio_set system calls breaks strawberry -seccomp !ioprio -shell none -tracelog -# disable-mnt -private-cache -private-dev private-etc asound.conf,group,localtime,machine-id,pulse,resolv.conf -private-tmp diff --git a/profiles/tome4.profile b/profiles/tome4.profile index 7a6e3b4..ced0cbd 100644 --- a/profiles/tome4.profile +++ b/profiles/tome4.profile @@ -4,6 +4,8 @@ include tome4.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${PATH}/lua* noblacklist /usr/lib/lua noblacklist /usr/include/lua* diff --git a/profiles/toxic.profile b/profiles/toxic.profile index 8b6bd53..33d0cde 100644 --- a/profiles/toxic.profile +++ b/profiles/toxic.profile @@ -13,6 +13,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc mkdir ${HOME}/.config/tox @@ -31,6 +32,7 @@ netfilter no3d nodvd nogroups +noinput nonewprivs noroot notv 
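Review bot: The removed `seccomp !ioprio` line, together with its comment that filtering ioprio_set breaks strawberry, has no counterpart in the slimmed strawberry.local, so the workaround now depends on the upstream strawberry.profile carrying that exception; if it does not, the player breaks under the default seccomp filter. Removing the old self-referential `include strawberry.local` and the duplicated profile body is clearly right. `#net none` stays commented out with no explanation; a short comment on why networking remains enabled would document the decision.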
diff --git a/profiles/unzip.local b/profiles/unzip.local deleted file mode 100644 index 16050b4..0000000 --- a/profiles/unzip.local +++ /dev/null @@ -1 +0,0 @@ -noblacklist ${HOME}/packages/games/GOGLibrary diff --git a/profiles/vlc.local b/profiles/vlc.local index b57bc82..2785bb6 100644 --- a/profiles/vlc.local +++ b/profiles/vlc.local @@ -23,14 +23,13 @@ ignore ipc-namespace # # seccomp breaks integrated file manager on kde applications # # due to syscall name_to_handle_at -# # kcmp syscall required by amdgpu hardware acceleration -seccomp !name_to_handle_at,!kcmp +seccomp !name_to_handle_at dbus-user none dbus-system none -# private-dev breaks lirc support -#ignore private-dev +# # noinput breaks lirc support +# ignore noinput # Allow paths for custom lirc config #whitelist ${HOME}/.lircrc diff --git a/profiles/w3m.local b/profiles/w3m.local index d925ca3..53edfe2 100644 --- a/profiles/w3m.local +++ b/profiles/w3m.local @@ -1,16 +1,4 @@ -mkdir ${HOME}/.w3m -whitelist ${HOME}/.w3m - -ipc-namespace -machine-id protocol inet,inet6 -disable-mnt - -memory-deny-write-execute - -dbus-user none -dbus-system none - # # Use with hardened-malloc package env LD_PRELOAD=/usr/lib/libhardened_malloc.so diff --git a/profiles/weechat.local b/profiles/weechat.local index b9185ff..38d8565 100644 --- a/profiles/weechat.local +++ b/profiles/weechat.local @@ -13,6 +13,7 @@ include disable-exec.inc include disable-interpreters.inc include disable-passwdmgr.inc include disable-programs.inc +include disable-write-mnt.inc include disable-xdg.inc whitelist ${HOME}/.weechat @@ -22,7 +23,6 @@ whitelist ${HOME}/.weechat ignore ipc-namespace machine-id no3d -nodvd nogroups # nosound nou2f diff --git a/profiles/wesnoth.local b/profiles/wesnoth.local index 6a17869..171c05a 100644 --- a/profiles/wesnoth.local +++ b/profiles/wesnoth.local 
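Review bot: w3m.local loses `ipc-namespace`, `machine-id`, `disable-mnt`, `memory-deny-write-execute`, `dbus-user none` and `dbus-system none` in one deletion while keeping `protocol inet,inet6`, so the file now relies on the upstream w3m.profile for all of those; if the 0.9.66 profile does not set one of them, that restriction is silently lost. A comment at the top, e.g. `# # remaining hardening now provided by upstream w3m.profile`, would make the dependence explicit. The same applies to the `novideo` and `protocol` lines deleted from wesnoth.local and the `nodvd` line deleted from weechat.local in this commit.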
@@ -13,6 +13,8 @@ ignore mkdir ${HOME}/.cache/wesnoth ignore whitelist ${HOME}/.cache/wesnoth include disable-exec.inc +include disable-shell.inc +include disable-write-mnt.inc include disable-xdg.inc # # alsa audio will work with ipc-namespace, @@ -23,8 +25,6 @@ ignore net netfilter ignore no3d nogroups -novideo -protocol unix,inet,inet6 shell none tracelog diff --git a/profiles/x4-foundations.profile b/profiles/x4-foundations.profile index eec47ee..e60b8c9 100644 --- a/profiles/x4-foundations.profile +++ b/profiles/x4-foundations.profile @@ -4,6 +4,8 @@ include x4-foundations.local # Persistent global definitions include globals.local +ignore include disable-shell.inc + noblacklist ${HOME}/.config/EgoSoft noblacklist ${HOME}/.config/EgoSoft/X4 -- cgit v1.2.1