
add first profiles

encrypt 7 years ago
commit
1da56ffd6c
11 changed files with 585 additions and 0 deletions
  1. 15 0
      default.profile
  2. 171 0
      disable-common.inc
  3. 63 0
      disable-devel.inc
  4. 7 0
      disable-passwdmgr.inc
  5. 140 0
      disable-programs.inc
  6. 30 0
      firefox.profile
  7. 78 0
      firejail.config
  8. 14 0
      login.users
  9. 18 0
      sxiv.profile
  10. 31 0
      whitelist-common.inc
  11. 18 0
      zathura.profile

+ 15 - 0
default.profile

@@ -0,0 +1,15 @@
+################################
+# Generic GUI application profile
+################################
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+#blacklist ${HOME}/.wine
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6
+seccomp
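Review bot: `#blacklist ${HOME}/.wine` is a dead line: it is commented out, and `${HOME}/.wine` is already blacklisted by the included disable-programs.inc, so it should be dropped rather than left as a stale note. This is also the only profile in the set that does not include disable-devel.inc; if that is deliberate for a generic profile (some GUI programs embed interpreters), a one-line comment on the include block, e.g. `# disable-devel.inc intentionally not included: generic profile`, would keep a later cleanup from "fixing" it.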

+ 171 - 0
disable-common.inc

@@ -0,0 +1,171 @@
+# History files in $HOME
+blacklist-nolog ${HOME}/.history
+blacklist-nolog ${HOME}/.*_history
+blacklist ${HOME}/.local/share/systemd
+blacklist-nolog ${HOME}/.adobe
+blacklist-nolog ${HOME}/.macromedia
+read-only ${HOME}/.local/share/applications
+
+# X11 session autostart
+blacklist ${HOME}/.xinitrc
+blacklist ${HOME}/.xprofile
+blacklist ${HOME}/.config/autostart
+blacklist /etc/xdg/autostart
+blacklist ${HOME}/.kde4/Autostart
+blacklist ${HOME}/.kde4/share/autostart
+blacklist ${HOME}/.kde/Autostart
+blacklist ${HOME}/.kde/share/autostart
+blacklist ${HOME}/.config/plasma-workspace/shutdown
+blacklist ${HOME}/.config/plasma-workspace/env
+blacklist ${HOME}/.config/lxsession/LXDE/autostart
+blacklist ${HOME}/.fluxbox/startup
+blacklist ${HOME}/.config/openbox/autostart
+blacklist ${HOME}/.config/openbox/environment
+blacklist ${HOME}/.gnomerc
+blacklist /etc/X11/Xsession.d/
+
+# VirtualBox
+blacklist ${HOME}/.VirtualBox
+blacklist ${HOME}/VirtualBox VMs
+blacklist ${HOME}/.config/VirtualBox
+
+# VeraCrypt
+blacklist ${PATH}/veracrypt
+blacklist ${PATH}/veracrypt-uninstall.sh
+blacklist /usr/share/veracrypt
+blacklist /usr/share/applications/veracrypt.*
+blacklist /usr/share/pixmaps/veracrypt.*
+blacklist ${HOME}/.VeraCrypt
+
+# var
+blacklist /var/spool/cron
+blacklist /var/spool/anacron
+blacklist /var/run/acpid.socket
+blacklist /var/run/minissdpd.sock
+blacklist /var/run/rpcbind.sock
+blacklist /var/run/mysqld/mysqld.sock
+blacklist /var/run/mysql/mysqld.sock
+blacklist /var/lib/mysqld/mysql.sock
+blacklist /var/lib/mysql/mysql.sock
+blacklist /var/run/docker.sock
+
+# etc
+blacklist /etc/cron.*
+blacklist /etc/profile.d
+blacklist /etc/rc.local
+blacklist /etc/anacrontab
+
+# General startup files
+read-only ${HOME}/.xinitrc
+read-only ${HOME}/.xserverrc
+read-only ${HOME}/.profile
+
+# Shell startup files
+read-only ${HOME}/.antigen
+read-only ${HOME}/.bash_login
+read-only ${HOME}/.bashrc
+read-only ${HOME}/.bash_profile
+read-only ${HOME}/.bash_logout
+read-only ${HOME}/.zsh.d
+read-only ${HOME}/.zshenv
+read-only ${HOME}/.zshrc
+read-only ${HOME}/.zshrc.local
+read-only ${HOME}/.zlogin
+read-only ${HOME}/.zprofile
+read-only ${HOME}/.zlogout
+read-only ${HOME}/.zsh_files
+read-only ${HOME}/.tcshrc
+read-only ${HOME}/.cshrc
+read-only ${HOME}/.csh_files
+read-only ${HOME}/.profile
+
+# Initialization files that allow arbitrary command execution
+read-only ${HOME}/.caffrc
+read-only ${HOME}/.dotfiles
+read-only ${HOME}/dotfiles
+read-only ${HOME}/.mailcap
+read-only ${HOME}/.exrc
+read-only ${HOME}/_exrc
+read-only ${HOME}/.vimrc
+read-only ${HOME}/_vimrc
+read-only ${HOME}/.gvimrc
+read-only ${HOME}/_gvimrc
+read-only ${HOME}/.vim
+read-only ${HOME}/.emacs
+read-only ${HOME}/.emacs.d
+read-only ${HOME}/.nano
+read-only ${HOME}/.tmux.conf
+read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
+read-only ${HOME}/.reportbugrc
+read-only ${HOME}/.xmonad
+read-only ${HOME}/.xscreensaver
+
+# The user ~/bin directory can override commands such as ls
+read-only ${HOME}/bin
+
+# top secret
+blacklist ${HOME}/.ssh
+blacklist ${HOME}/.cert
+blacklist ${HOME}/.gnome2/keyrings
+blacklist ${HOME}/.kde4/share/apps/kwallet
+blacklist ${HOME}/.kde/share/apps/kwallet
+blacklist ${HOME}/.local/share/kwalletd
+blacklist ${HOME}/.config/keybase
+blacklist ${HOME}/.netrc
+blacklist ${HOME}/.gnupg
+blacklist ${HOME}/.caff
+blacklist ${HOME}/.smbcredentials
+blacklist ${HOME}/*.kdbx
+blacklist ${HOME}/*.kdb
+blacklist ${HOME}/*.key
+blacklist /etc/shadow
+blacklist /etc/gshadow
+blacklist /etc/passwd-
+blacklist /etc/group-
+blacklist /etc/shadow-
+blacklist /etc/gshadow-
+blacklist /etc/passwd+
+blacklist /etc/group+
+blacklist /etc/shadow+
+blacklist /etc/gshadow+
+blacklist /etc/ssh
+blacklist /var/backup
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+# system directories	
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# prevent lxterminal connecting to an existing lxterminal session
+blacklist /tmp/.lxterminal-socket*
+
+# disable terminals running as server resulting in sandbox escape
+blacklist ${PATH}/gnome-terminal
+blacklist ${PATH}/gnome-terminal.wrapper
+blacklist ${PATH}/xfce4-terminal
+blacklist ${PATH}/xfce4-terminal.wrapper
+blacklist ${PATH}/mate-terminal
+blacklist ${PATH}/mate-terminal.wrapper
+blacklist ${PATH}/lilyterm
+blacklist ${PATH}/pantheon-terminal
+blacklist ${PATH}/roxterm
+blacklist ${PATH}/roxterm-config
+blacklist ${PATH}/terminix
+blacklist ${PATH}/urxvtc
+blacklist ${PATH}/urxvtcd
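Review bot: `read-only ${HOME}/.profile` is listed twice (under "General startup files" and again at the end of "Shell startup files"), and `read-only ${HOME}/.xinitrc` follows an earlier `blacklist ${HOME}/.xinitrc`, which presumably already makes the file unreachable; drop the duplicates. The "top secret" section covers `${HOME}/.gnome2/keyrings` but not the GNOME 3 keyring location; consider adding `blacklist ${HOME}/.local/share/keyrings` next to it. `${HOME}/.iscreenrc` looks like it may be meant to be GNU screen's `${HOME}/.screenrc`, which is otherwise absent from the list of files that allow arbitrary command execution — verify against the intended tool. The `# system directories` comment carries a trailing tab.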

+ 63 - 0
disable-devel.inc

@@ -0,0 +1,63 @@
+# development tools
+
+# GCC
+blacklist /usr/include
+blacklist /usr/lib/gcc
+blacklist /usr/bin/gcc*
+blacklist /usr/bin/cpp*
+blacklist /usr/bin/c9*
+blacklist /usr/bin/c8*
+blacklist /usr/bin/c++*
+blacklist /usr/bin/as
+blacklist /usr/bin/ld
+blacklist /usr/bin/gdb
+blacklist /usr/bin/g++*
+blacklist /usr/bin/x86_64-linux-gnu-g++*
+blacklist /usr/bin/x86_64-linux-gnu-gcc*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-g++*
+blacklist /usr/bin/x86_64-unknown-linux-gnu-gcc*
+
+# clang/llvm
+blacklist /usr/bin/clang*
+blacklist /usr/bin/llvm*
+blacklist /usb/bin/lldb*
+blacklist /usr/lib/llvm*
+
+# tcc - Tiny C Compiler
+blacklist /usr/bin/tcc
+blacklist /usr/bin/x86_64-tcc
+blacklist /usr/lib/tcc
+
+# Valgrind
+blacklist /usr/bin/valgrind*
+blacklist /usr/lib/valgrind
+
+# Perl
+blacklist /usr/bin/perl
+blacklist /usr/bin/cpan*
+blacklist /usr/share/perl*
+blacklist /usr/lib/perl*
+
+# PHP
+blacklist /usr/bin/php*
+blacklist /usr/share/php*
+blacklist /usr/lib/php*
+
+# Ruby
+blacklist /usr/bin/ruby
+blacklist /usr/lib/ruby
+
+# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice
+# Python 2
+#blacklist /usr/bin/python2*
+#blacklist /usr/lib/python2*
+#blacklist /usr/local/lib/python2*
+#blacklist /usr/include/python2*
+#blacklist /usr/share/python2*
+#
+# Python 3
+#blacklist /usr/bin/python3*
+#blacklist /usr/lib/python3*
+#blacklist /usr/local/lib/python3*
+#blacklist /usr/share/python3*
+#blacklist /usr/include/python3*
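Review bot: `blacklist /usb/bin/lldb*` in the clang/llvm section has a typo in the path (`/usb/` for `/usr/`), so lldb stays reachable in every sandbox that includes this file while gdb is blocked; change it to `blacklist /usr/bin/lldb*`. The Python entries are commented out with a note on which programs depend on the interpreter; a similar note on why perl, php and ruby are blocked outright would help a reader decide whether this file is safe to include in a given profile.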

+ 7 - 0
disable-passwdmgr.inc

@@ -0,0 +1,7 @@
+blacklist ${HOME}/.pki/nssdb
+blacklist ${HOME}/.lastpass
+blacklist ${HOME}/.keepassx
+blacklist ${HOME}/.password-store
+blacklist ${HOME}/keepassx.kdbx
+blacklist ${HOME}/.config/keepassx
+
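Review bot: The file has no header comment, unlike the other .inc files; a one-line `# password managers and key stores` at the top would say what it collects and that `${HOME}/.pki/nssdb` (the NSS certificate/key database, not a password manager) is here on purpose. `blacklist ${HOME}/keepassx.kdbx` is already covered by `blacklist ${HOME}/*.kdbx` in disable-common.inc for any profile that includes both, so it only matters for a profile that includes this file alone — either note that or drop it. The file also ends with a blank line the other .inc files do not have.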

+ 140 - 0
disable-programs.inc

@@ -0,0 +1,140 @@
+# various programs
+blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
+blacklist ${HOME}/.FBReader
+blacklist ${HOME}/.wine
+blacklist ${HOME}/.Mathematica
+blacklist ${HOME}/.Wolfram Research
+blacklist ${HOME}/.stellarium
+blacklist ${HOME}/.config/Atom
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
+blacklist ${HOME}/.config/Gpredict
+blacklist ${HOME}/.config/aweather
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+
+# Media players
+blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/deadbeef
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
+blacklist ${HOME}/.config/google-chrome
+blacklist ${HOME}/.config/google-chrome-beta
+blacklist ${HOME}/.config/google-chrome-unstable
+blacklist ${HOME}/.config/opera
+blacklist ${HOME}/.config/opera-beta
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
+blacklist ${HOME}/.config/qutebrowser
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/inox
+
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
+blacklist ${HOME}/.config/skypeforlinux
+blacklist ${HOME}/.config/tox
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.config/gajim
+
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
+blacklist ${HOME}/.config/wesnoth
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
+blacklist ${HOME}/.dosbox
+
+# Cryptocoins
+blacklist ${HOME}/.*coin
+blacklist ${HOME}/.electrum*
+blacklist ${HOME}/wallet.dat
+
+# git, subversion
+blacklist ${HOME}/.subversion
+blacklist ${HOME}/.gitconfig
+blacklist ${HOME}/.git-credential-cache
+
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+
+# share
+blacklist ${HOME}/.local/share/epiphany
+blacklist ${HOME}/.local/share/mupen64plus
+blacklist ${HOME}/.local/share/spotify
+blacklist ${HOME}/.local/share/steam
+blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
+blacklist ${HOME}/.local/share/xplayer
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/gnome-chess
+
+# ssh
+blacklist /tmp/ssh-*
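Review bot: `${HOME}/.git-credential-cache` and `/tmp/ssh-*` (where the ssh-agent socket lives) are credential material rather than program state, yet they sit here while `${HOME}/.ssh` and `${HOME}/.netrc` are in the "top secret" section of disable-common.inc; a profile that includes only disable-common.inc would leave the agent socket and cached git credentials reachable. Consider moving those two lines to disable-common.inc, or at least adding a comment here naming the dependency. `blacklist ${HOME}/.Wolfram Research` contains a space; if the profile parser takes the remainder of the line as the path this is fine, but a short comment would stop it from being read as a malformed entry.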

+ 30 - 0
firefox.profile

@@ -0,0 +1,30 @@
+# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
+noblacklist ~/.mozilla
+noblacklist ~/.cache/mozilla
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+netfilter
+nonewprivs
+noroot
+protocol unix,inet,inet6,netlink
+seccomp
+tracelog
+
+whitelist ${DOWNLOADS}
+mkdir ~/MozInbox
+whitelist ~/MozInbox
+mkdir ~/.mozilla
+whitelist ~/.mozilla
+mkdir ~/.cache/mozilla/firefox
+whitelist ~/.cache/mozilla/firefox
+whitelist ~/dwhelper
+whitelist ~/.pki
+
+include /etc/firejail/whitelist-common.inc
+
+# experimental features
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
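Review bot: `whitelist ~/.pki` gives the browser write access to the user's NSS certificate and key database (`.pki/nssdb`, the very path disable-passwdmgr.inc blacklists); if this is for client certificates, a comment saying so would stop a later edit from adding `include /etc/firejail/disable-passwdmgr.inc` and silently breaking it, or from dropping the whitelist. `whitelist ~/dwhelper` and `whitelist ~/.pki` have no preceding `mkdir` while the other whitelists do; if that is because these should only be exposed when already present, say so. The file also mixes `~/` with the `${HOME}` form used by the .inc files — pick one.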

+ 78 - 0
firejail.config

@@ -0,0 +1,78 @@
+# This is Firejail system-wide configuration file, see firejail-config(5) for
+# more information. The file contains keyword-argument pairs, one per line.
+# Most features are enabled by default. Use 'yes' or 'no' as configuration
+# values.
+
+# Enable or disable bind support, default enabled.
+# bind yes
+
+# Enable or disable chroot support, default enabled.
+# chroot yes
+
+# Use chroot for desktop programs, default enabled. The sandbox will have full
+# access to system's /dev directory in order to allow video acceleration,
+# and it will harden the rest of the chroot tree.
+# chroot-desktop yes
+
+# Enable or disable file transfer support, default enabled.
+# file-transfer yes
+
+# Force use of nonewprivs.  This mitigates the possibility of
+# a user abusing firejail's features to trick a privileged (suid
+# or file capabilities) process into loading code or configuration
+# that is partially under their control.  Default disabled.
+# force-nonewprivs no
+
+# Enable or disable networking features, default enabled.
+# network yes
+
+# Enable or disable overlayfs features, default enabled.
+# overlayfs yes
+
+# Enable or disable private-home feature, default enabled
+# private-home yes
+
+# Enable --quiet as default every time the sandbox is started. Default disabled.
+# quiet-by-default no
+
+# Remount /proc and /sys inside the sandbox, default enabled.
+# remount-proc-sys yes
+
+# Enable or disable restricted network support, default disabled. If enabled,
+# networking features should also be enabled (network yes).
+# Restricted networking grants access to --interface, --net=ethXXX and
+# --netfilter only to root user. Regular users are only allowed --net=none.
+# restricted-network no
+
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
+# Enable or disable seccomp support, default enabled.
+# seccomp yes
+
+# Enable or disable user namespace support, default enabled.
+# userns yes
+
+# Enable or disable whitelisting support, default enabled.
+# whitelist yes
+
+# Enable or disable X11 sandboxing support, default enabled.
+# x11 yes
+
+# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
+# a full list of resolutions available on your specific setup.
+# xephyr-screen 640x480
+# xephyr-screen 800x600
+# xephyr-screen 1024x768
+# xephyr-screen 1280x1024
+
+# Firejail window title in Xephyr, default enabled.
+# xephyr-window-title yes
+
+# Xephyr command extra parameters. None by default, and the declaration is commented out.
+# xephyr-extra-params -keybd ephyr,,,xkbmodel=evdev
+# xephyr-extra-params -grayscale

+ 14 - 0
login.users

@@ -0,0 +1,14 @@
+# /etc/firejail/login.users - restricted user shell configuration
+#
+# Each user entry consists of a user name and firejail
+# program arguments:
+#
+#       user name: arguments
+#
+# For example:
+#
+#       netblue:--net=none --protocol=unix
+#
+# The extra arguments are inserted into program command line if firejail
+# was started as a login shell.
+

+ 18 - 0
sxiv.profile

@@ -0,0 +1,18 @@
+# sxiv image viewer profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+
+shell none
+private-bin sxiv
+whitelist /tmp/.X11-unix
+private-dev
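Review bot: Nothing in the profile disables networking: `protocol unix` limits the socket families the program may create, but an image viewer has no reason to reach the network at all, so adding `net none` after `caps.drop all` would be a cheaper and stronger guarantee; the same applies to zathura.profile, whose body is identical. A short comment above `whitelist /tmp/.X11-unix` noting that it exists to keep the X socket reachable would help readers who expect `private-tmp` there instead.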

+ 31 - 0
whitelist-common.inc

@@ -0,0 +1,31 @@
+# common whitelist for all profiles
+
+whitelist ~/.XCompose
+whitelist ~/.config/mimeapps.list
+whitelist ~/.icons
+whitelist ~/.config/user-dirs.dirs
+read-only ~/.config/user-dirs.dirs
+whitelist ~/.asoundrc
+whitelist ~/.config/Trolltech.conf
+
+# fonts
+whitelist ~/.fonts
+whitelist ~/.fonts.d
+whitelist ~/.fontconfig
+whitelist ~/.fonts.conf
+whitelist ~/.fonts.conf.d
+whitelist ~/.config/fontconfig
+whitelist ~/.cache/fontconfig
+
+# gtk
+whitelist ~/.gtkrc
+whitelist ~/.gtkrc-2.0
+whitelist ~/.config/gtk-2.0
+whitelist ~/.config/gtk-3.0
+whitelist ~/.themes
+whitelist ~/.kde/share/config/gtkrc
+whitelist ~/.kde/share/config/gtkrc-2.0
+
+# dconf
+mkdir ~/.config/dconf
+whitelist ~/.config/dconf
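Review bot: `~/.gtkrc`, `~/.gtkrc-2.0`, `~/.config/gtk-2.0` and `~/.config/gtk-3.0` are whitelisted writable, so a sandboxed application can alter startup configuration that every GTK program on the account later reads; the file already pairs `whitelist ~/.config/user-dirs.dirs` with `read-only ~/.config/user-dirs.dirs`, and the same `read-only` treatment for the gtk entries seems appropriate unless some program genuinely needs to write them. A comment on why `~/.config/dconf` is the one entry preceded by `mkdir` — presumably so the whitelist does not fail when the directory does not exist yet — would make the exception self-explanatory.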

+ 18 - 0
zathura.profile

@@ -0,0 +1,18 @@
+# evince pdf reader profile
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+
+caps.drop all
+nonewprivs
+nogroups
+noroot
+nosound
+protocol unix
+seccomp
+
+shell none
+private-bin zathura
+whitelist /tmp/.X11-unix
+private-dev
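Review bot: The header comment `# evince pdf reader profile` does not match the file (zathura.profile, `private-bin zathura`); change it to `# zathura pdf reader profile`. Apart from that comment and the `private-bin` line the body duplicates sxiv.profile line for line, which suggests the shared hardening (caps.drop, nonewprivs, nogroups, noroot, nosound, protocol unix, seccomp, shell none, private-dev) could live in a common include so the two profiles cannot drift apart.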