diff --git a/README.md b/README.md
index bc8ed26f03d..5c07954e956 100644
--- a/README.md
+++ b/README.md
@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
 penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded
diff --git a/RELNOTES b/RELNOTES
index a06f3b23a9e..1f0ee532660 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -36,7 +36,8 @@ firejail (0.9.63) baseline; urgency=low
 * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
 * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
 * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im, strawberry
- * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication
+ * new profiles: hitori, bijiben, gnote, gnubik, ZeGrapher, xonotic-sdl-wrapper
+ * new profiles: gapplication, openarena_ded
 -- netblue30 Tue, 21 Apr 2020 08:00:00 -0500
 firejail (0.9.62) baseline; urgency=low
diff --git a/etc/profile-a-l/flameshot.profile b/etc/profile-a-l/flameshot.profile
index 207f8707486..7c41417ec44 100644
--- a/etc/profile-a-l/flameshot.profile
+++ b/etc/profile-a-l/flameshot.profile
@@ -8,6 +8,7 @@ include flameshot.local
 include globals.local
 noblacklist ${PICTURES}
+noblacklist ${HOME}/.config/Dharkael
 include disable-common.inc
 include disable-devel.inc
@@ -18,7 +19,13 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+#whitelist ${PICTURES}
+#whitelist ${HOME}/.config/Dharkael
+whitelist /usr/share/flameshot
+#include whitelist-common.inc
 include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
@@ -35,13 +42,15 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
 private-bin flameshot
 private-cache
-private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,pki,resolv.conf,ssl
+private-etc alternatives,ca-certificates,crypto-policies,fonts,ld.so.conf,machine-id,pki,resolv.conf,ssl
 private-dev
 private-tmp
-# dbus-user none
-# dbus-system none
+dbus-user filter
+dbus-user.own org.dharkael.Flameshot
+dbus-system none
diff --git a/etc/profile-a-l/frogatto.profile b/etc/profile-a-l/frogatto.profile
index 06f13e8c6c5..653272499ff 100644
--- a/etc/profile-a-l/frogatto.profile
+++ b/etc/profile-a-l/frogatto.profile
@@ -20,6 +20,7 @@ mkdir ${HOME}/.frogatto
 whitelist ${HOME}/.frogatto
 whitelist /usr/share/frogatto
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-a-l/ghostwriter.profile b/etc/profile-a-l/ghostwriter.profile
index d7b46263d85..5bb410278f5 100644
--- a/etc/profile-a-l/ghostwriter.profile
+++ b/etc/profile-a-l/ghostwriter.profile
@@ -24,6 +24,7 @@ whitelist /usr/share/ghostwriter
 whitelist /usr/share/mozilla-dicts
 whitelist /usr/share/texlive
 whitelist /usr/share/pandoc*
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 apparmor
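Review bot: In the third flameshot hunk, `dbus-user filter` is paired with a single `dbus-user.own org.dharkael.Flameshot` rule and no `dbus-user.talk` rules, so any session-bus service the application contacts beyond owning its own name — desktop notifications via org.freedesktop.Notifications, or a status-notifier tray item — would be blocked; I cannot tell from the hunk whether flameshot relies on those, so please confirm with a run under the profile and either add the required `dbus-user.talk` lines or record that the filter is intentionally minimal. In the second hunk, `#whitelist ${PICTURES}` and `#whitelist ${HOME}/.config/Dharkael` stay commented while `whitelist /usr/share/flameshot` is live; a one-line comment such as `# Uncomment the two ${HOME} whitelists above to confine the sandbox to the screenshot and config directories` would make the opt-in intent clear to the next editor.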
diff --git a/etc/profile-a-l/gnome-latex.profile b/etc/profile-a-l/gnome-latex.profile
index ea4151137e1..eb5e9ec4085 100644
--- a/etc/profile-a-l/gnome-latex.profile
+++ b/etc/profile-a-l/gnome-latex.profile
@@ -49,3 +49,5 @@ private-cache
 private-dev
 # passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
 private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
+
+dbus-system none
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index d1893e41284..6e35299be74 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -23,6 +23,17 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+#mkdir ${HOME}/Documents/KeePassXC
+#whitelist ${HOME}/Documents/KeePassXC
+# Needed for KeePassXC-Browser
+#mkfile ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#whitelist ${HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json
+#mkdir ${HOME}/.config/keepassxc
+#whitelist ${HOME}/.config/keepassxc
+#include whitelist-common.inc
+
 whitelist /usr/share/keepassxc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/minetest.profile b/etc/profile-m-z/minetest.profile
index fa7d9edb0d2..1da430ce6ed 100644
--- a/etc/profile-m-z/minetest.profile
+++ b/etc/profile-m-z/minetest.profile
@@ -6,6 +6,9 @@ include minetest.local
 # Persistent global definitions
 include globals.local
+# In order to save in-game screenshots to a persistent location edit ~/.minetest/minetest.conf:
+# screenshot_path = /home//.minetest/screenshots
+
 noblacklist ${HOME}/.cache/minetest
 noblacklist ${HOME}/.minetest
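Review bot: The keepassxc whitelist template hard-codes `${HOME}/Documents/KeePassXC` in the comment and in the `#mkdir`/`#whitelist` pair; firejail's `${DOCUMENTS}` macro follows the user's XDG user-dirs configuration, so `#mkdir ${DOCUMENTS}/KeePassXC` and `#whitelist ${DOCUMENTS}/KeePassXC` would also serve users whose Documents folder is localized or relocated, and it matches the `${PICTURES}` usage in flameshot.profile in this same commit. The first comment line also has a typo: `adding to you keepassxc.local` should read `adding to your keepassxc.local`.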
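Review bot: The minetest comment `# screenshot_path = /home//.minetest/screenshots` has an empty path component between the two slashes; presumably a username placeholder was lost, and as written a reader copying the value gets a directory that does not exist. Since this is a minetest.conf setting rather than a firejail directive, `${HOME}` does not expand here, so spell the placeholder out — `# screenshot_path = /home/<user>/.minetest/screenshots` — or tell the reader to substitute their own home directory.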
diff --git a/etc/profile-m-z/openarena.profile b/etc/profile-m-z/openarena.profile
index 3b15a6e42e5..45682fc3125 100644
--- a/etc/profile-m-z/openarena.profile
+++ b/etc/profile-m-z/openarena.profile
@@ -16,30 +16,35 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+mkdir ${HOME}/.openarena
+whitelist ${HOME}/.openarena
+whitelist /usr/share/openarena
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.in
 include whitelist-var-common.inc
 apparmor
 caps.drop all
-# ipc-namespace
-# netfilter
-# nodvd
-# nogroups
+netfilter
+nodvd
+nogroups
 nonewprivs
 noroot
 notv
-# nou2f
+nou2f
 novideo
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# tracelog
+tracelog
-# disable-mnt
-# private-bin openarena
+disable-mnt
+private-bin bash,cut,glxinfo,grep,head,openarena,openarena_ded,quake3,zenity
 private-cache
 private-dev
-# private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
+private-etc drirc,machine-id,openal,passwd,selinux,udev,xdg
 private-tmp
-# dbus-user none
-# dbus-system none
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/openarena_ded.profile b/etc/profile-m-z/openarena_ded.profile
new file mode 100644
index 00000000000..c529e7e1183
--- /dev/null
+++ b/etc/profile-m-z/openarena_ded.profile
@@ -0,0 +1,5 @@
+# Firejail profile alias for openarena
+# This file is overwritten after every install/update
+
+# Redirect
+include openarena.profile
diff --git a/etc/profile-m-z/tremulous.profile b/etc/profile-m-z/tremulous.profile
index 66a536008a8..67463a999b6 100644
--- a/etc/profile-m-z/tremulous.profile
+++ b/etc/profile-m-z/tremulous.profile
@@ -19,7 +19,10 @@ include disable-xdg.inc
 mkdir ${HOME}/.tremulous
 whitelist ${HOME}/.tremulous
+whitelist /usr/share/tremulous
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 caps.drop all
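Review bot: `+include whitelist-usr-share-common.in` in the openarena hunk is missing the trailing `c` — the file is `whitelist-usr-share-common.inc`, as the tremulous and xonotic hunks in this same commit spell it. As far as I know firejail treats an unreadable include that is not a `.local` file as a fatal error, so as committed the openarena sandbox (and openarena_ded, which redirects to it) would refuse to start; the fix is `include whitelist-usr-share-common.inc`. Separately, `# ipc-namespace` is deleted rather than enabled while every other commented option is switched on; a short comment on why IPC namespacing stays off, or keeping the line commented, would preserve the intent.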
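Review bot: The new openarena_ded.profile has no `include openarena_ded.local` line, whereas xonotic-sdl-wrapper.profile added in this same commit includes `xonotic-sdl-wrapper.local` before its redirect. Without it a user cannot override the alias locally except by editing the installed file, which the header says is overwritten on every update; add `include openarena_ded.local` after the second comment line to match the other alias.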
diff --git a/etc/profile-m-z/xonotic-sdl-wrapper.profile b/etc/profile-m-z/xonotic-sdl-wrapper.profile
new file mode 100644
index 00000000000..6f0c7cf4cc4
--- /dev/null
+++ b/etc/profile-m-z/xonotic-sdl-wrapper.profile
@@ -0,0 +1,6 @@
+# Firejail profile alias for xonotic
+# This file is overwritten after every install/update
+include xonotic-sdl-wrapper.local
+
+# Redirect
+include xonotic.profile
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 949988c3b37..aa8cc7d0ef6 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -14,12 +14,17 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 mkdir ${HOME}/.xonotic
 whitelist ${HOME}/.xonotic
+whitelist /usr/share/xonotic
 include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
+apparmor
 caps.drop all
 netfilter
 nodvd
@@ -32,12 +37,17 @@ novideo
 protocol unix,inet,inet6
 seccomp
 shell none
+tracelog
 disable-mnt
-private-bin bash,blind-id,darkplaces-glx,darkplaces-sdl,dirname,grep,ldd,netstat,ps,readlink,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl
+private-cache
+private-bin basename,bash,blind-id,cut,darkplaces-glx,darkplaces-sdl,dirname,glxinfo,grep,head,ldd,netstat,ps,readlink,sed,sh,uname,xonotic,xonotic-glx,xonotic-linux32-dedicated,xonotic-linux32-glx,xonotic-linux32-sdl,xonotic-linux64-dedicated,xonotic-linux64-glx,xonotic-linux64-sdl,xonotic-sdl,xonotic-sdl-wrapper,zenity
 private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 dbus-user none
 dbus-system none
+
+read-only ${HOME}
+read-write ${HOME}/.xonotic
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 34f6bf49779..6c377949841 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -522,6 +522,7 @@ ooffice
 ooviewdoc
 open-invaders
 openarena
+openarena_ded
 opencity
 openclonk
 openoffice.org
@@ -783,6 +784,7 @@ xmr-stak
 xonotic
 xonotic-glx
 xonotic-sdl
+xonotic-sdl-wrapper
 xournal
 xpdf
 xplayer