Commit 55938d07 authored by smitsohu's avatar smitsohu

disable non-abstract session bus address

systematically blacklist /run/user/*/bus in all profiles with
'net none'. targets distros like Fedora
parent 162d5355
......@@ -6,6 +6,7 @@ include /etc/firejail/7z.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
ignore noroot
......
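Review bot: The added `blacklist /run/user/*/bus` line has no comment explaining its purpose, and the same bare line lands in every other profile touched by this commit. Going by the commit message it pairs with `net none`: a new network namespace cuts off abstract sockets, but a session bus listening on a filesystem socket stays reachable unless the path is hidden. A one-line comment above it, such as `# net none does not cover the filesystem session bus socket`, would stop a later edit from dropping one of the two and leaving the other. The rule only matches this one path, so a bus configured at a different filesystem address would still be reachable; that limit is worth stating in the same comment. The rest of the profile, including its `net none` line, is outside the visible hunk.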
......@@ -6,6 +6,7 @@ include /etc/firejail/apktool.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-passwdmgr.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/ardour5.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/ardour4
noblacklist ${HOME}/.config/ardour5
......
......@@ -5,6 +5,8 @@ include /etc/firejail/atom.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus
noblacklist ~/.atom
noblacklist ~/.config/Atom
......@@ -13,6 +15,7 @@ include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
# net none
netfilter
nodvd
nogroups
......@@ -23,7 +26,6 @@ notv
novideo
protocol unix,inet,inet6,netlink
seccomp
# net none
shell none
private-dev
......
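Review bot: The commented-out `# blacklist /run/user/*/bus` at the top of this section gives no reason for being disabled, unlike the `- makes settings immutable` entries in other profiles; evince, pcmanfm and skanlite have the same bare form. Here it appears to track `# net none`, which this commit moves up but leaves commented out, so something like `# blacklist /run/user/*/bus - enable together with net none` would make the pairing explicit. For the other three, the reason the bus stays reachable should be written next to the line, since a reader cannot tell a deliberate exception from an oversight.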
......@@ -5,6 +5,8 @@ include /etc/firejail/audacity.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.audacity-data
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/baobab.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/bleachbit.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/bless.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/bless
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/bluefish.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/calligra.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
......
......@@ -7,7 +7,11 @@ include /etc/firejail/globals.local
# We can't blacklist much since catfish
# is for finding files/content
blacklist /run/user/*/bus
noblacklist ~/.config/catfish
include /etc/firejail/disable-common.inc
# include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/cin.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.bcast5
include /etc/firejail/disable-common.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/clamav.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
caps.drop all
ipc-namespace
......
......@@ -6,6 +6,7 @@ include /etc/firejail/cpio.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
noblacklist /sbin
......
......@@ -6,6 +6,7 @@ include /etc/firejail/dex2jar.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/dia.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.dia
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/display.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
# Firejail profile alias for calibre
# This file is overwritten after every install/update
blacklist /run/user/*/bus
net none
......
......@@ -5,6 +5,7 @@ include /etc/firejail/engrampa.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
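Review bot: Leaving `# blacklist /run/user/*/bus - makes settings immutable` commented out means this profile keeps session bus access on systems with a filesystem bus socket, and the comment records the usability reason but not that consequence. The same choice is made for eog, eom, file-roller, gedit and pluma. If these profiles run with `net none` (not visible in the hunk), the sandboxed program can still talk to session services outside the sandbox, so I would extend the comment, e.g. `# blacklist /run/user/*/bus - makes settings immutable; session bus stays reachable`. Users who prefer isolation over saved settings then know which line to enable.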
......@@ -5,6 +5,8 @@ include /etc/firejail/eog.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
noblacklist ~/.Steam
noblacklist ~/.config/eog
noblacklist ~/.local/share/Trash
......
......@@ -5,6 +5,8 @@ include /etc/firejail/eom.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
noblacklist ~/.Steam
noblacklist ~/.config/mate/eom
noblacklist ~/.local/share/Trash
......
......@@ -5,6 +5,8 @@ include /etc/firejail/etr.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.etr
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/evince.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus
noblacklist ~/.config/evince
include /etc/firejail/disable-common.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/exiftool.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
noblacklist /usr/bin/perl
......
......@@ -5,6 +5,7 @@ include /etc/firejail/feh.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -6,6 +6,8 @@ include /etc/firejail/ffmpeg.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/file-roller.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/file.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/freecad.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/FreeCAD
......
......@@ -5,6 +5,8 @@ include /etc/firejail/frozen-bubble.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.frozen-bubble
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/galculator.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.config/galculator
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/gedit.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
noblacklist ${HOME}/.config/enchant
noblacklist ${HOME}/.config/gedit
......
......@@ -5,6 +5,8 @@ include /etc/firejail/gimp.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.gimp*
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/gpicview.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.config/gpicview
include /etc/firejail/disable-common.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/gzip.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
ignore noroot
......
......@@ -6,6 +6,8 @@ include /etc/firejail/hashcat.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.hashcat
noblacklist /usr/include
......
......@@ -5,6 +5,7 @@ include /etc/firejail/highlight.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/hugin.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.hugin
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/imagej.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.imagej
......
......@@ -5,6 +5,7 @@ include /etc/firejail/img2txt.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/jd-gui.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/jd-gui.cfg
noblacklist ${HOME}/.java
......
......@@ -5,6 +5,7 @@ include /etc/firejail/kdenlive.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/keepassx.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassx
......
......@@ -5,6 +5,8 @@ include /etc/firejail/keepassxc.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/krita.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/less.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
ignore noroot
......
......@@ -5,6 +5,7 @@ include /etc/firejail/lmms.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.lmmsrc.xml
......
......@@ -5,6 +5,7 @@ include /etc/firejail/macrofusion.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/mfusion
......
......@@ -5,6 +5,8 @@ include /etc/firejail/mate-calc.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/mate-calc
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/mediainfo.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/meld.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.local/share/meld
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/mupdf.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/mupen64plus.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/mupen64plus
noblacklist ${HOME}/.local/share/mupen64plus
......
......@@ -5,6 +5,7 @@ include /etc/firejail/natron.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.Natron
noblacklist ${HOME}/.cache/INRIA/Natron
......@@ -17,7 +18,7 @@ include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
net none
nodvd
nogroups
nonewprivs
......@@ -26,7 +27,6 @@ notv
protocol unix,inet,inet6
seccomp
shell none
net none
private-bin natron,Natron,NatronRenderer
......
......@@ -5,6 +5,7 @@ include /etc/firejail/odt2txt.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/open-invaders.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.openinvaders
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/pcmanfm.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus
noblacklist ${HOME}/.local/share/Trash
noblacklist ~/.config/libfm
noblacklist ~/.config/pcmanfm
......
......@@ -5,6 +5,7 @@ include /etc/firejail/pdfmod.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.cache/pdfmod
noblacklist ${HOME}/.config/pdfmod
......
......@@ -5,6 +5,8 @@ include /etc/firejail/pdfsam.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.java
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/pdftotext.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/peek.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.cache/peek
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/pingus.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.pingus
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/pinta.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/Pinta
......
......@@ -5,6 +5,8 @@ include /etc/firejail/pluma.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus - makes settings immutable
noblacklist ${HOME}/.config/pluma
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/ranger.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
# noblacklist /usr/bin/cpan*
noblacklist /usr/bin/perl
noblacklist /usr/lib/perl*
......
......@@ -5,6 +5,8 @@ include /etc/firejail/scribus.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
# Support for PDF readers comes with Scribus 1.5 and higher
noblacklist ~/.config/okularpartrc
noblacklist ~/.config/okularrc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/sdat2img.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/shotcut.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/Meltytech
......
......@@ -5,6 +5,8 @@ include /etc/firejail/simutrans.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.simutrans
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/skanlite.local
# Persistent global definitions
include /etc/firejail/globals.local
# blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,7 @@ include /etc/firejail/soundconverter.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/sqlitebrowser.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ${HOME}/.config/sqlitebrowser
include /etc/firejail/disable-common.inc
......
......@@ -6,6 +6,7 @@ include /etc/firejail/strings.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
ignore noroot
......
......@@ -5,6 +5,8 @@ include /etc/firejail/supertux2.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
noblacklist ~/.local/share/supertux2
include /etc/firejail/disable-common.inc
......
......@@ -5,6 +5,8 @@ include /etc/firejail/synfigstudio.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus