Commit 9be82205 authored by Lorenzo Faletra's avatar Lorenzo Faletra

Import Upstream version 0.9.52

parent 59e8b04a
all: apps man filters
MYLIBS = src/lib
APPS = src/firejail src/firemon src/firecfg src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fcopy src/fldd src/libpostexecseccomp
APPS = src/firejail src/firemon src/firecfg src/fnetfilter src/libtrace src/libtracelog src/ftee src/faudit src/fnet src/fseccomp src/fbuilder src/fcopy src/fldd src/libpostexecseccomp
MANPAGES = firejail.1 firemon.1 firecfg.1 firejail-profile.5 firejail-login.5
SECCOMP_FILTERS = seccomp seccomp.debug seccomp.32 seccomp.64 seccomp.block_secondary seccomp.mdwx
......@@ -97,8 +97,10 @@ endif
install -c -m 0644 src/firecfg/firecfg.config $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/faudit/faudit $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnet/fnet $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fnetfilter/fnetfilter $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fcopy/fcopy $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fldd/fldd $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0755 src/fbuilder/fbuilder $(DESTDIR)/$(libdir)/firejail/.
ifeq ($(HAVE_SECCOMP),-DHAVE_SECCOMP)
install -c -m 0755 src/fseccomp/fseccomp $(DESTDIR)/$(libdir)/firejail/.
install -c -m 0644 seccomp $(DESTDIR)/$(libdir)/firejail/.
......@@ -166,9 +168,11 @@ install-strip: all
strip src/ftee/ftee
strip src/faudit/faudit
strip src/fnet/fnet
strip src/fnetfilter/fnetfilter
strip src/fseccomp/fseccomp
strip src/fcopy/fcopy
strip src/fldd/fldd
strip src/fbuilder/fbuilder
$(MAKE) realinstall
uninstall:
......@@ -237,6 +241,9 @@ scan-build: clean
test-profiles:
cd test/profiles; ./profiles.sh | grep TESTING
test-private-lib:
cd test/private-lib; ./private-lib.sh | grep TESTING
test-apps:
cd test/apps; ./apps.sh | grep TESTING
......@@ -269,10 +276,13 @@ test-fs:
test-fcopy:
cd test/fcopy; ./fcopy.sh | grep TESTING
test: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
test-fnetfilter:
cd test/fnetfilter; ./fnetfilter.sh | grep TESTING
test: test-profiles test-private-lib test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-arguments
echo "TEST COMPLETE"
test-travis: test-profiles test-fcopy test-fs test-utils test-sysutils test-environment test-filters test-arguments
test-travis: test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-filters test-arguments
echo "TEST COMPLETE"
##########################################
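Review bot: The new `test-private-lib` and `test-fnetfilter` recipes end in `| grep TESTING`, so the target's exit status is grep's, not the test script's. A failing `./fnetfilter.sh` that still prints one TESTING line leaves `make test` green and printing "TEST COMPLETE". This follows the existing `test-*` targets, but for a check of the sandbox's netfilter handling the failure should propagate, and `cd dir; ./script` should be `cd dir && ./script` so a missing directory stops the recipe. One way that needs no bash is `cd test/fnetfilter && { ./fnetfilter.sh >fnetfilter.log 2>&1; rc=$$?; grep TESTING fnetfilter.log; exit $$rc; }`, assuming the scripts return non-zero on failure, which this page does not show. `test-travis` gains `test-fnetfilter` but not `test-private-lib`; if that is deliberate, a one-line comment saying why would help.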
......
......@@ -35,6 +35,8 @@ Maintainer:
Committers
- Fred-Barclay (https://github.com/Fred-Barclay)
- Reiner Herrmann (https://github.com/reinerh)
- smithsohu (https://github.com/smitsohu)
- SpotComms (https://github.com/SpotComms)
- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer
- Topi Miettinen (https://github.com/topimiettinen)
- netblue30 (netblue30@yahoo.com)
......@@ -76,6 +78,8 @@ andrew160 (https://github.com/andrew160)
- profile and man pages fixes
announ (https://github.com/announ)
- mpv and youtube-dl profile fixes
Antonio Russo (https://github.com/aerusso)
- enumerate root directories in apparmor profile
Austin S. Hemmelgarn (https://github.com/Ferroin)
- unbound profile update
avoidr (https://github.com/avoidr)
......@@ -112,9 +116,15 @@ creideiki (https://github.com/creideiki)
- make the sandbox process reap all children
chiraag-nataraj (https://github.com/chiraag-nataraj)
- support for newer Xpra versions (2.1+)
- added Viber, amule, ardour5, brackets, calligra, cin, fetchmail profiles
- added freecad, google-earth, imagej, kdenlive, linphone, lmms profiles
- added macrofusion, mpd, natron, ricochet, shotcut, tor-browser-en profiles
- added tor, x-terminal-emulator, zart profiles
Christian Stadelmann (https://github.com/genodeftest)
- profile fixes
- evolution profile fix
Clayton Williams (https://github.com/gosre)
- addition of RLIMIT_AS
curiosity-seeker (https://github.com/curiosity-seeker)
- tightening unbound and dnscrypt-proxy profiles
- correct and tighten QuiteRss profile
......@@ -130,6 +140,9 @@ da2x (https://github.com/da2x)
- matched RPM license tag
Daan Bakker (https://github.com/dbakker)
- protect shell startup files
Danil Semelenov (https://github.com/sgtpep)
- blacklist the Electron Cash Wallet
- blacklist s3cmd and s3fs configs
Dara Adib (https://github.com/daradib)
- ssh profile fix
- evince profile fix
......@@ -241,12 +254,16 @@ Impyy (https://github.com/Impyy)
- added mumble profile
irregulator (https://github.com/irregulator)
- thunderbird profile fixes for debian stretch
Irvine (https://github.com/Irvinehimself)
- added conky profile
- added ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch) profiles
Ivan Kozik (https://github.com/ivan)
- speed up sandbox exit
Jaykishan Mutkawoa (https://github.com/jmutkawoa)
- cpio profile
James Elford (https://github.com/jelford)
- pass password manager support
- removed shell none from ssh-agent configuration, fixing the infinit loop
Jericho (https://github.com/attritionorg)
- spelling
Jesse Smith (https://github.com/slicer69)
......@@ -259,12 +276,19 @@ Joan Figueras (https://github.com/figue)
- added cyberfox profile
John Mullee (https://github.com/jmullee)
- fix empty-string assignment in whitelisting code
Jonas Heinrich (https://github.com/onny)
- added signal-desktop profile
- fixed franz profile
jrabe (https://github.com/jrabe)
- disallow access to kdbx files
- Epiphany profile
- Polari profile
- qTox profile
- X11 fixes
juan (https://github.com/nyancat18)
- fixed Kdenlive, Shotcut profiles
- new profiles for Cinelerra, Cliqz, Bluefish
- profile hardening
Kaan Genç (https://github.com/SeriousBug)
- dynamic allocation of noblacklist buffer
KellerFuchs (https://github.com/KellerFuchs)
......@@ -277,6 +301,8 @@ KellerFuchs (https://github.com/KellerFuchs)
- make ~/.local read-only
KOLANICH (https://github.com/KOLANICH)
- added symlink fixer fix_private-bin.py in contrib section
Kunal Mehta (https://github.com/legoktm)
- converted all links to https in manpages
laniakea64 (https://github.com/laniakea64)
- added fj-mkdeb.py script to build deb packages
Lari Rauno (https://github.com/tuutti)
......@@ -306,6 +332,8 @@ Mattias Wadman (https://github.com/wader)
- seccomp errno filter support
Matthew Gyurgyik (https://github.com/pyther)
- rpm spec and several fixes
melvinvermeeren (https://github.com/melvinvermeeren)
- added teamspeak3 profile
Michael Haas (https://github.com/mhaas)
- bugfixes
Mike Frysinger (vapier@gentoo.org)
......@@ -319,6 +347,8 @@ n1trux (https://github.com/n1trux)
netblue30 (netblue30@yahoo.com)
Niklas Haas (https://github.com/haasn)
- blacklisting for keybase.io's client
nyancat18 (https://github.com/nyancat18)
- added ardour4, dooble, karbon, krita profiles
Ondra Nekola (https://github.com/satai)
- allow firefox theming with non-global themes
Panzerfather (https://github.com/Panzerfather)
......@@ -342,6 +372,9 @@ Peter Hogg (https://github.com/pigmonkey)
- fixes for youtube-dl in mpv profile
Petter Reinholdtsen (pere@hungry.com)
- Opera profile patch
PharmaceuticalCobweb (https://github.com/PharmaceuticalCobweb)
- fix quiterss profile
- added profile for gnome-ring
pirate486743186 (https://github.com/pirate486743186)
- KMail profile
Pixel Fairy (https://github.com/xahare)
......@@ -413,8 +446,12 @@ smithsohu (https://github.com/smitsohu)
- improve server profiles, harden musescore
- snap profile cleanup
- tighten some capability sets further
- enhance mutt, goobox, baloo and clementine profiles
soredake (https://github.com/soredake)
- fix steam startup with >=llvm-4
- fix handling of STEAM_RUNTIME_PREFER_HOST_LIBRARIES in steam profile
- fix keepassxc.profile
- fix qtox.profile
SpotComms (https://github.com/SpotComms)
- added Bless, Gnome 2048, Gnome Calculator, Gnome Contacts, JD-GUI, Lollypop, MultiMC5 profiles
- added PDFSam, Pithos, and Xonotic profiles
......@@ -506,6 +543,10 @@ Topi Miettinen (https://github.com/topimiettinen)
- seccomp default list update
- improve loading of seccomp filter and memory-deny-write-execute feature
- private-lib feature
user1024 (user1024@tut.by)
- electron profile whitelisting
- fixed Rocket.Chat profile
- nheko profile
valoq (https://github.com/valoq)
- lots of profile fixes
- added support for /srv in --whitelist feature
......
firejail (0.9.50) baseline; urgency=low
firejail (0.9.52) baseline; urgency=low
* modif: --allow-private-blacklists was deprecated; blacklisting,
read-only, read-write, tmpfs and noexec are allowed in
private home directories
* modif: remount-proc-sys deprecated from firejail.config
* modif: follow-symlink-private-bin deprecated from firejail.config
* modif: --profile-path was deprecated
* enhancement: support Firejail user config directory in firecfg
* enhancement: disable DBus activation in firecfg
* enhancement; enumerate root directories in apparmor profile
* enhancement: /etc and /usr/share whitelisting support
* enhancement: globbing support for --private-bin
* feature: systemd-resolved integration
* feature: whitelisting /var directory in most profiles
* feature: GTK2, GTK3 and Qt4 private-lib support
* feature: --debug-private-lib
* feature: test deployment of private-lib for the following
applications: evince, galculator, gnome-calculator,
leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu,
atril, mate-color-select, tar, file, strings, gpicview,
eom, eog, gedit, pluma
* feature: --writable-run-user
* feature: --rlimit-as
* feature: --rlimit-cpu
* feature: --timeout
* feature: profile build tool (--build)
* feature: --netfilter.print
* feature: --netfilter6.print
* feature: netfilter template support
* new profiles: upstreamed many profiles from the following sources:
https://github.com/chiraag-nataraj/firejail-profiles,
https://github.com/nyancat18/fe,
https://aur.archlinux.org/packages/firejail-profiles.
* new profiles: terasology, surf, rocketchat, clamscan, clamdscan,
clamdtop, freshclam, xmr-stak-cpu, amule, ardour4, ardour5,
brackets, calligra, calligraauthor, calligraconverter, calligraflow,
calligraplan, calligraplanwork, calligrasheets, calligrastage,
calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd,
google-earth,imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion,
mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en,
Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report
cower (Arch), kdeinit4
-- netblue30 <netblue30@yahoo.com> Thu, 7 Dec 2017 08:00:00 -0500
firejail (0.9.50~rc1) baseline; urgency=low
* release pending!
* modif: --output split in two commands, --output and --output-stderr
* feature: per-profile disable-mnt (--disable-mnt)
* feature: per-profile support to set X11 Xephyr screen size (--xephyr-screen)
......@@ -29,7 +78,7 @@ firejail (0.9.50) baseline; urgency=low
* new profiles: truecraft, gnome-twitch, tuxguitar, musescore, neverball
* new profiles: sqlitebrowse, Yandex Browser, minetest
* bugfixes
-- netblue30 <netblue30@yahoo.com> Thu, 7 Sep 2017 08:00:00 -0500
-- netblue30 <netblue30@yahoo.com> Mon, 12 Jun 2017 20:00:00 -0500
firejail (0.9.48) baseline; urgency=low
* modifs: whitelisted Transmission, Deluge, qBitTorrent, KTorrent;
......@@ -230,7 +279,7 @@ firejail (0.9.42) baseline; urgency=low
* feature: option to fix desktop files (firecfg --fix)
* compile time: Busybox support (--enable-busybox-workaround)
* compile time: disable overlayfs (--disable-overlayfs)
* compile time: disable whitlisting (--disable-whitelist)
* compile time: disable whitelisting (--disable-whitelist)
* compile time: disable global config (--disable-globalcfg)
* run time: enable/disable overlayfs (overlayfs yes/no)
* run time: enable/disable quiet as default (quiet-by-default yes/no)
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for firejail 0.9.50.
# Generated by GNU Autoconf 2.69 for firejail 0.9.52.
#
# Report bugs to <netblue30@yahoo.com>.
#
......@@ -580,8 +580,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='firejail'
PACKAGE_TARNAME='firejail'
PACKAGE_VERSION='0.9.50'
PACKAGE_STRING='firejail 0.9.50'
PACKAGE_VERSION='0.9.52'
PACKAGE_STRING='firejail 0.9.52'
PACKAGE_BUGREPORT='netblue30@yahoo.com'
PACKAGE_URL='http://firejail.wordpress.com'
......@@ -1276,7 +1276,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures firejail 0.9.50 to adapt to many kinds of systems.
\`configure' configures firejail 0.9.52 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1338,7 +1338,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of firejail 0.9.50:";;
short | recursive ) echo "Configuration of firejail 0.9.52:";;
esac
cat <<\_ACEOF
......@@ -1446,7 +1446,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
firejail configure 0.9.50
firejail configure 0.9.52
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -1748,7 +1748,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by firejail $as_me 0.9.50, which was
It was created by firejail $as_me 0.9.52, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -3823,7 +3823,7 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
ac_config_files="$ac_config_files Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
......@@ -4367,7 +4367,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by firejail $as_me 0.9.50, which was
This file was extended by firejail $as_me 0.9.52, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -4421,7 +4421,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
firejail config.status 0.9.50
firejail config.status 0.9.52
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......@@ -4537,10 +4537,12 @@ do
"src/fcopy/Makefile") CONFIG_FILES="$CONFIG_FILES src/fcopy/Makefile" ;;
"src/fnet/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnet/Makefile" ;;
"src/firejail/Makefile") CONFIG_FILES="$CONFIG_FILES src/firejail/Makefile" ;;
"src/fnetfilter/Makefile") CONFIG_FILES="$CONFIG_FILES src/fnetfilter/Makefile" ;;
"src/firemon/Makefile") CONFIG_FILES="$CONFIG_FILES src/firemon/Makefile" ;;
"src/libtrace/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtrace/Makefile" ;;
"src/libtracelog/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtracelog/Makefile" ;;
"src/firecfg/Makefile") CONFIG_FILES="$CONFIG_FILES src/firecfg/Makefile" ;;
"src/fbuilder/Makefile") CONFIG_FILES="$CONFIG_FILES src/fbuilder/Makefile" ;;
"src/ftee/Makefile") CONFIG_FILES="$CONFIG_FILES src/ftee/Makefile" ;;
"src/faudit/Makefile") CONFIG_FILES="$CONFIG_FILES src/faudit/Makefile" ;;
"src/fseccomp/Makefile") CONFIG_FILES="$CONFIG_FILES src/fseccomp/Makefile" ;;
......
AC_PREREQ([2.68])
AC_INIT(firejail, 0.9.50, netblue30@yahoo.com, , http://firejail.wordpress.com)
AC_INIT(firejail, 0.9.52, netblue30@yahoo.com, , http://firejail.wordpress.com)
AC_CONFIG_SRCDIR([src/firejail/main.c])
#AC_CONFIG_HEADERS([config.h])
......@@ -175,8 +175,8 @@ if test "$prefix" = /usr; then
sysconfdir="/etc"
fi
AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile \
src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile \
AC_OUTPUT(Makefile src/lib/Makefile src/fcopy/Makefile src/fnet/Makefile src/firejail/Makefile src/fnetfilter/Makefile \
src/firemon/Makefile src/libtrace/Makefile src/libtracelog/Makefile src/firecfg/Makefile src/fbuilder/Makefile \
src/ftee/Makefile src/faudit/Makefile src/fseccomp/Makefile src/fldd/Makefile src/libpostexecseccomp/Makefile)
echo
......
#!/bin/sh
# Purpose: Fetch, compile, and install firejail from GitHub source. For
# Debian-based distros only (Ubuntu, Mint, etc).
# Debian-based distros only (Ubuntu, Mint, etc).
set -e
git clone --depth=1 https://www.github.com/netblue30/firejail.git
git clone --depth=1 https://github.com/netblue30/firejail.git
cd firejail
./configure --prefix=/usr
make deb
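Review bot: The `git clone --depth=1` on the changed line builds whatever the default branch tip is at run time, with no tag, commit or signature check before `./configure` and `make deb` run. For a script whose purpose is to build and install a sandbox, the source should be pinned, e.g. `git clone --depth=1 --branch "$FIREJAIL_TAG" https://github.com/netblue30/firejail.git`, where FIREJAIL_TAG is a placeholder for a release tag the user sets. If upstream signs its tags, which this page does not show, `git verify-tag "$FIREJAIL_TAG"` after `cd firejail` would add an authenticity check. The script continues beyond the lines shown here.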
......
......@@ -5,21 +5,21 @@ include /etc/firejail/0ad.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ~/.cache/0ad
noblacklist ~/.config/0ad
noblacklist ~/.local/share/0ad
noblacklist ${HOME}/.cache/0ad
noblacklist ${HOME}/.config/0ad
noblacklist ${HOME}/.local/share/0ad
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
mkdir ~/.cache/0ad
mkdir ~/.config/0ad
mkdir ~/.local/share/0ad
whitelist ~/.cache/0ad
whitelist ~/.config/0ad
whitelist ~/.local/share/0ad
mkdir ${HOME}/.cache/0ad
mkdir ${HOME}/.config/0ad
mkdir ${HOME}/.local/share/0ad
whitelist ${HOME}/.cache/0ad
whitelist ${HOME}/.config/0ad
whitelist ${HOME}/.local/share/0ad
include /etc/firejail/whitelist-common.inc
caps.drop all
......
......@@ -5,14 +5,16 @@ include /etc/firejail/2048-qt.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ~/.config/2048-qt
noblacklist ~/.config/xiaoyong
noblacklist ${HOME}/.config/2048-qt
noblacklist ${HOME}/.config/xiaoyong
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/whitelist-var-common.inc
caps.drop all
netfilter
nodvd
......
......@@ -6,6 +6,7 @@ include /etc/firejail/7z.local
# Persistent global definitions
include /etc/firejail/globals.local
blacklist /run/user/*/bus
blacklist /tmp/.X11-unix
ignore noroot
......
......@@ -13,11 +13,11 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
mkdir ~/.Mathematica
mkdir ~/.Wolfram Research
whitelist ~/.Mathematica
whitelist ~/.Wolfram Research
whitelist ~/Documents/Wolfram Mathematica
mkdir ${HOME}/.Mathematica
mkdir ${HOME}/.Wolfram Research
whitelist ${HOME}/.Mathematica
whitelist ${HOME}/.Wolfram Research
whitelist ${HOME}/Documents/Wolfram Mathematica
include /etc/firejail/whitelist-common.inc
caps.drop all
......
# Firejail profile alias for natron
# This file is overwritten after every install/update
# Redirect
include /etc/firejail/natron.profile
......@@ -6,8 +6,8 @@ include /etc/firejail/Thunar.local
include /etc/firejail/globals.local
noblacklist ${HOME}/.local/share/Trash
noblacklist ~/.config/Thunar
noblacklist ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
noblacklist ${HOME}/.config/Thunar
noblacklist ${HOME}/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
......
# Firejail profile for Viber
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/Viber.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ${HOME}/.ViberPC
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
whitelist ${DOWNLOADS}
whitelist ${HOME}/.ViberPC
include /etc/firejail/whitelist-common.inc
caps.drop all
ipc-namespace
netfilter
nodvd
nogroups
nonewprivs
noroot
notv
protocol unix,inet,inet6
seccomp
shell none
disable-mnt
private-bin sh,bash,dig,awk,Viber
private-etc hosts,fonts,mailcap,resolv.conf,X11,pulse,alternatives,localtime,nsswitch.conf,ssl,proxychains.conf
private-tmp
noexec ${HOME}
noexec /tmp
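Review bot: `private-bin sh,bash,dig,awk,Viber` leaves two shells and awk inside the sandbox, while the profile also sets `shell none` and `noexec` on `${HOME}` and `/tmp`. The noexec mounts only block direct execution of files there; a script handed to one of the retained interpreters still runs, so each one weakens that hardening. Add a comment above the line saying which helpers Viber's launcher actually needs, for example `# sh/bash/awk/dig: required by the Viber start script - confirm`, and drop any that are not needed. This new profile also omits `include /etc/firejail/whitelist-var-common.inc`, which the same commit adds to 2048-qt.profile; if Viber needs more of /var, a comment should say so.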
......@@ -5,34 +5,34 @@ include /etc/firejail/abrowser.local
# Persistent global definitions
include /etc/firejail/globals.local
noblacklist ~/.cache/mozilla
noblacklist ~/.mozilla
noblacklist ~/.pki
noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
noblacklist ${HOME}/.pki
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-programs.inc
mkdir ~/.cache/mozilla/abrowser
mkdir ~/.mozilla
mkdir ${HOME}/.cache/mozilla/abrowser
mkdir ${HOME}/.mozilla
whitelist ${DOWNLOADS}
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.cache/mozilla/abrowser
whitelist ~/.config/gnome-mplayer
whitelist ~/.config/pipelight-silverlight5.1
whitelist ~/.config/pipelight-widevine
whitelist ~/.keysnail.js
whitelist ~/.lastpass
whitelist ~/.mozilla
whitelist ~/.pentadactyl
whitelist ~/.pentadactylrc
whitelist ~/.pki
whitelist ~/.vimperator
whitelist ~/.vimperatorrc
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64