├── .gitignores ├── README.mdwn ├── chromium.json ├── chronion.json ├── coyim-whitelist.seccomp ├── coyim.json ├── electrum-whitelist.seccomp ├── electrum.json ├── eog-whitelist.seccomp ├── eog.json ├── evince-blacklist.seccomp ├── evince-whitelist.seccomp ├── evince.json ├── firefox.json ├── futex-consts-x64.seccomp ├── gajim.json ├── generic-blacklist.seccomp ├── google-chrome.json ├── hexchat-whitelist.seccomp ├── hexchat.json ├── libreoffice-whitelist.seccomp ├── libreoffice.json ├── liferea.json ├── mpv-whitelist.seccomp ├── mpv.json ├── onioncircuits.json ├── onionshare-gui-whitelist.seccomp ├── onionshare-gui.json ├── pidgin-whitelist.seccomp ├── pidgin.json ├── pond.json ├── ricochet-whitelist.seccomp ├── ricochet.json ├── shotwell.json ├── thunderbird-whitelist.seccomp ├── thunderbird.json ├── torbrowser-launcher-whitelist.seccomp ├── torbrowser-launcher.json ├── vlc-whitelist.seccomp └── vlc.json /.gitignores: -------------------------------------------------------------------------------- 1 | *~ 2 | -------------------------------------------------------------------------------- /README.mdwn: -------------------------------------------------------------------------------- 1 | # Subgraph OZ Profiles 2 | 3 | This repository contains a curated set of OZ profiles for [Subgraph OS](https://subgraph.com/sgos/). 
4 | 5 | ## Building 6 | 7 | 8 | ``` 9 | # To build the Debian package: 10 | git clone -b debian https://github.com/subgraph/subgraph-oz-profiles.git 11 | cd subgraph-oz-profiles 12 | # To build from stable 13 | gbp buildpackage -us -uc 14 | # To build the latest tag 15 | gbp buildpackage -us -uc --git-upstream-tree=master 16 | ``` 17 | -------------------------------------------------------------------------------- /chromium.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "chromium" 3 | , "path": "/usr/bin/chromium" 4 | , "reject_user_args": true 5 | , "default_params": [ 6 | "--disable-background-mode" 7 | , "--disable-device-discovery" 8 | , "--disable-gpu" 9 | , "--incognito" 10 | , "file:///usr/share/sgos/landing/clearnet.html" 11 | ] 12 | , "xserver": { 13 | "enabled": true 14 | , "audio_mode": "pulseaudio" 15 | , "tray_icon":"/usr/share/icons/hicolor/256x256/apps/chromium.png" 16 | , "notifications": true 17 | } 18 | , "networking":{ 19 | "type": "bridge" 20 | , "bridge": "clear" 21 | } 22 | , "whitelist": [ 23 | {"path": "/etc/chromium.d/", "read_only": true, "ignore": true} 24 | 25 | , {"path": "/var/run/NetworkManager/", "target": "/run/resolvconf/", "force": true} 26 | , {"path": "/usr/lib/chromium/chrome-sandbox", "allow_suid": true, "force": true} 27 | 28 | , {"path": "${HOME}/.config/chromium", "can_create": true} 29 | ] 30 | , "shared_folders": [ 31 | "${XDG_DOWNLOAD_DIR}" 32 | ] 33 | , "blacklist": [ 34 | {"path":"/run/resolvconf/private-dhcp"} 35 | ,{"path":"/run/resolvconf/devices"} 36 | 37 | ] 38 | , "environment": [ 39 | ] 40 | , "seccomp": { 41 | "mode":"disabled" 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /chronion.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "chronion" 3 | , "path": "/usr/bin/chronion" 4 | , "reject_user_args": true 5 | , "default_params": [ 6 | 
"file:///usr/share/sgos/landing/chronion.html" 7 | ] 8 | , "xserver": { 9 | "enabled": true 10 | , "audio_mode": "pulseaudio" 11 | , "tray_icon":"/usr/share/icons/hicolor/256x256/apps/chronion.png" 12 | , "notifications": true 13 | } 14 | , "networking":{ 15 | "type":"empty" 16 | , "sockets": [ 17 | {"type":"client", "proto":"tcp", "port":9050} 18 | ] 19 | } 20 | , "whitelist": [ 21 | {"path": "/etc/chromium.d/", "read_only": true, "ignore": true} 22 | , {"path": "/usr/share/chronion/default-flags", "target": "/etc/chromium.d/default-flags", "read_only": true, "force": true} 23 | , {"path": "/usr/share/chronion/master_preferences", "target": "/usr/share/chromium/master_preferences", "read_only": true, "force": true} 24 | , {"path": "/usr/lib/chromium/chrome-sandbox", "allow_suid": true, "force": true} 25 | , {"path": "/var/lib/dpkg/status", "read_only": true} 26 | , {"path": "/var/lib/dpkg/updates/", "read_only": true} 27 | , {"path": "/var/lib/dpkg/diversions", "read_only": true} 28 | 29 | , {"path": "${HOME}/.config/chronion", "target": "${HOME}/.config/chromium", "can_create": true} 30 | ] 31 | , "shared_folders": [ 32 | "${XDG_DOWNLOAD_DIR}" 33 | ] 34 | , "blacklist": [ 35 | ] 36 | , "environment": [ 37 | ] 38 | , "seccomp": { 39 | "mode":"disabled" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /coyim-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TCGETS=0x5401 2 | 3 | mincore:1 4 | recvmsg:1 5 | poll:1 6 | select:1 7 | futex: arg1 == 129 || arg1 == 0 || arg1 == 1 || arg1 == 128 8 | writev:1 9 | read:1 10 | write:1 11 | stat:1 12 | mmap:1 13 | open:1 14 | close:1 15 | access:1 16 | mprotect:1 17 | epoll_wait:1 18 | fstat:1 19 | rt_sigaction:1 20 | getcwd:1 21 | sched_yield:1 22 | fstatfs:1 23 | getrandom:1 24 | munmap:1 25 | brk:1 26 | rt_sigprocmask:1 27 | sendmsg:1 28 | sigaltstack:1 29 | set_robust_list:1 30 | clone:1 31 | fcntl: arg1 == F_GETFL || 
arg1 == F_SETFL || arg1 == F_SETFD || arg1 == F_GETFD 32 | fadvise64: 1 33 | socket: arg0 == AF_INET || arg0 == AF_INET6 || arg0 == AF_UNIX 34 | uname:1 35 | clock_gettime:1 36 | gettimeofday:1 37 | tkill: 1 38 | nanosleep: 1 39 | tgkill: 1 40 | getpid: 1 41 | lstat: 1 42 | execve:1 43 | getuid:1 44 | prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_PDEATHSIG 45 | getdents:1 46 | bind:1 47 | pwrite64:1 48 | unlink:1 49 | sysinfo:1 50 | rename:1 51 | getrlimit:1 52 | epoll_create1:1 53 | exit_group:1 54 | mremap:1 55 | shmat:1 56 | shmdt:1 57 | listen:1 58 | epoll_ctl:1 59 | getsockopt:1 60 | restart_syscall:1 61 | set_tid_address:1 62 | ioctl: arg1 == TCGETS 63 | pipe2:1 64 | eventfd2:1 65 | setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_BROADCAST || arg2 == SO_DEBUG || arg2 == SO_ATTACH_FILTER)) || (arg1 == IPPROTO_TCP && arg2 == TCP_NODELAY) || (arg1 == SOL_IPV6 && arg2 == IPV6_V6ONLY) 66 | pipe:1 67 | shmget:1 68 | rt_sigreturn:1 69 | statfs:1 70 | sched_getaffinity:1 71 | getresgid:1 72 | inotify_init1:1 73 | link:1 74 | socketpair:1 75 | setrlimit:1 76 | chmod:1 77 | unlinkat:1 78 | shutdown:1 79 | shmctl:1 80 | renameat:1 81 | arch_prctl:1 82 | newfstatat:1 83 | lseek:1 84 | inotify_add_watch:1 85 | inotify_rm_watch:1 86 | kill:1 87 | getpeername:1 88 | getsockname:1 89 | geteuid:1 90 | capget:1 91 | madvise:1 92 | gettid:1 93 | getresuid:1 94 | connect:1 95 | recvfrom:1 96 | chdir:1 97 | setsid:1 98 | accept4:1 99 | getrusage:1 100 | dup2:1 101 | wait4:1 102 | getegid:1 103 | openat:1 104 | clock_getres:1 105 | mkdir:1 106 | sendto:1 107 | exit:1 108 | fallocate:1 109 | fsync:1 110 | getgid:1 111 | mkdirat:1 112 | readlink:1 113 | -------------------------------------------------------------------------------- /coyim.json: -------------------------------------------------------------------------------- 1 | { 2 | "path": "/usr/bin/coyim" 3 | , "xserver": { 4 | "enabled": true 5 | , "tray_icon":"/usr/share/icons/Faenza-Darker/actions/scalable/im-message-new.svg" 6 
| , "enable_tray": false 7 | , "enable_notifications": true 8 | } 9 | , "networking":{ 10 | "type":"empty" 11 | , "sockets": [ 12 | {"type":"client", "proto":"tcp", "port":9050} 13 | ] 14 | } 15 | , "whitelist": [ 16 | {"path":"${HOME}/.config/coyim", "can_create": true} 17 | , {"path":"/var/lib/oz/cells.d/coyim-whitelist.seccomp", "read_only": true} 18 | , {"path": "${HOME}/.config/coyim/dconf", "target": "${HOME}/.config/dconf", "read_only": false, "can_create": true} 19 | ] 20 | , "blacklist": [ 21 | ] 22 | , "environment": [ 23 | ] 24 | , "seccomp": { 25 | "mode":"whitelist" 26 | , "whitelist":"/var/lib/oz/cells.d/coyim-whitelist.seccomp" 27 | , "enforce": true 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /electrum-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TCGETS=0x5401 2 | FIONREAD=0x541B 3 | 4 | FUTEX_WAIT=0 5 | FUTEX_WAKE=1 6 | FUTEX_FD=2 7 | FUTEX_REQUEUE=3 8 | FUTEX_CMP_REQUEUE=4 9 | FUTEX_WAKE_OP=5 10 | FUTEX_LOCK_PI=6 11 | FUTEX_UNLOCK_PI=7 12 | FUTEX_TRYLOCK_PI=8 13 | FUTEX_WAIT_BITSET=9 14 | FUTEX_WAKE_BITSET=10 15 | FUTEX_WAIT_REQUEUE_PI=11 16 | FUTEX_CMP_REQUEUE_PI=12 17 | 18 | FUTEX_PRIVATE_FLAG=128 19 | FUTEX_CLOCK_REALTIME=256 20 | FUTEX_CMD_MASK=~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME) 21 | 22 | FUTEX_WAIT_PRIVATE=(FUTEX_WAIT | FUTEX_PRIVATE_FLAG) 23 | FUTEX_WAKE_PRIVATE=(FUTEX_WAKE | FUTEX_PRIVATE_FLAG) 24 | FUTEX_REQUEUE_PRIVATE=(FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG) 25 | FUTEX_CMP_REQUEUE_PRIVATE=(FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG) 26 | FUTEX_WAKE_OP_PRIVATE=(FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG) 27 | FUTEX_LOCK_PI_PRIVATE=(FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG) 28 | FUTEX_UNLOCK_PI_PRIVATE=(FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG) 29 | FUTEX_TRYLOCK_PI_PRIVATE=(FUTEX_TRYLOCK_PI | FUTEX_PRIVATE_FLAG) 30 | FUTEX_WAIT_BITSET_PRIVATE=(FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG) 31 | FUTEX_WAKE_BITSET_PRIVATE=(FUTEX_WAKE_BITSET | 
FUTEX_PRIVATE_FLAG)
32 | FUTEX_WAIT_REQUEUE_PI_PRIVATE=(FUTEX_WAIT_REQUEUE_PI | FUTEX_PRIVATE_FLAG)
33 | FUTEX_CMP_REQUEUE_PI_PRIVATE=(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG)
34 |
# Syscall rules for electrum start here.
# NOTE(review): electrum.json on this page sets seccomp mode "blacklist" and names no
# whitelist path, so this file may not be the policy actually enforced for electrum — confirm.
35 | open:1
36 | read:1
37 | fstat:1
38 | stat:1
39 | recvmsg:1
40 | select:1
41 | mprotect:1
42 | poll:1
43 | lseek:1
44 | close:1
# Futex ops are command numbers, not independent bit flags. With the constants defined above,
# FUTEX_WAKE|FUTEX_TRYLOCK_PI|FUTEX_WAIT_BITSET is 1|8|9 = 9, so the second term evaluates to
# 9|128|256 = 393, i.e. FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME; the first term is
# 1|128 = 129, the value of FUTEX_WAKE_PRIVATE.
# NOTE(review): this relies on the policy parser binding `|` tighter than `==` — confirm, or use
# the *_PRIVATE names as the remaining terms do.
45 | futex: (arg1 == FUTEX_WAKE|FUTEX_PRIVATE_FLAG) || (arg1 == FUTEX_WAKE|FUTEX_TRYLOCK_PI|FUTEX_WAIT_BITSET|FUTEX_PRIVATE_FLAG|FUTEX_CLOCK_REALTIME) || (arg1 == FUTEX_WAIT_PRIVATE) || (arg1 == FUTEX_CMP_REQUEUE_PRIVATE) || (arg1 == FUTEX_WAKE_OP_PRIVATE)
46 | writev:1
47 | mmap:1
48 | access:1
49 | lstat:1
50 | write:1
# ioctl is limited to the two request codes defined at the top of this file (TCGETS, FIONREAD).
51 | ioctl: (arg1 == TCGETS) || (arg1 == FIONREAD)
52 | fcntl: (arg1 == F_DUPFD) || (arg1 == F_GETFD) || (arg1 == F_SETFD) || (arg1 == F_GETFL) || (arg1 == F_SETFL) || (arg1 == F_SETLKW)
53 | brk:1
# socket is filtered on family, type and protocol together: AF_UNIX, AF_INET and AF_INET6
# stream/datagram combinations plus one AF_NETLINK raw socket with protocol IPPROTO_IP.
# `&?` is presumably a bit test on arg1 (type may carry extra SOCK_* flag bits) — confirm
# against the policy parser.
54 | socket: (arg0 == AF_UNIX && arg1 &? SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET && arg1 &? SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET && arg1 &? SOCK_STREAM && arg2 == IPPROTO_TCP) || (arg0 == AF_INET && arg1 &? SOCK_DGRAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET6 && arg1 &? SOCK_DGRAM && arg2 == IPPROTO_IP) || (arg0 == AF_NETLINK && arg1 == SOCK_RAW && arg2 == IPPROTO_IP) || (arg0 == AF_INET6 && arg1 &?
SOCK_STREAM && arg2 == IPPROTO_IP) 55 | munmap:1 56 | connect:1 57 | sendto:1 58 | recvfrom:1 59 | rt_sigaction:1 60 | getdents:1 61 | fstatfs:1 62 | uname:1 63 | sendmmsg:1 64 | unlink:1 65 | set_robust_list:1 66 | clone:1 67 | getsockname:1 68 | getpeername:1 69 | setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_KEEPALIVE)) 70 | getsockopt:1 71 | madvise:1 72 | exit:1 73 | sendmsg:1 74 | link:1 75 | bind:1 76 | fadvise64:1 77 | readlink:1 78 | statfs:1 79 | geteuid:1 80 | shmctl:1 81 | dup:1 82 | dup2:1 83 | shmget:1 84 | getrandom:1 85 | shutdown:1 86 | arch_prctl:1 87 | setrlimit:1 88 | exit_group:1 89 | shmat:1 90 | restart_syscall:1 91 | shmdt:1 92 | rename:1 93 | rt_sigprocmask:1 94 | eventfd2:1 95 | wait4:1 96 | getuid:1 97 | getresgid:1 98 | getresuid:1 99 | pipe2:1 100 | fsync:1 101 | sched_yield:1 102 | getrlimit:1 103 | inotify_init1:1 104 | inotify_rm_watch:1 105 | sched_get_priority_min:1 106 | sched_get_priority_max:1 107 | sched_setscheduler:1 108 | mremap:1 109 | chmod:1 110 | getgid:1 111 | ftruncate:1 112 | clock_getres:1 113 | getegid:1 114 | pipe:1 115 | set_tid_address:1 116 | sysinfo:1 117 | prctl: arg0 == PR_SET_NAME 118 | getcwd:1 119 | listen:1 120 | mkdir:1 121 | getpid:1 122 | getppid:1 123 | getrusage:1 124 | execve:1 125 | vfork:1 126 | clock_gettime: 1 127 | gettimeofday: 1 128 | -------------------------------------------------------------------------------- /electrum.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "electrum" 3 | , "path": "/usr/bin/electrum" 4 | , "xserver": { 5 | "enabled": true 6 | , "enable_tray": false 7 | , "tray_icon":"/usr/share/pixmaps/electrum.png" 8 | , "enable_notifications": true 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | , "sockets": [ 13 | {"type":"client", "proto":"tcp", "port":9050} 14 | ] 15 | } 16 | , "whitelist": [ 17 | {"path":"${HOME}/.electrum", "can_create":true} 18 | ] 19 | , "blacklist": [ 20 | ] 21 | , 
"environment": [ 22 | ] 23 | , "seccomp": { 24 | "mode":"blacklist" 25 | ,"enforce":true 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /eog-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TCGETS=0x5401 2 | 3 | recvmsg: 1 4 | poll: 1 5 | writev: 1 6 | futex: arg1 == 129 || arg1 == 128 7 | read: 1 8 | write: 1 9 | stat: 1 10 | open: 1 11 | close: 1 12 | fstat: 1 13 | mmap: 1 14 | access: 1 15 | mprotect: 1 16 | sendmsg: 1 17 | lstat: 1 18 | munmap: 1 19 | lseek: 1 20 | brk: 1 21 | getdents: 1 22 | fstatfs: 1 23 | eventfd2: 1 24 | sendto: 1 25 | recvfrom: 1 26 | fcntl: arg1 == F_GETFL || arg1 == F_SETFL || arg1 == F_SETFD || arg1 == F_GETFD 27 | getuid: 1 28 | uname: 1 29 | statfs: 1 30 | shmctl: 1 31 | shmat: 1 32 | shmget: 1 33 | geteuid: 1 34 | getegid: 1 35 | shmdt: 1 36 | set_robust_list: 1 37 | fadvise64: 1 38 | inotify_add_watch: 1 39 | chmod: 1 40 | ioctl: arg1 == 1074041865 || arg1 == TCGETS 41 | restart_syscall:1 42 | arch_prctl: 1 43 | bind: 1 44 | chdir: 1 45 | clock_getres: 1 46 | clone: 1 47 | connect: 1 48 | dup: 1 49 | dup2: 1 50 | execve: 1 51 | exit: 1 52 | exit_group: 1 53 | fallocate: 1 54 | setrlimit: 1 55 | flistxattr: 1 56 | fsync: 1 57 | getcwd: 1 58 | getpeername: 1 59 | getpid: 1 60 | getresgid: 1 61 | getresuid: 1 62 | getrlimit: 1 63 | getrusage: 1 64 | getsockname: 1 65 | getxattr: 1 66 | inotify_init1: 1 67 | inotify_rm_watch: 1 68 | lchown: 1 69 | lgetxattr: 1 70 | link: 1 71 | listxattr: 1 72 | madvise: 1 73 | mincore: 1 74 | mkdir: 1 75 | mremap: 1 76 | openat: 1 77 | sysinfo:1 78 | pipe: 1 79 | pipe2: 1 80 | prctl: 1 81 | pread64: 1 82 | pwrite64: 1 83 | epoll_create1: 1 84 | getsockopt: 1 85 | epoll_wait: 1 86 | epoll_ctl: 1 87 | kill: 1 88 | socketpair: 1 89 | setsid: 1 90 | capget: 1 91 | listen: 1 92 | newfstatat: 1 93 | accept4: 1 94 | readlink: 1 95 | rename: 1 96 | rmdir: 1 97 | rt_sigaction: 1 98 | rt_sigprocmask: 1 99 
| sched_getaffinity: 1 100 | select: 1 101 | setsockopt: 1 102 | set_tid_address: 1 103 | shutdown: 1 104 | sigaltstack: 1 105 | socket: arg0 == AF_UNIX 106 | splice: 1 107 | tgkill: 1 108 | unlink: 1 109 | utimes: 1 110 | wait4: 1 111 | #Print to file 112 | fchmod:1 113 | getrandom:1 114 | clock_gettime: 1 115 | gettimeofday: 1 116 | -------------------------------------------------------------------------------- /eog.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "eog" 3 | , "path": "/usr/bin/eog" 4 | , "allow_files": true 5 | , "xserver": { 6 | "enabled": true 7 | , "enable_tray": false 8 | , "tray_icon":"/usr/share/icons/hicolor/scalable/apps/eog.svg" 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | } 13 | , "whitelist": [ 14 | {"path":"/var/lib/oz/cells.d/eog-whitelist.seccomp", "read_only": true} 15 | ] 16 | , "blacklist": [ 17 | ] 18 | , "environment": [ 19 | {"name":"GTK_THEME", "value":"Adwaita:dark"} 20 | , {"name":"GTK2_RC_FILES", "value":"/usr/share/themes/Darklooks/gtk-2.0/gtkrc"} 21 | ] 22 | , "seccomp": { 23 | "mode":"whitelist" 24 | , "enforce": true 25 | , "whitelist":"/var/lib/oz/cells.d/eog-whitelist.seccomp" 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /evince-blacklist.seccomp: -------------------------------------------------------------------------------- 1 | acct: 1 2 | add_key: 1 3 | delete_module: 1 4 | finit_module: 1 5 | get_mempolicy: 1 6 | get_robust_list: 1 7 | init_module: 1 8 | io_cancel: 1 9 | io_destroy: 1 10 | io_getevents: 1 11 | ioperm: 1 12 | iopl: 1 13 | io_setup: 1 14 | kexec_load: 1 15 | keyctl: 1 16 | mbind: 1 17 | migrate_pages: 1 18 | modify_ldt: 1 19 | mount: 1 20 | move_pages: 1 21 | open_by_handle_at: 1 22 | perf_event_open: 1 23 | personality: 1 24 | pivot_root: 1 25 | ptrace: 1 26 | quotactl: 1 27 | remap_file_pages: 1 28 | request_key: 1 29 | set_mempolicy: 1 30 | #set_robust_list: 1 31 | 
set_thread_area: 1
32 | swapoff: 1
33 | swapon: 1
34 | syslog: 1
35 | umount2: 1
36 | unshare: 1
37 | uselib: 1
38 | vmsplice: 1
39 |
--------------------------------------------------------------------------------
/evince-whitelist.seccomp:
--------------------------------------------------------------------------------
# Syscall whitelist that evince.json on this page selects (seccomp mode "whitelist",
# enforce true, whitelist path /var/lib/oz/cells.d/evince-whitelist.seccomp).
1 | recvmsg: 1
2 | poll: 1
# futex ops by number, using the values in futex-consts-x64.seccomp on this page:
# 129 = FUTEX_WAKE_PRIVATE, 128 = FUTEX_WAIT_PRIVATE, 1 = FUTEX_WAKE, 0 = FUTEX_WAIT.
3 | futex: arg1 == 129 || arg1 == 128 || arg1 == 1 || arg1 == 0
4 | read: 1
5 | writev: 1
6 | write: 1
7 | pread64: 1
8 | stat: 1
9 | lstat: 1
10 | mprotect: 1
11 | mincore: 1
12 | open: 1
13 | close: 1
14 | mmap: 1
15 | fstat: 1
16 | access: 1
17 | sendmsg: 1
18 | rt_sigaction: 1
19 | munmap: 1
20 | eventfd2: 1
21 | lseek: 1
22 | brk: 1
23 | select: 1
24 | fstatfs: 1
25 | nanosleep:1
26 | getdents: 1
# fcntl is limited to reading and setting descriptor and status flags.
27 | fcntl: arg1 == F_GETFL || arg1 == F_SETFL || arg1 == F_SETFD || arg1 == F_GETFD
28 | set_robust_list: 1
29 | clone: 1
30 | recvfrom: 1
31 | sendto: 1
32 | rt_sigprocmask: 1
33 | madvise: 1
34 | exit: 1
# NOTE(review): AF_INET and AF_INET6 are admitted here although evince.json sets networking
# type "empty"; eog-whitelist.seccomp on this page limits socket to AF_UNIX for a comparable
# viewer. Confirm the inet families are needed, otherwise narrow this rule to AF_UNIX.
35 | socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6
36 | fadvise64: 1
37 | geteuid: 1
38 | sigaltstack: 1
39 | statfs: 1
40 | connect: 1
41 | inotify_add_watch: 1
42 | getegid: 1
43 | shmat: 1
44 | shmctl: 1
45 | shmdt: 1
46 | shmget: 1
47 | epoll_wait: 1
48 | gettid: 1
49 | pwrite64: 1
50 | rt_sigreturn: 1
# prctl is restricted by its first argument to PR_SET_NAME and PR_SET_PDEATHSIG.
51 | prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_PDEATHSIG
52 | kill: 1
53 | setsid: 1
54 | listen: 1
55 | capget: 1
56 | accept4: 1
57 | getsockopt: 1
58 | setrlimit: 1
59 | restart_syscall: 1
60 | newfstatat: 1
61 | epoll_ctl: 1
62 | epoll_create1: 1
63 | arch_prctl: 1
64 | bind: 1
65 | chdir: 1
66 | chmod: 1
67 | clock_getres: 1
68 | dup: 1
69 | dup2: 1
70 | execve: 1
71 | exit_group: 1
72 | fallocate: 1
73 | sysinfo:1
74 | flistxattr: 1
75 | fsync: 1
76 | getgid: 1
77 | getrandom: 1
78 | getcwd: 1
79 | getpeername: 1
80 | getpid: 1
81 | getresgid: 1
82 | getresuid: 1
83 | getrlimit: 1
84 | getrusage: 1
85 | getsockname: 1
86 | getuid: 1
87 | getxattr: 1
88 | inotify_init1: 1
89 | inotify_rm_watch:
1 90 | ioctl: 1 91 | lchown: 1 92 | lgetxattr: 1 93 | link: 1 94 | listxattr: 1 95 | mkdir: 1 96 | mremap: 1 97 | openat: 1 98 | pipe: 1 99 | pipe2: 1 100 | readlink: 1 101 | rename: 1 102 | rmdir: 1 103 | sched_getaffinity: 1 104 | setsockopt: 1 105 | set_tid_address: 1 106 | shutdown: 1 107 | socketpair: 1 108 | splice: 1 109 | tgkill: 1 110 | uname: 1 111 | unlink: 1 112 | utimes: 1 113 | wait4: 1 114 | clock_gettime: 1 115 | gettimeofday: 1 116 | -------------------------------------------------------------------------------- /evince.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "evince" 3 | , "path": "/usr/bin/evince" 4 | , "paths": [ 5 | "/usr/bin/evince-thumbnailer" 6 | , "/usr/bin/evince-previewer" 7 | ] 8 | , "allow_files": true 9 | , "xserver": { 10 | "enabled": true 11 | , "enable_tray": false 12 | , "tray_icon":"/usr/share/icons/hicolor/256x256/apps/evince.png" 13 | } 14 | , "networking":{ 15 | "type":"empty" 16 | } 17 | , "whitelist": [ 18 | {"path":"/var/lib/oz/cells.d/evince-whitelist.seccomp", "read_only": true} 19 | , {"path":"/var/lib/oz/cells.d/evince-blacklist.seccomp", "read_only": true} 20 | ] 21 | , "blacklist": [ 22 | ] 23 | , "environment": [ 24 | {"name":"GTK_THEME", "value":"Adwaita:dark"} 25 | , {"name":"GTK2_RC_FILES", "value":"/usr/share/themes/Darklooks/gtk-2.0/gtkrc"} 26 | ] 27 | , "seccomp": { 28 | "mode":"whitelist" 29 | , "enforce": true 30 | , "whitelist":"/var/lib/oz/cells.d/evince-whitelist.seccomp" 31 | , "blacklist":"/var/lib/oz/cells.d/evince-blacklist.seccomp" 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /firefox.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "firefox" 3 | , "path": "/usr/bin/firefox" 4 | , "xserver": { 5 | "enabled": true 6 | , "audio_mode": "pulseaudio" 7 | , "enable_tray": false 8 | , "tray_icon": 
"/usr/share/icons/hicolor/128x128/apps/firefox-esr.png" 9 | } 10 | , "networking": { 11 | "type": "empty" 12 | , "sockets": [ 13 | {"type":"client", "proto":"tcp", "port":9050} 14 | ] 15 | } 16 | , "whitelist": [ 17 | {"path": "/etc/xul-ext/", "read_only": true, "ignore": true} 18 | , {"path": "/etc/firefox-esr", "read_only": true, "ignore": true} 19 | 20 | , {"path": "/var/lib/oz/cells.d/firefox.json", "read_only": true} 21 | 22 | , {"_path": "${HOME}/.cache/mozilla", "can_create": true} 23 | , {"path": "${HOME}/.mozilla", "can_create": true} 24 | ] 25 | , "shared_folders": [ 26 | "${XDG_DOWNLOAD_DIR}" 27 | ] 28 | , "blacklist": [ 29 | ] 30 | , "environment": [ 31 | ] 32 | , "seccomp": { 33 | "mode": "blacklist" 34 | , "enforce": true 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /futex-consts-x64.seccomp: -------------------------------------------------------------------------------- 1 | FUTEX_WAIT=0 2 | FUTEX_WAKE=1 3 | FUTEX_FD=2 4 | FUTEX_REQUEUE=3 5 | FUTEX_CMP_REQUEUE=4 6 | FUTEX_WAKE_OP=5 7 | FUTEX_LOCK_PI=6 8 | FUTEX_UNLOCK_PI=7 9 | FUTEX_TRYLOCK_PI=8 10 | FUTEX_WAIT_BITSET=9 11 | FUTEX_WAKE_BITSET=10 12 | FUTEX_WAIT_REQUEUE_PI=11 13 | FUTEX_CMP_REQUEUE_PI=12 14 | 15 | FUTEX_PRIVATE_FLAG=128 16 | FUTEX_CLOCK_REALTIME=256 17 | FUTEX_CMD_MASK=~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME) 18 | 19 | FUTEX_WAIT_PRIVATE=(FUTEX_WAIT | FUTEX_PRIVATE_FLAG) 20 | FUTEX_WAKE_PRIVATE=(FUTEX_WAKE | FUTEX_PRIVATE_FLAG) 21 | FUTEX_REQUEUE_PRIVATE=(FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG) 22 | FUTEX_CMP_REQUEUE_PRIVATE=(FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG) 23 | FUTEX_WAKE_OP_PRIVATE=(FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG) 24 | FUTEX_LOCK_PI_PRIVATE=(FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG) 25 | FUTEX_UNLOCK_PI_PRIVATE=(FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG) 26 | FUTEX_TRYLOCK_PI_PRIVATE=(FUTEX_TRYLOCK_PI | FUTEX_PRIVATE_FLAG) 27 | FUTEX_WAIT_BITSET_PRIVATE=(FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG) 28 | 
FUTEX_WAKE_BITSET_PRIVATE=(FUTEX_WAKE_BITSET | FUTEX_PRIVATE_FLAG) 29 | FUTEX_WAIT_REQUEUE_PI_PRIVATE=(FUTEX_WAIT_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 30 | FUTEX_CMP_REQUEUE_PI_PRIVATE=(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 31 | 32 | 33 | -------------------------------------------------------------------------------- /gajim.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "gajim" 3 | , "path": "/usr/bin/gajim" 4 | , "paths": [ 5 | "/usr/bin/gajim-history-manager" 6 | , "/usr/bin/gajim-remote" 7 | ] 8 | , "xserver": { 9 | "enabled": true 10 | , "enable_tray": false 11 | , "tray_icon":"/usr/share/icons/gnome-colors-common/scalable/apps/gajim.svg" 12 | , "enable_notifications": true 13 | } 14 | , "networking":{ 15 | "type":"empty" 16 | , "sockets": [ 17 | {"type":"client", "proto":"tcp", "port":9050} 18 | ] 19 | } 20 | , "whitelist": [ 21 | {"path":"/run/user/${UID}/keyring/control"} 22 | , {"path":"${HOME}/.local/share/gajim", "can_create":true} 23 | , {"path":"${HOME}/.cache/gajim", "can_create":true} 24 | , {"path":"${HOME}/.config/gajim", "can_create":true} 25 | , {"path":"${HOME}/.local/share/keyrings", "ignore":true} 26 | ] 27 | , "shared_folders": [ 28 | "${XDG_DOWNLOAD_DIR}" 29 | ] 30 | , "blacklist": [ 31 | ] 32 | , "environment": [ 33 | {"name":"GNOME_KEYRING_SOCKET", "value":"/run/user/1000/keyring/control"} 34 | , {"name":"GNOME_KEYRING_PID", "value":"6"} 35 | ] 36 | , "seccomp": { 37 | "mode":"blacklist" 38 | , "enforce": true 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /generic-blacklist.seccomp: -------------------------------------------------------------------------------- 1 | acct: 1 2 | add_key: 1 3 | delete_module: 1 4 | finit_module: 1 5 | get_mempolicy: 1 6 | init_module: 1 7 | io_cancel: 1 8 | io_destroy: 1 9 | io_getevents: 1 10 | ioperm: 1 11 | iopl: 1 12 | io_setup: 1 13 | kexec_load: 1 14 | keyctl: 1 15 | mbind: 1 16 | 
migrate_pages: 1 17 | modify_ldt: 1 18 | mount: 1 19 | move_pages: 1 20 | open_by_handle_at: 1 21 | perf_event_open: 1 22 | #personality: 1 23 | pivot_root: 1 24 | ptrace: 1 25 | #quotactl: 1 26 | remap_file_pages: 1 27 | request_key: 1 28 | set_mempolicy: 1 29 | get_robust_list: 1 30 | #set_robust_list: 1 31 | set_thread_area: 1 32 | swapoff: 1 33 | swapon: 1 34 | syslog: 1 35 | umount2: 1 36 | unshare: 1 37 | uselib: 1 38 | vmsplice: 1 39 | -------------------------------------------------------------------------------- /google-chrome.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "google-chrome-stable" 3 | , "path": "/usr/bin/google-chrome-stable" 4 | , "reject_user_args": true 5 | , "default_params": [ 6 | "--disable-background-mode" 7 | , "--disable-device-discovery" 8 | , "--disable-gpu" 9 | , "--incognito" 10 | , "file:///var/lib/sgos/news/news.html" 11 | ] 12 | , "xserver": { 13 | "enabled": true 14 | , "audio_mode": "pulseaudio" 15 | , "enable_tray": false 16 | , "tray_icon":"/usr/share/icons/hicolor/256x256/apps/google-chrome.png" 17 | , "notifications": true 18 | } 19 | , "networking":{ 20 | "type":"bridge" 21 | ,"bridge":"clear" 22 | } 23 | , "whitelist": [ 24 | {"path": "/var/lib/sgos/news/", "ignore":true} 25 | , {"path": "/opt/google/chrome/", "read_only": true, "allow_suid": true, "force": true} 26 | , {"path": "${HOME}/.config/google-chrome", "can_create": true} 27 | , {"path": "/var/run/NetworkManager/", "target": "/run/resolvconf/", "force": true} 28 | ] 29 | , "shared_folders": [ 30 | "${XDG_DOWNLOAD_DIR}" 31 | ] 32 | , "blacklist": [ 33 | {"path": "/run/resolvconf/private-dhcp"} 34 | ] 35 | , "environment": [ 36 | ] 37 | , "seccomp": { 38 | "mode":"disabled" 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /hexchat-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TCGETS=0x5401 2 | 3 
| FUTEX_WAIT=0
4 | FUTEX_WAKE=1
5 | FUTEX_FD=2
6 | FUTEX_REQUEUE=3
7 | FUTEX_CMP_REQUEUE=4
8 | FUTEX_WAKE_OP=5
9 | FUTEX_LOCK_PI=6
10 | FUTEX_UNLOCK_PI=7
11 | FUTEX_TRYLOCK_PI=8
12 | FUTEX_WAIT_BITSET=9
13 | FUTEX_WAKE_BITSET=10
14 | FUTEX_WAIT_REQUEUE_PI=11
15 | FUTEX_CMP_REQUEUE_PI=12
16 |
17 | FUTEX_PRIVATE_FLAG=128
18 | FUTEX_CLOCK_REALTIME=256
19 | FUTEX_CMD_MASK=~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME)
20 |
21 | FUTEX_WAIT_PRIVATE=(FUTEX_WAIT | FUTEX_PRIVATE_FLAG)
22 | FUTEX_WAKE_PRIVATE=(FUTEX_WAKE | FUTEX_PRIVATE_FLAG)
23 | FUTEX_REQUEUE_PRIVATE=(FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG)
24 | FUTEX_CMP_REQUEUE_PRIVATE=(FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG)
25 | FUTEX_WAKE_OP_PRIVATE=(FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG)
26 | FUTEX_LOCK_PI_PRIVATE=(FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG)
27 | FUTEX_UNLOCK_PI_PRIVATE=(FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG)
28 | FUTEX_TRYLOCK_PI_PRIVATE=(FUTEX_TRYLOCK_PI | FUTEX_PRIVATE_FLAG)
29 | FUTEX_WAIT_BITSET_PRIVATE=(FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG)
30 | FUTEX_WAKE_BITSET_PRIVATE=(FUTEX_WAKE_BITSET | FUTEX_PRIVATE_FLAG)
31 | FUTEX_WAIT_REQUEUE_PI_PRIVATE=(FUTEX_WAIT_REQUEUE_PI | FUTEX_PRIVATE_FLAG)
32 | FUTEX_CMP_REQUEUE_PI_PRIVATE=(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG)
33 |
# Syscall rules for hexchat start here; hexchat.json on this page selects this file with
# seccomp mode "whitelist" and enforce true.
34 | recvmsg:1
35 | poll:1
36 | stat:1
37 | writev:1
38 | open:1
39 | read:1
40 | access:1
# 129 and 128 equal FUTEX_WAKE_PRIVATE and FUTEX_WAIT_PRIVATE as defined above; only
# FUTEX_WAIT is spelled by name in this rule.
41 | futex: arg1 == FUTEX_WAIT || arg1 == 129 || arg1 == 128
42 | mmap:1
43 | close:1
44 | fstat:1
45 | brk:1
46 | mprotect:1
47 | munmap:1
48 | fstatfs:1
49 | lseek:1
50 | sendmsg:1
51 | getdents:1
# fcntl commands by number; on Linux 3 = F_GETFL, 4 = F_SETFL, 2 = F_SETFD, 1 = F_GETFD —
# the same set coyim-whitelist.seccomp on this page writes with the symbolic names.
52 | fcntl: arg1 == 3 || arg1 == 4 || arg1 == 2 || arg1 == 1
53 | sendto:1
54 | fadvise64:1
55 | recvfrom:1
56 | mkdir:1
57 | eventfd2:1
58 | uname:1
# Address families by number; on Linux 1 = AF_UNIX, 2 = AF_INET, 10 = AF_INET6,
# 16 = AF_NETLINK (netlink is admitted only with protocol argument 0).
59 | socket: arg0 == 1 || arg0 == 2 || arg0 == 10 || (arg0 == 16 && arg2 == 0)
60 | lstat:1
61 | rt_sigaction:1
62 | connect:1
63 | flock:1
64 | shmctl:1
65 | shmget:1
66 | shmat:1
67 | getsockname:1
# ioctl is limited to the TCGETS request code defined at the top of this file.
68 | ioctl: arg1 == TCGETS
69 | gettimeofday:1
70 | rt_sigprocmask:1
71 | getuid:1
72 | select:1
73 | execve:1
74
| getpeername:1 75 | clock_getres:1 76 | bind:1 77 | getegid:1 78 | getresuid:1 79 | shmdt:1 80 | setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_KEEPALIVE)) 81 | pipe:1 82 | geteuid:1 83 | clone:1 84 | prctl: arg0 == 15 85 | chmod:1 86 | link:1 87 | rename:1 88 | arch_prctl:1 89 | statfs:1 90 | exit_group:1 91 | wait4:1 92 | set_robust_list:1 93 | getresgid:1 94 | setuid:1 95 | mremap:1 96 | nanosleep:1 97 | set_tid_address:1 98 | getrlimit:1 99 | write:1 100 | unlink:1 101 | kill:1 102 | openat:1 103 | sysinfo:1 104 | dup:1 105 | readlink:1 106 | exit:1 107 | clock_gettime:1 108 | restart_syscall:1 109 | getrusage:1 110 | # Following for about/contents modal 111 | dup2:1 112 | inotify_init1:1 113 | inotify_rm_watch:1 114 | inotify_add_watch:1 115 | pipe2:1 116 | madvise:1 117 | sendmmsg:1 118 | fchmod:1 119 | fsync:1 120 | fchown:1 121 | getcwd:1 122 | getpid:1 123 | getrandom:1 124 | # OTR plugin 125 | umask:1 126 | rt_sigreturn:1 127 | -------------------------------------------------------------------------------- /hexchat.json: -------------------------------------------------------------------------------- 1 | { 2 | "path": "/usr/bin/hexchat" 3 | , "default_params": ["--no-plugins"] 4 | , "xserver": { 5 | "enabled": true 6 | , "enable_tray": false 7 | , "tray_icon": "/usr/share/icons/hicolor/scalable/apps/hexchat.svg" 8 | , "enable_notifications": true 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | , "sockets": [ 13 | {"type":"client", "proto":"tcp", "port":9050} 14 | ] 15 | } 16 | , "whitelist": [ 17 | {"path":"${HOME}/.config/hexchat", "can_create":true} 18 | 19 | , {"path":"/var/lib/oz/cells.d/hexchat.json", "read_only": true} 20 | , {"path":"/var/lib/oz/cells.d/hexchat-whitelist.seccomp", "read_only": true} 21 | ] 22 | , "blacklist": [ 23 | ] 24 | , "seccomp": { 25 | "mode":"whitelist" 26 | , "enforce": true 27 | , "whitelist": "/var/lib/oz/cells.d/hexchat-whitelist.seccomp" 28 | } 29 | } 30 | 
--------------------------------------------------------------------------------
/libreoffice-whitelist.seccomp:
--------------------------------------------------------------------------------
# Syscall whitelist that libreoffice.json on this page selects (seccomp mode "whitelist",
# enforce true). The three constants below are used by the setsockopt rule.
1 | SO_REUSEPORT=15
2 | SOL_NETLINK=270
3 | NETLINK_PKTINFO=3
4 |
5 | recvmsg:1
6 | poll:1
7 | writev:1
8 | lstat:1
9 | access:1
10 | open:1
# futex ops by number, using the values in futex-consts-x64.seccomp on this page:
# 129 = FUTEX_WAKE_PRIVATE, 128 = FUTEX_WAIT_PRIVATE, 133 = FUTEX_WAKE_OP_PRIVATE,
# 132 = FUTEX_CMP_REQUEUE_PRIVATE, 137 = FUTEX_WAIT_BITSET_PRIVATE,
# 393 = FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 0 = FUTEX_WAIT, 1 = FUTEX_WAKE.
11 | futex: arg1 == 129 || arg1 == 128 || arg1 == 393 || arg1 == 133 || arg1 == 132 || arg1 == 0 || arg1 == 1 || arg1 == 137
12 | read:1
13 | close:1
14 | fstat:1
15 | pread64:1
16 | write:1
17 | mmap:1
18 | stat:1
19 | munmap:1
20 | mprotect:1
21 | lseek:1
22 | recvfrom:1
23 | getuid:1
24 | brk:1
25 | getdents:1
26 | mkdir:1
27 | getcwd:1
28 | pwrite64:1
# fcntl commands by number; on Linux x86-64 0 = F_DUPFD, 1 = F_GETFD, 2 = F_SETFD,
# 3 = F_GETFL, 4 = F_SETFL, 6 = F_SETLK, 7 = F_SETLKW.
29 | fcntl: arg1 == 0 || arg1 == 2 || arg1 == 1 || arg1 == 3 || arg1 == 4 || arg1 == 6 || arg1 == 7
30 | fstatfs:1
31 | uname:1
32 | clone:1
33 | madvise:1
34 | set_robust_list:1
35 | sendmsg:1
36 | rt_sigaction:1
# ioctl request codes in decimal: 21505 = 0x5401 and 21523 = 0x5413, the values
# mpv-whitelist.seccomp on this page names TCGETS and TIOCGWINSZ.
37 | ioctl: arg1 == 21505 || arg1 == 21523
38 | exit:1
39 | unlink:1
40 | rename:1
41 | fsync:1
# NOTE(review): AF_INET, AF_INET6 and AF_NETLINK are admitted although libreoffice.json sets
# networking type "empty". Confirm the suite needs them inside the sandbox, otherwise narrow
# this rule.
42 | socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || (arg0 == AF_NETLINK && arg2 == 0)
43 | eventfd2:1
44 | connect:1
45 | dup2:1
46 | fallocate:1
47 | clock_gettime:1
48 | getrandom:1
49 | chmod:1
50 | fadvise64:1
51 | inotify_rm_watch:1
52 | kill:1
53 | rt_sigreturn:1
54 | execve:1
55 | statfs:1
56 | getpeername:1
57 | getresgid:1
58 | newfstatat:1
59 | readlink:1
60 | epoll_create1:1
61 | sched_yield:1
62 | shmctl:1
63 | ppoll:1
64 | capget:1
65 | geteuid:1
66 | shutdown:1
67 | getgid:1
68 | getppid:1
69 | exit_group:1
70 | wait4:1
71 | openat:1
72 | bind:1
73 | setrlimit:1
74 | mremap:1
75 | getresuid:1
76 | fchdir:1
77 | link:1
78 | chdir:1
79 | getegid:1
80 | sysinfo:1
81 | pipe2:1
82 | sched_getaffinity:1
83 | symlink:1
84 | lgetxattr:1
85 | sendto:1
86 | shmat:1
87 | epoll_ctl:1
88 | listen:1
89 | mincore:1
90 | accept:1
91 | select:1
92 | ftruncate:1
93 | sigaltstack:1
94 | socketpair:1
95 | faccessat:1
96 | getrlimit:1
97 | setsockopt: (arg1 ==
SOL_SOCKET && (arg2 == SO_REUSEADDR || arg2 == SO_REUSEPORT)) || (arg1 == SOL_TCP && (arg2 == TCP_NODELAY)) || (arg1 == SOL_NETLINK && (arg2 == NETLINK_PKTINFO)) 98 | shmget:1 99 | epoll_wait:1 100 | restart_syscall:1 101 | setsid:1 102 | rmdir:1 103 | getsockname:1 104 | clock_getres:1 105 | getrusage:1 106 | pipe:1 107 | prctl: arg0 == 15 108 | accept4:1 109 | getsockopt:1 110 | set_tid_address:1 111 | gettid:1 112 | getpid:1 113 | inotify_init1:1 114 | rt_sigprocmask:1 115 | nanosleep:1 116 | inotify_add_watch:1 117 | arch_prctl:1 118 | shmdt:1 119 | clock_gettime: 1 120 | gettimeofday: 1 121 | -------------------------------------------------------------------------------- /libreoffice.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "libreoffice" 3 | , "path": "/usr/bin/libreoffice" 4 | , "paths": [ 5 | "/usr/bin/lowriter" 6 | , "/usr/bin/lobase" 7 | , "/usr/bin/localc" 8 | , "/usr/share/libreoffice/bin/lo-xlate-lang" 9 | , "/usr/bin/loffice" 10 | , "/usr/bin/unopkg" 11 | , "/usr/bin/lofromtemplate" 12 | , "/usr/bin/soffice" 13 | , "/usr/bin/lodraw" 14 | , "/usr/bin/loimpress" 15 | , "/usr/bin/lomath" 16 | , "/usr/bin/loweb" 17 | , "/usr/bin/lowriter" 18 | ] 19 | , "_unused": [ 20 | "/usr/share/libreoffice/bin/lo-xlate-lang" 21 | ] 22 | , "allow_files": true 23 | , "xserver": { 24 | "enabled": true 25 | , "enable_tray": false 26 | , "tray_icon":"/usr/share/icons/gnome/scalable/apps/libreoffice-startcenter.svg" 27 | , "window_icon":"/usr/share/icons/gnome/scalable/apps/libreoffice-startcenter.svg" 28 | } 29 | , "networking":{ 30 | "type":"empty" 31 | } 32 | , "whitelist": [ 33 | {"path": "/etc/libreoffice/", "read_only": true, "ignore": true} 34 | , {"path": "${HOME}/.config/libreoffice", "can_create": true} 35 | 36 | , {"path":"/var/lib/oz/cells.d/libreoffice-whitelist.seccomp", "read_only": true} 37 | ] 38 | , "shared_folders": [ 39 | "${XDG_DOCUMENTS_DIR}" 40 | ] 41 | , "seccomp": { 42 | 
"mode":"whitelist" 43 | , "whitelist":"/var/lib/oz/cells.d/libreoffice-whitelist.seccomp" 44 | , "enforce": true 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /liferea.json: -------------------------------------------------------------------------------- 1 | { 2 | "path": "/usr/bin/liferea" 3 | , "_wrapper": "/usr/bin/torify" 4 | , "xserver": { 5 | "enabled": true 6 | , "enable_tray": false 7 | , "tray_icon":"/usr/share/icons/hicolor/scalable/apps/liferea.svg" 8 | } 9 | , "networking":{ 10 | "type":"empty" 11 | , "sockets": [ 12 | {"type":"client", "proto":"tcp", "port":9050} 13 | ] 14 | } 15 | , "whitelist": [ 16 | {"path":"/run/resolvconf"} 17 | 18 | , {"path":"${HOME}/.local/share/liferea", "can_create":true} 19 | , {"path":"${HOME}/.cache/liferea", "can_create":true} 20 | , {"path":"${HOME}/.config/liferea", "can_create":true} 21 | 22 | , {"path":"${HOME}/.config/dconf"} 23 | , {"path":"${HOME}/.cache/dconf"} 24 | , {"path":"/run/user/${UID}/dconf"} 25 | ] 26 | , "blacklist": [ 27 | ] 28 | , "environment": [ 29 | ] 30 | , "seccomp": { 31 | "mode":"blacklist" 32 | , "enforce": true 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /mpv-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TIOCGWINSZ=0x5413 2 | TIOCGPGRP=21519 3 | TCGETS=0x5401 4 | FIONREAD=0x541B 5 | 6 | FUTEX_WAIT=0 7 | FUTEX_WAKE=1 8 | FUTEX_FD=2 9 | FUTEX_REQUEUE=3 10 | FUTEX_CMP_REQUEUE=4 11 | FUTEX_WAKE_OP=5 12 | FUTEX_LOCK_PI=6 13 | FUTEX_UNLOCK_PI=7 14 | FUTEX_TRYLOCK_PI=8 15 | FUTEX_WAIT_BITSET=9 16 | FUTEX_WAKE_BITSET=10 17 | FUTEX_WAIT_REQUEUE_PI=11 18 | FUTEX_CMP_REQUEUE_PI=12 19 | 20 | FUTEX_PRIVATE_FLAG=128 21 | FUTEX_CLOCK_REALTIME=256 22 | FUTEX_CMD_MASK=~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME) 23 | 24 | FUTEX_WAIT_PRIVATE=(FUTEX_WAIT | FUTEX_PRIVATE_FLAG) 25 | FUTEX_WAKE_PRIVATE=(FUTEX_WAKE | FUTEX_PRIVATE_FLAG) 26 | 
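FUTEX_REQUEUE_PRIVATE=(FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG) 27 | FUTEX_CMP_REQUEUE_PRIVATE=(FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG) 28 | FUTEX_WAKE_OP_PRIVATE=(FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG) 29 | FUTEX_LOCK_PI_PRIVATE=(FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG) 30 | FUTEX_UNLOCK_PI_PRIVATE=(FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG) 31 | FUTEX_TRYLOCK_PI_PRIVATE=(FUTEX_TRYLOCK_PI | FUTEX_PRIVATE_FLAG) 32 | FUTEX_WAIT_BITSET_PRIVATE=(FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG) 33 | FUTEX_WAKE_BITSET_PRIVATE=(FUTEX_WAKE_BITSET | FUTEX_PRIVATE_FLAG) 34 | FUTEX_WAIT_REQUEUE_PI_PRIVATE=(FUTEX_WAIT_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 35 | FUTEX_CMP_REQUEUE_PI_PRIVATE=(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 36 | # Syscall rules: "name:1" allows the call unconditionally; an expression allows it only when the argument test holds. In the futex rule the FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME term (9|128|256 = 393) is parenthesised so the match does not depend on how the policy parser ranks bitwise OR against ==. mprotect and mmap are allowed with any arguments (the narrower mprotect rule further down is commented out), so this policy does not restrict creating executable mappings. 37 | clock_gettime:1 38 | futex: (arg1 == FUTEX_WAKE_PRIVATE) || (arg1 == FUTEX_WAIT_PRIVATE) || (arg1 == FUTEX_CMP_REQUEUE_PRIVATE) || (arg1 == (FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME)) || (arg1 == FUTEX_WAKE_OP_PRIVATE) || (arg1 == FUTEX_LOCK_PI_PRIVATE) || (arg1 == FUTEX_UNLOCK_PI_PRIVATE) || (arg1 == FUTEX_UNLOCK_PI) || (arg1 == FUTEX_WAIT) || (arg1 == FUTEX_WAIT_REQUEUE_PI_PRIVATE) || (arg1 == FUTEX_CMP_REQUEUE_PI_PRIVATE) 39 | select:1 40 | getpid:1 41 | ioctl: (arg1 == TCGETS) || (arg1 == TIOCGPGRP) || (arg1 == TIOCGWINSZ) || (arg1 == 1074029664) || (arg1 == 1074291721) || (arg1 == 1074291822) || (arg1 == 1074553951) || (arg1 == 1075864669) || (arg1 == 1077961833) || (arg1 == 2148557923) || (arg1 == 3221775447) || (arg1 == 3221775469) || (arg1 == 3222037549) || (arg1 == 3222037606) || (arg1 == 3222299718) || (arg1 == 3222299739) || (arg1 == 3222299745) || (arg1 == 3222299748) || (arg1 == 3222299761) || (arg1 == 3222824050) || (arg1 == 3223872606) 42 | write:1 43 | read:1 44 | poll:1 45 | recvmsg:1 46 | sendto:1 47 | epoll_wait:1 48 | lseek:1 49 | mprotect:1 50 | mremap:1 51 | #mprotect: (arg2 == PROT_NONE) || (arg2 == PROT_WRITE) 52 | mmap: 1 53 | nanosleep:1 54 | close:1 55 | open:1 56 | fstat:1 57 | writev:1 58 | access:1 59 | rt_sigaction:1 60 | stat:1 61 | 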
fcntl: (arg1 == F_DUPFD) || (arg1 == F_GETFD) || (arg1 == F_SETFD) || (arg1 == F_GETFL) || (arg1 == F_SETFL) || (arg1 == F_SETLKW) 62 | brk:1 63 | dup2:1 64 | munmap:1 65 | fstatfs:1 66 | clone:1 67 | exit_group:1 68 | wait4:1 69 | epoll_ctl:1 70 | epoll_create1:1 71 | inotify_init1:1 72 | getrlimit:1 73 | rt_sigprocmask:1 74 | set_robust_list:1 75 | arch_prctl:1 76 | set_tid_address:1 77 | recvfrom:1 78 | newfstatat:1 79 | pipe:1 80 | statfs:1 81 | geteuid:1 82 | inotify_add_watch:1 83 | connect:1 84 | socket: arg0 == AF_UNIX && ((arg1 == SOCK_STREAM && arg2 == IPPROTO_IP) || (arg1 &? SOCK_STREAM && arg2 == 0)) 85 | getsockname:1 86 | sendmsg:1 87 | getdents:1 88 | accept4:1 89 | chdir:1 90 | listen:1 91 | bind:1 92 | capget:1 93 | gettid:1 94 | setsid:1 95 | uname:1 96 | readlink:1 97 | getpeername:1 98 | shutdown:1 99 | madvise:1 100 | exit:1 101 | getuid:1 102 | getppid:1 103 | fadvise64:1 104 | setsockopt: (arg1 == SOL_SOCKET && arg2 == SO_SNDBUF) || (arg1 == SOL_SOCKET && arg2 == SO_RCVBUF) || (arg1 == SOL_SOCKET && arg2 == SO_PRIORITY) || (arg1 == SOL_SOCKET && arg2 == SO_PASSCRED) 105 | clock_getres:1 106 | getresgid:1 107 | getresuid:1 108 | prctl: arg0 == PR_SET_NAME 109 | splice:1 110 | pipe2:1 111 | getgid:1 112 | memfd_create:1 113 | ftruncate:1 114 | socketpair:1 115 | faccessat:1 116 | lstat:1 117 | umask:1 118 | rename:1 119 | link:1 120 | unlink:1 121 | mkdir:1 122 | getsockopt:1 123 | # arg1 == SOL_SOCKET && arg2 == SO_ERROR 124 | restart_syscall:1 125 | getegid:1 126 | sched_getaffinity:1 127 | getpgrp:1 128 | getcwd:1 129 | getrandom:1 130 | chmod:1 131 | mincore:1 132 | sysinfo:1 133 | execve:1 134 | -------------------------------------------------------------------------------- /mpv.json: -------------------------------------------------------------------------------- 1 | { 2 | "path": "/usr/bin/mpv" 3 | , "allow_files": true 4 | , "xserver": { 5 | "enabled": true 6 | , "enable_tray": false 7 | , 
"tray_icon":"/usr/share/icons/hicolor/scalable/apps/mpv.svg" 8 | , "audio_mode": "pulseaudio" 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | } 13 | , "whitelist": [ 14 | {"path": "/etc/mpv", "read_only": true, "ignore": true} 15 | , {"path": "/var/lib/oz/cells.d/mpv-whitelist.seccomp", "read_only": true} 16 | , {"path": "${HOME}/.config/mpv", "can_create": true} 17 | ] 18 | , "blacklist": [ 19 | ] 20 | , "seccomp": { 21 | "mode":"whitelist" 22 | , "whitelist":"/var/lib/oz/cells.d/mpv-whitelist.seccomp" 23 | , "enforce": true 24 | , "debug": true 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /onioncircuits.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "onioncircuits" 3 | , "path": "/usr/bin/onioncircuits" 4 | , "_watchdog": ["onioncircuits"] 5 | , "xserver": { 6 | "enabled": true 7 | , "enable_tray": false 8 | } 9 | , "networking":{ 10 | "type": "empty" 11 | , "sockets": [ 12 | {"type": "client", "proto": "tcp", "port": 9050} 13 | , {"type": "client", "proto": "tcp2unix", "port": 9051, "destination": "/var/run/roflcoptor/onioncircuits.socket"} 14 | ] 15 | } 16 | , "whitelist": [] 17 | , "environment": [] 18 | , "seccomp": { 19 | "mode": "blacklist" 20 | , "enforce": true 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /onionshare-gui-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TCGETS=0x5401 2 | FIONREAD=0x541B 3 | 4 | FUTEX_WAIT=0 5 | FUTEX_WAKE=1 6 | FUTEX_FD=2 7 | FUTEX_REQUEUE=3 8 | FUTEX_CMP_REQUEUE=4 9 | FUTEX_WAKE_OP=5 10 | FUTEX_LOCK_PI=6 11 | FUTEX_UNLOCK_PI=7 12 | FUTEX_TRYLOCK_PI=8 13 | FUTEX_WAIT_BITSET=9 14 | FUTEX_WAKE_BITSET=10 15 | FUTEX_WAIT_REQUEUE_PI=11 16 | FUTEX_CMP_REQUEUE_PI=12 17 | 18 | FUTEX_PRIVATE_FLAG=128 19 | FUTEX_CLOCK_REALTIME=256 20 | FUTEX_CMD_MASK=~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME) 21 | 22 | 
FUTEX_WAIT_PRIVATE=(FUTEX_WAIT | FUTEX_PRIVATE_FLAG) 23 | FUTEX_WAKE_PRIVATE=(FUTEX_WAKE | FUTEX_PRIVATE_FLAG) 24 | FUTEX_REQUEUE_PRIVATE=(FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG) 25 | FUTEX_CMP_REQUEUE_PRIVATE=(FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG) 26 | FUTEX_WAKE_OP_PRIVATE=(FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG) 27 | FUTEX_LOCK_PI_PRIVATE=(FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG) 28 | FUTEX_UNLOCK_PI_PRIVATE=(FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG) 29 | FUTEX_TRYLOCK_PI_PRIVATE=(FUTEX_TRYLOCK_PI | FUTEX_PRIVATE_FLAG) 30 | FUTEX_WAIT_BITSET_PRIVATE=(FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG) 31 | FUTEX_WAKE_BITSET_PRIVATE=(FUTEX_WAKE_BITSET | FUTEX_PRIVATE_FLAG) 32 | FUTEX_WAIT_REQUEUE_PI_PRIVATE=(FUTEX_WAIT_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 33 | FUTEX_CMP_REQUEUE_PI_PRIVATE=(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 34 | 35 | recvmsg:1 36 | open:1 37 | poll:1 38 | read:1 39 | stat:1 40 | fstat:1 41 | writev:1 42 | close:1 43 | access:1 44 | mmap:1 45 | write:1 46 | mprotect:1 47 | futex: (arg1 &? FUTEX_WAKE) || (arg1 &? FUTEX_WAIT) || (arg1 == FUTEX_CMP_REQUEUE|FUTEX_PRIVATE_FLAG) 48 | lstat:1 49 | lseek:1 50 | brk:1 51 | munmap:1 52 | rt_sigaction:1 53 | fstatfs:1 54 | fcntl: (arg1 == 1030) || (arg1 == F_DUPFD) || (arg1 == F_GETFD) || (arg1 == F_SETFD) || (arg1 == F_GETFL) || (arg1 == F_SETFL) || (arg1 == F_SETLKW) || (arg1 == F_SETLK) 55 | getdents:1 56 | sendmsg:1 57 | uname:1 58 | socket: (arg0 == AF_UNIX && arg1 &? SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET && arg1 &? SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET && arg1 &? 
SOCK_STREAM && arg2 == IPPROTO_TCP) || (arg0 == AF_INET && arg1 == SOCK_DGRAM|SOCK_NONBLOCK && arg2 == IPPROTO_IP) 59 | fadvise64:1 60 | connect:1 61 | recvfrom:1 62 | sendto:1 63 | readlink:1 64 | geteuid:1 65 | statfs:1 66 | getsockname:1 67 | shmctl:1 68 | shmget:1 69 | dup2:1 70 | unlink:1 71 | mkdir:1 72 | link:1 73 | rename:1 74 | clone:1 75 | shmat:1 76 | ioctl: arg1 == TCGETS || arg1 == FIONREAD || arg1 == 21585 77 | set_robust_list:1 78 | exit_group:1 79 | prctl: arg0 == PR_SET_NAME 80 | arch_prctl:1 81 | vfork:1 82 | setrlimit:1 83 | chmod:1 84 | accept:1 85 | getegid:1 86 | shutdown:1 87 | wait4:1 88 | dup:1 89 | getuid:1 90 | inotify_rm_watch:1 91 | inotify_add_watch:1 92 | getpeername:1 93 | shmdt:1 94 | getgid:1 95 | madvise:1 96 | setresgid:1 97 | pipe:1 98 | accept4:1 99 | getrlimit:1 100 | eventfd2:1 101 | getresgid:1 102 | inotify_init1:1 103 | clock_getres:1 104 | exit:1 105 | sched_get_priority_max:1 106 | setresuid:1 107 | pipe2:1 108 | select:1 109 | listen:1 110 | sched_yield:1 111 | sched_get_priority_min:1 112 | ftruncate:1 113 | rt_sigreturn:1 114 | getresuid:1 115 | getcwd:1 116 | getdents:1 117 | getdents64:1 118 | getrandom:1 119 | fdatasync:1 120 | setsockopt:(arg1 == SOL_SOCKET && arg2 == SO_REUSEADDR) || (arg1 == SOL_TCP && arg2 == TCP_NODELAY) 121 | set_tid_address:1 122 | mremap:1 123 | sched_setscheduler:1 124 | bind:1 125 | sysinfo:1 126 | flock:1 127 | rt_sigprocmask:1 128 | sigaltstack:1 129 | restart_syscall:1 130 | tgkill:1 131 | getrusage:1 132 | getppid:1 133 | getpid:1 134 | getsockopt:1 135 | execve:1 136 | clock_gettime: 1 137 | gettimeofday: 1 138 | -------------------------------------------------------------------------------- /onionshare-gui.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "onionshare-gui" 3 | , "path": "/usr/bin/onionshare-gui" 4 | , "_watchdog": ["onionshare-gui"] 5 | , "allow_files": true 6 | , "xserver": { 7 | "enabled": true 8 | , 
"enable_tray": false 9 | , "tray_icon": "/usr/share/icons/hicolor/scalable/apps/xterm-color.svg" 10 | , "window_icon": "/usr/share/icons/hicolor/scalable/apps/xterm-color.svg" 11 | } 12 | , "networking":{ 13 | "type": "empty" 14 | , "sockets": [ 15 | {"type": "client", "proto": "tcp2unix", "port": 9051, "destination": "/var/run/roflcoptor/onionshare.socket"} 16 | ] 17 | } 18 | , "external_forwarders": [ 19 | {"name":"dynamic-onionshare-server", "dynamic":true, "multi":true, "proto":"tcp", "targethost":"127.0.0.1", "extproto":"unix", "socketowner":"debian-tor"} 20 | ] 21 | , "whitelist": [ 22 | {"path": "/var/lib/oz/cells.d/onionshare-gui-whitelist.seccomp"} 23 | ] 24 | , "environment": [] 25 | , "seccomp": { 26 | "mode": "whitelist" 27 | , "whitelist":"/var/lib/oz/cells.d/onionshare-gui-whitelist.seccomp" 28 | , "enforce": true 29 | } 30 | } 31 | 32 | -------------------------------------------------------------------------------- /pidgin-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | mincore: 1 2 | tgkill: 1 3 | alarm: 1 4 | fadvise64: 1 5 | nanosleep: 1 6 | rt_sigreturn:1 7 | execve:1 8 | capget:1 9 | getrusage:1 10 | sendto:1 11 | fstatfs:1 12 | fstat:1 13 | gettid:1 14 | lstat:1 15 | dup:1 16 | socketpair:1 17 | pipe2:1 18 | unlink:1 19 | shmget:1 20 | kill:1 21 | setrlimit:1 22 | eventfd2:1 23 | rename:1 24 | getresuid:1 25 | readlinkat:1 26 | clock_gettime:1 27 | mremap:1 28 | poll:1 29 | getdents:1 30 | wait4:1 31 | setsockopt: arg1 == SOL_SOCKET && (arg2 == SO_ATTACH_FILTER || arg2 == SO_PASSCRED || arg2 == SO_TYPE || arg2 == SO_DEBUG || arg2 == SO_PRIORITY) 32 | exit:1 33 | statfs:1 34 | bind:1 35 | getsockname:1 36 | chmod:1 37 | fchmod:1 38 | epoll_wait:1 39 | getegid:1 40 | flock:1 41 | getsockopt:1 42 | sched_getaffinity:1 43 | sendmmsg:1 44 | readlink:1 45 | mprotect:1 46 | rt_sigprocmask:1 47 | openat:1 48 | listen:1 49 | capset:1 50 | mmap:1 51 | write:1 52 | setpriority:1 53 | access:1 54 | 
getuid:1 55 | recvfrom:1 56 | uname:1 57 | exit_group:1 58 | sysinfo:1 59 | getrandom:1 60 | set_tid_address:1 61 | rt_sigaction:1 62 | pipe:1 63 | link:1 64 | shmat:1 65 | shmdt:1 66 | arch_prctl:1 67 | lseek:1 68 | stat:1 69 | ioctl: arg1 == 21505 || arg1 == 35090 70 | fsync:1 71 | getpeername:1 72 | fcntl: arg1 == F_GETFD || arg1 == F_SETFD || arg1 == F_GETFL || arg1 == F_SETFL || arg1 == F_SETLKW 73 | connect:1 74 | name_to_handle_at:1 75 | madvise:1 76 | shmctl:1 77 | brk:1 78 | timerfd_create:1 79 | epoll_create1:1 80 | getgid:1 81 | shutdown:1 82 | personality:1 83 | dup2:1 84 | writev:1 85 | recvmsg:1 86 | setsid:1 87 | setresgid:1 88 | open:1 89 | socket: arg0 == AF_UNIX || arg0 == AF_INET || (arg0 == AF_NETLINK && arg2 == 0) 90 | mkdir:1 91 | geteuid:1 92 | setresuid:1 93 | set_robust_list:1 94 | sched_setscheduler:1 95 | chdir:1 96 | prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_GET_NAME 97 | clock_getres:1 98 | ppoll:1 99 | getrlimit:1 100 | inotify_add_watch:1 101 | getppid:1 102 | munmap:1 103 | accept4:1 104 | sendmsg:1 105 | close:1 106 | epoll_ctl:1 107 | clone:1 108 | getresgid:1 109 | newfstatat:1 110 | select:1 111 | futex: arg1 == 129 || arg1 == 128 || arg1 == 0 || arg1 == 134 || arg1 == 135 || arg1 == 133 112 | inotify_init1:1 113 | umask:1 114 | ftruncate:1 115 | read:1 116 | gettimeofday: 1 117 | -------------------------------------------------------------------------------- /pidgin.json: -------------------------------------------------------------------------------- 1 | { 2 | "path": "/usr/bin/pidgin" 3 | , "xserver": { 4 | "enabled": true 5 | , "enable_tray": false 6 | , "tray_icon":"/usr/share/icons/gnome-colors-common/scalable/apps/pidgin-menu.svg" 7 | } 8 | , "networking":{ 9 | "type":"empty" 10 | , "sockets": [ 11 | {"type":"client", "proto":"tcp", "port":9050} 12 | ] 13 | } 14 | , "whitelist": [ 15 | {"path": "/etc/purple/", "read_only": true, "ignore": true} 16 | , {"path": "/var/lib/oz/cells.d/pidgin.json", 
"read_only": true} 17 | , {"path": "/var/lib/oz/cells.d/pidgin-whitelist.seccomp", "read_only": true} 18 | 19 | , {"path": "${HOME}/.purple", "can_create": true} 20 | ] 21 | , "shared_folders": [ 22 | "${XDG_DOWNLOAD_DIR}" 23 | ] 24 | , "environment": [ 25 | ] 26 | , "seccomp": { 27 | "mode":"blacklist" 28 | , "enforce": true 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /pond.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "pond" 3 | , "path": "/usr/local/bin/pond-client" 4 | , "xserver": { 5 | "enabled": true 6 | , "enable_tray": false 7 | , "tray_icon":"/usr/share/icons/gnome-colors-common/scalable/apps/office-mail.svg" 8 | , "window_icon":"/usr/share/icons/gnome-colors-common/scalable/apps/office-mail.svg" 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | , "sockets": [ 13 | {"type":"client", "proto":"tcp", "port":9050} 14 | , {"type":"client", "proto":"tcp", "port":30003} 15 | ] 16 | } 17 | , "whitelist": [ 18 | {"path":"${HOME}/.pond", "can_create":true} 19 | ] 20 | , "blacklist": [ 21 | ] 22 | , "environment": [ 23 | {"name":"TOR_SKIP_LAUNCH"} 24 | , {"name":"TOR_SOCKS_HOST"} 25 | , {"name":"TOR_SOCKS_PORT"} 26 | ] 27 | , "seccomp": { 28 | "mode":"blacklist" 29 | , "enforce": true 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /ricochet-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | FIONREAD=0x541B 2 | 3 | FUTEX_WAIT=0 4 | FUTEX_WAKE=1 5 | FUTEX_FD=2 6 | FUTEX_REQUEUE=3 7 | FUTEX_CMP_REQUEUE=4 8 | FUTEX_WAKE_OP=5 9 | FUTEX_LOCK_PI=6 10 | FUTEX_UNLOCK_PI=7 11 | FUTEX_TRYLOCK_PI=8 12 | FUTEX_WAIT_BITSET=9 13 | FUTEX_WAKE_BITSET=10 14 | FUTEX_WAIT_REQUEUE_PI=11 15 | FUTEX_CMP_REQUEUE_PI=12 16 | 17 | FUTEX_PRIVATE_FLAG=128 18 | FUTEX_CLOCK_REALTIME=256 19 | FUTEX_CMD_MASK=~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME) 20 | 21 | 
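FUTEX_WAIT_PRIVATE=(FUTEX_WAIT | FUTEX_PRIVATE_FLAG) 22 | FUTEX_WAKE_PRIVATE=(FUTEX_WAKE | FUTEX_PRIVATE_FLAG) 23 | FUTEX_REQUEUE_PRIVATE=(FUTEX_REQUEUE | FUTEX_PRIVATE_FLAG) 24 | FUTEX_CMP_REQUEUE_PRIVATE=(FUTEX_CMP_REQUEUE | FUTEX_PRIVATE_FLAG) 25 | FUTEX_WAKE_OP_PRIVATE=(FUTEX_WAKE_OP | FUTEX_PRIVATE_FLAG) 26 | FUTEX_LOCK_PI_PRIVATE=(FUTEX_LOCK_PI | FUTEX_PRIVATE_FLAG) 27 | FUTEX_UNLOCK_PI_PRIVATE=(FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG) 28 | FUTEX_TRYLOCK_PI_PRIVATE=(FUTEX_TRYLOCK_PI | FUTEX_PRIVATE_FLAG) 29 | FUTEX_WAIT_BITSET_PRIVATE=(FUTEX_WAIT_BITSET | FUTEX_PRIVATE_FLAG) 30 | FUTEX_WAKE_BITSET_PRIVATE=(FUTEX_WAKE_BITSET | FUTEX_PRIVATE_FLAG) 31 | FUTEX_WAIT_REQUEUE_PI_PRIVATE=(FUTEX_WAIT_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 32 | FUTEX_CMP_REQUEUE_PI_PRIVATE=(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG) 33 | # Syscall rules: "name:1" allows the call unconditionally; an expression allows it only when the argument test holds. In the futex rule the FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME term (9|128|256 = 393) is parenthesised so the match does not depend on how the policy parser ranks bitwise OR against ==. NOTE(review): TCGETS is used in the ioctl rule but is not defined among this file's constants; presumably it resolves as a parser built-in - confirm. 34 | ioctl: (arg1 == TCGETS) || (arg1 == FIONREAD) || (arg1 == 35111) || (arg1 == 1074029664) || (arg1 == 1074291721) || (arg1 == 1074291822) || (arg1 == 1074553951) || (arg1 == 1075864669) || (arg1 == 1077961833) || (arg1 == 2148557923) || (arg1 == 3221775447) || (arg1 == 3221775469) || (arg1 == 3222037549) || (arg1 == 3222037606) || (arg1 == 3222299718) || (arg1 == 3222299739) || (arg1 == 3222299745) || (arg1 == 3222299748) || (arg1 == 3222299761) || (arg1 == 3222824050) || (arg1 == 3223872606) 35 | poll:1 36 | recvmsg:1 37 | write:1 38 | read:1 39 | futex: arg1 == FUTEX_CMP_REQUEUE_PRIVATE || arg1 == FUTEX_LOCK_PI_PRIVATE || arg1 == FUTEX_UNLOCK_PI_PRIVATE || arg1 == FUTEX_WAIT || arg1 == FUTEX_WAIT_BITSET_PRIVATE || arg1 == FUTEX_WAIT_PRIVATE || arg1 == FUTEX_WAKE_OP_PRIVATE || arg1 == FUTEX_WAKE_PRIVATE || arg1 == (FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME) || arg1 == FUTEX_UNLOCK_PI || arg1 == FUTEX_WAKE 40 | writev:1 41 | sendmsg:1 42 | stat:1 43 | close:1 44 | setrlimit:1 45 | mprotect:1 46 | mmap:1 47 | open:1 48 | access:1 49 | fstat:1 50 | mincore:1 51 | munmap:1 52 | brk:1 53 | lstat:1 54 | memfd_create:1 55 | ftruncate:1 56 | fcntl: (arg1 == 
F_DUPFD) || (arg1 == F_GETFD) || (arg1 == F_SETFD) || (arg1 == F_GETFL) || (arg1 == F_SETFL) || (arg1 == F_SETLK) || (arg1 == F_SETLKW) 57 | rt_sigaction:1 58 | getcwd:1 59 | fstatfs:1 60 | ppoll:1 61 | select:1 62 | sendto:1 63 | recvfrom:1 64 | socket: (arg0 == AF_UNIX && arg1 == SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET && arg1 &? SOCK_STREAM && arg2 == IPPROTO_TCP) || (arg0 == AF_INET && arg1 == SOCK_DGRAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET && arg1 &? SOCK_STREAM && arg2 == IPPROTO_IP) || (arg0 == AF_INET6 && arg1 &? SOCK_STREAM && arg2 == IPPROTO_TCP) || (arg0 == AF_NETLINK && arg1 == SOCK_RAW && arg2 == IPPROTO_IP) || (arg0 == AF_UNIX && arg1 &? SOCK_STREAM && arg2 == 0) || (arg0 == AF_INET && arg1 &? SOCK_DGRAM && arg2 == IPPROTO_UDP) || (arg0 == AF_UNIX && arg1 &? SOCK_DGRAM) || (arg0 == AF_NETLINK && arg1 &? SOCK_RAW && arg2 == 15) 65 | dup3:1 66 | waitid:1 67 | lseek:1 68 | newfstatat:1 69 | getdents:1 70 | getsockname:1 71 | rt_sigprocmask:1 72 | set_robust_list:1 73 | clone:1 74 | socketpair:1 75 | accept4:1 76 | connect:1 77 | pselect6:1 78 | uname:1 79 | personality:1 80 | statfs:1 81 | eventfd2:1 82 | fadvise64:1 83 | geteuid:1 84 | bind:1 85 | getuid:1 86 | sigaltstack:1 87 | epoll_wait:1 88 | readlinkat:1 89 | getrandom:1 90 | setsockopt: (arg1 == 1 && arg2 == SO_REUSEADDR) || (arg1 == 1 && arg2 == SO_BROADCAST) || (arg1 == 1 && arg2 == SO_SNDBUF) || (arg1 == 1 && arg2 == SO_RCVBUF) || (arg1 == 1 && arg2 == SO_OOBINLINE) || (arg1 == 1 && arg2 == SO_PRIORITY) || (arg1 == 1 && arg2 == SO_PASSCRED) || (arg1 == 1 && arg2 == 26) 91 | mkdir:1 92 | rmdir:1 93 | link:1 94 | getpeername:1 95 | prctl: arg0 == PR_SET_NAME || arg0 == PR_SET_DUMPABLE || arg0 == PR_GET_TIMERSLACK || arg0 == PR_GET_NAME 96 | dup2:1 97 | exit_group:1 98 | kill:1 99 | fdatasync:1 100 | shmctl:1 101 | name_to_handle_at:1 102 | sched_setscheduler:1 103 | rt_sigsuspend:1 104 | mremap:1 105 | inotify_add_watch:1 106 | gettid:1 107 | restart_syscall:1 108 | umask:1 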
109 | madvise:1 110 | capget:1 111 | exit:1 112 | arch_prctl:1 113 | epoll_create:1 114 | setpriority:1 115 | shmat:1 116 | shmget:1 117 | rename:1 118 | getsockopt:1 119 | chmod:1 120 | pipe2:1 121 | wait4:1 122 | readlink:1 123 | unlink:1 124 | shmdt:1 125 | pipe:1 126 | set_tid_address:1 127 | getegid:1 128 | getrlimit:1 129 | openat:1 130 | flock:1 131 | getresuid:1 132 | getgid:1 133 | shutdown:1 134 | getresgid:1 135 | getpid:1 136 | getppid:1 137 | setresuid:1 138 | capset:1 139 | setresgid:1 140 | sysinfo:1 141 | inotify_init1:1 142 | getgroups:1 143 | clock_getres:1 144 | clock_gettime:1 145 | chdir:1 146 | epoll_ctl:1 147 | epoll_create1:1 148 | sched_getaffinity:1 149 | getrusage:1 150 | setsid:1 151 | listen:1 152 | inotify_rm_watch:1 153 | execve:1 154 | gettimeofday: 1 155 | -------------------------------------------------------------------------------- /ricochet.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ricochet" 3 | , "path": "/usr/bin/ricochet" 4 | , "_watchdog": ["ricochet"] 5 | , "xserver": { 6 | "enabled": true 7 | , "enable_tray": false 8 | , "tray_icon": "/usr/share/icons/hicolor/scalable/apps/ricochet.svg" 9 | , "window_icon": "/usr/share/icons/hicolor/scalable/apps/ricochet.svg" 10 | } 11 | , "networking":{ 12 | "type": "empty" 13 | , "sockets": [ 14 | {"type": "client", "proto": "tcp", "port": 9050} 15 | , {"type": "client", "proto": "tcp2unix", "port": 9051, "destination": "/var/run/roflcoptor/ricochet.socket"} 16 | ] 17 | } 18 | , "whitelist": [ 19 | {"path": "${HOME}/.config/ricochet", "can_create": true} 20 | , {"path": "${HOME}/.local/share/Ricochet", "can_create": true} 21 | , {"path": "/var/lib/oz/cells.d/ricochet-whitelist.seccomp"} 22 | ] 23 | , "environment": [ 24 | {"name":"TOR_SKIP_LAUNCH"} 25 | , {"name":"TOR_SOCKS_HOST"} 26 | , {"name":"TOR_SOCKS_PORT"} 27 | , {"name":"TOR_CONTROL_HOST"} 28 | , {"name":"TOR_CONTROL_PORT"} 29 | , {"name":"TOR_CONTROL_PASSWD"} 30 | 
, {"name":"TOR_CONTROL_AUTHENTICATE"} 31 | , {"name":"TOR_CONTROL_COOKIE_AUTH_FILE"} 32 | ] 33 | , "external_forwarders": [ 34 | {"name":"dynamic-ricochet-server", "dynamic":true, "multi":true, "proto":"tcp", "targethost":"127.0.0.1", "extproto":"unix", "socketowner":"debian-tor"} 35 | ] 36 | , "seccomp": { 37 | "mode": "whitelist" 38 | , "enforce": true 39 | , "whitelist":"/var/lib/oz/cells.d/ricochet-whitelist.seccomp" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /shotwell.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "shotwell" 3 | , "path": "/usr/bin/shotwell" 4 | , "allow_files": true 5 | , "xserver": { 6 | "enabled": true 7 | , "enable_tray": false 8 | , "tray_icon":"/usr/share/icons/hicolor/scalable/apps/shotwell.svg" 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | } 13 | , "whitelist": [ 14 | {"path": "${HOME}/.local/share/shotwell/", "can_create": true} 15 | ] 16 | , "shared_folders": [ 17 | "${XDG_PICTURES_DIR}" 18 | ] 19 | , "environment": [ 20 | {"name":"GTK_THEME", "value":"Adwaita:dark"} 21 | , {"name":"GTK2_RC_FILES", "value":"/usr/share/themes/Darklooks/gtk-2.0/gtkrc"} 22 | ] 23 | , "seccomp": { 24 | "mode":"blacklist" 25 | , "enforce": true 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /thunderbird-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TIOCGPGRP=21519 2 | TCGETS=0x5401 3 | FIONREAD=0x541B 4 | SOL_NETLINK=270 5 | NETLINK_PKTINFO=3 6 | 7 | read: 1 8 | lseek: 1 9 | # futex: FUTEX_CMP_REQUEUE_PRIVATE || FUTEX_WAIT || FUTEX_WAKE || FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAIT_PRIVATE || FUTEX_WAKE_OP_PRIVATE || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_BITSET_PRIVATE 10 | futex[-EPERM]: arg1 == 0 || arg1 == 1 || arg1 == 128 || arg1 == 129 || arg1 == 132 || arg1 == 133 || arg1 == 393 || arg1 == 137 11 | recvmsg: 
1 12 | poll: 1 13 | writev: 1 14 | madvise: 1 15 | write: 1 16 | open: 1 17 | close: 1 18 | mmap: 1 19 | stat: 1 20 | recvfrom: 1 21 | gettid: 1 22 | access: 1 23 | times: 1 24 | munmap: 1 25 | lstat: 1 26 | mprotect: 1 27 | fcntl: 1 28 | gettimeofday: 1 29 | getdents: 1 30 | pread64:1 31 | getrusage: 1 32 | set_robust_list: 1 33 | clone: 1 34 | setpriority: 1 35 | getpriority: 1 36 | rt_sigaction: 1 37 | wait4: 1 38 | sched_yield:1 39 | seccomp:1 40 | pselect6:1 41 | clock_gettime:1 42 | getpid:1 43 | getppid:1 44 | getpgrp:1 45 | mremap: 1 46 | pwrite64:1 47 | mincore: 1 48 | alarm: 1 49 | nanosleep: 1 50 | fadvise64: 1 51 | inotify_init: 1 52 | accept4: 1 53 | newfstatat: 1 54 | readlinkat: 1 55 | rt_sigreturn: 1 56 | getrandom: 1 57 | prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_SET_SECCOMP || arg0 == PR_SET_DUMPABLE 58 | mlock: 1 59 | fdatasync: 1 60 | capget: 1 61 | capset: 1 62 | sigaltstack: 1 63 | chdir: 1 64 | kill: 1 65 | listen: 1 66 | accept: 1 67 | name_to_handle_at: 1 68 | personality: 1 69 | ppoll: 1 70 | sched_setscheduler: 1 71 | setresgid: 1 72 | setresuid: 1 73 | setrlimit: 1 74 | setsid: 1 75 | fallocate: 1 76 | tgkill: 1 77 | dup: 1 78 | dup2: 1 79 | brk: 1 80 | exit: 1 81 | unshare: 1 82 | geteuid: 1 83 | getegid: 1 84 | fstat: 1 85 | mkdir: 1 86 | unlink: 1 87 | symlink: 1 88 | readlink: 1 89 | getrlimit: 1 90 | arch_prctl: 1 91 | pipe: 1 92 | uname: 1 93 | faccessat: 1 94 | exit_group: 1 95 | memfd_create:1 96 | sysinfo:1 97 | bind: 1 98 | chmod: 1 99 | clock_getres: 1 100 | connect: 1 101 | epoll_create: 1 102 | epoll_create1: 1 103 | epoll_ctl: 1 104 | epoll_wait: 1 105 | eventfd2: 1 106 | execve: 1 107 | fchmod: 1 108 | fstatfs: 1 109 | fsync: 1 110 | ftruncate: 1 111 | getcwd: 1 112 | getgid: 1 113 | getpeername: 1 114 | getresgid: 1 115 | getresuid: 1 116 | getsockname: 1 117 | getsockopt: 1 118 | getuid: 1 119 | inotify_add_watch: 1 120 | inotify_init1: 1 121 | inotify_rm_watch: 1 122 | 
# ioctl: FIONREAD 123 | ioctl: arg1 == TCGETS || arg1 == FIONREAD || arg1 == TIOCGPGRP 124 | link: 1 125 | openat: 1 126 | pipe2: 1 127 | quotactl: 1 128 | readahead: 1 129 | rename: 1 130 | restart_syscall: 1 131 | rt_sigprocmask: 1 132 | sched_getaffinity: 1 133 | select: 1 134 | sendmsg: 1 135 | sendto: 1 136 | setsockopt: (arg1 == SOL_TCP && (arg2 == TCP_NODELAY || arg2 == TCP_KEEPCNT || arg2 == TCP_KEEPIDLE || arg2 == TCP_KEEPINTVL || arg2 == TCP_KEEPIDLE)) || (arg1 == SOL_SOCKET && (arg2 == SO_PRIORITY || arg2 == SO_ATTACH_FILTER || arg2 == SO_PASSCRED || arg2 == SO_KEEPALIVE)) || (arg1 == SOL_NETLINK && arg2 == NETLINK_PKTINFO) 137 | splice: 1 138 | set_tid_address: 1 139 | shmat: 1 140 | shmctl: 1 141 | shmdt: 1 142 | shmget: 1 143 | shutdown: 1 144 | socketpair: 1 145 | getpgrp: 1 146 | getppid: 1 147 | statfs: 1 148 | rt_tgsigqueueinfo: 1 149 | umask: 1 150 | utime: 1 151 | socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || (arg0 == AF_NETLINK && arg2 == 0) 152 | rmdir: 1 153 | -------------------------------------------------------------------------------- /thunderbird.json: -------------------------------------------------------------------------------- 1 | { 2 | "path": "/usr/bin/thunderbird" 3 | , "paths": [ 4 | "/usr/bin/icedove" 5 | ] 6 | , "xserver": { 7 | "enabled": true 8 | , "enable_tray": false 9 | , "tray_icon": "/usr/share/icons/hicolor/scalable/apps/thunderbird.svg" 10 | } 11 | , "networking":{ 12 | "type": "empty" 13 | , "sockets": [ 14 | {"type":"client", "proto":"tcp", "port":9050} 15 | ] 16 | } 17 | , "whitelist": [ 18 | {"path": "/etc/thunderbird/", "read_only": true, "ignore": true} 19 | , {"path": "/etc/xul-ext/", "read_only": true, "ignore": true} 20 | 21 | , {"path": "/run/user/${UID}/gnupg/S.gpg-agent.extra", "target": "/run/user/${UID}/gnupg/S.gpg-agent", "read_only":true, "force": true} 22 | , {"path": "/run/user/${UID}/gnupg/S.dirmngr", "read_only":true} 23 | 24 | , {"path":"${HOME}/.cache/thunderbird", 
"can_create":true} 25 | 26 | , {"path":"${HOME}/.gnupg/pubring.gpg", "read_only":true, "ignore":true} 27 | , {"path":"${HOME}/.gnupg/pubring.kbx", "read_only":true, "ignore":true} 28 | , {"path":"${HOME}/.gnupg/trustdb.gpg", "ignore": true} 29 | , {"path":"${HOME}/.gnupg/gpg-agent.conf", "read_only": true, "force":true, "ignore": true} 30 | , {"path":"${HOME}/.gnupg/gpg.conf", "read_only": true, "force":true, "ignore":true} 31 | 32 | , {"path":"${HOME}/.thunderbird", "can_create":true} 33 | , {"path":"${HOME}/.icedove", "ignore":true} 34 | 35 | , {"path":"/var/lib/oz/cells.d/thunderbird-whitelist.seccomp", "read_only": true} 36 | , {"path":"/var/lib/oz/cells.d/thunderbird.json", "read_only": true} 37 | ] 38 | , "shared_folders": [ 39 | "${XDG_DOWNLOAD_DIR}" 40 | ] 41 | , "environment": [ 42 | {"name":"GPG_AGENT_INFO"} 43 | , {"name":"GNOME_KEYRING_CONTROL"} 44 | , {"name":"GNOME_KEYRING_PID", "value":"1"} 45 | ] 46 | , "seccomp": { 47 | "mode":"whitelist" 48 | , "whitelist":"/var/lib/oz/cells.d/thunderbird-whitelist.seccomp" 49 | , "enforce": true 50 | } 51 | } 52 | -------------------------------------------------------------------------------- /torbrowser-launcher-whitelist.seccomp: -------------------------------------------------------------------------------- 1 | TIOCGPGRP=21519 2 | # futex: FUTEX_CMP_REQUEUE_PRIVATE || FUTEX_LOCK_PI_PRIVATE || FUTEX_UNLOCK_PI_PRIVATE || FUTEX_WAIT || FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME || FUTEX_WAIT_PRIVATE || FUTEX_WAKE || FUTEX_WAKE_OP_PRIVATE || FUTEX_WAKE_PRIVATE || FUTEX_WAIT_BITSET_PRIVATE || FUTEX_UNLOCK_PI 3 | futex: arg1 == 0 || arg1 == 128 || arg1 == 129 || arg1 == 132 || arg1 == 133 || arg1 == 393 || arg1 == 134 || arg1 == 1 || arg1 == 135 || arg1 == 139 || arg1 == 140 || arg1 == 137 || arg1 == 7 4 | lseek: 1 5 | open: 1 6 | read: 1 7 | stat: 1 8 | close: 1 9 | mmap: 1 10 | write: 1 11 | access: 1 12 | recvmsg: 1 13 | poll: 1 14 | madvise: arg2 == 4 15 | munmap: 1 16 | mprotect: 1 17 | lstat: 1 18 | 
getdents: 1
19 | writev: 1
20 | rt_sigaction: 1
21 | fcntl: 1
22 | brk: 1
23 | # ioctl: FIONREAD (0x541b) || TCGETS (21505) || TIOCGPGRP (21519, the constant defined on line 1 of this file)
24 | ioctl: arg1 == 0x541b || arg1 == 21505 || arg1 == TIOCGPGRP
25 | rt_sigprocmask: 1
26 | pread64: 1
# NOTE(review): seccomp and unshare here, and clone, execve, capset, personality,
# setresuid and setresgid further down, are allowed with no argument filter
# (presumably for the browser's own sandbox setup); confirm each is still needed.
27 | seccomp:1
28 | unshare:1
29 | gettimeofday:1
30 | creat:1
31 | fchdir:1
32 | utimes:1
33 | sigaltstack:1
34 | sched_yield:1
35 | mincore: 1
36 | alarm: 1
37 | nanosleep: 1
38 | vfork: 1
39 | mlock: 1
40 | clock_gettime: 1
41 | getpgrp: 1
42 | getppid: 1
43 | getpid: 1
44 | fchown: 1
# prctl: the bare 38 is PR_SET_NO_NEW_PRIVS; every other option is rejected by this rule.
45 | prctl: arg0 == PR_SET_NAME || arg0 == PR_GET_NAME || arg0 == PR_GET_TIMERSLACK || arg0 == PR_SET_SECCOMP || arg0 == 38
46 | epoll_create1: 1
47 | readlinkat: 1
48 | getrandom: 1
49 | accept4: 1
50 | newfstatat: 1
51 | select: 1
52 | memfd_create:1
53 | execve: 1
54 | fstat: 1
55 | set_tid_address: 1
56 | set_robust_list: 1
57 | getrusage: 1
58 | readlink: 1
59 | readahead: 1
60 | arch_prctl: 1
61 | pwrite64: 1
62 | fdatasync: 1
63 | getpriority: 1
64 | gettid: 1
65 | exit_group: 1
66 | fstatfs: 1
67 | unlink: 1
68 | exit: 1
69 | dup2: 1
70 | dup: 1
71 | uname: 1
72 | getuid: 1
73 | geteuid: 1
74 | getgid: 1
75 | getegid: 1
76 | fsync: 1
77 | getrlimit: 1
78 | mkdir: 1
79 | connect: 1
80 | statfs: 1
81 | getsockname: 1
82 | getpeername: 1
83 | pipe: 1
84 | chmod: 1
85 | chdir: 1
86 | setsid: 1
87 | rmdir: 1
88 | splice: 1
89 | restart_syscall: 1
90 | recvfrom: 1
91 | sendto: 1
# setsockopt: only the listed SOL_SOCKET and SOL_TCP options pass; any other level or option is rejected.
92 | setsockopt: (arg1 == SOL_SOCKET && (arg2 == SO_KEEPALIVE || arg2 == SO_PASSCRED || arg2 == SO_SNDBUF || arg2 == SO_PRIORITY || arg2 == SO_RCVBUF)) || (arg1 == SOL_TCP && (arg2 == TCP_KEEPCNT || arg2 == TCP_KEEPIDLE || arg2 == TCP_KEEPINTVL || arg2 == TCP_NODELAY))
93 | quotactl: 1
94 | ppoll: 1
95 | openat: 1
96 | epoll_wait: 1
97 | clone: 1
98 | wait4: 1
99 | link: 1
100 | rename: 1
101 | setpriority: 1
102 | tgkill: 1
103 | fadvise64: 1
104 | fallocate: 1
105 | getsockopt: 1
106 | sysinfo: 1
107 | sched_getaffinity: 1
108 | inotify_add_watch: 1
109 | eventfd2: 1
110 | inotify_init1: 1
111 | shmdt: 1
112 | shmat: 1
113 | shmctl: 1
114 | shmget: 1
115 | rt_sigreturn: 1
116 | getcwd: 1
117 | sendmsg: 1
118 | getresuid: 1
119 | ftruncate: 1
120 | umask: 1
121 | getresgid: 1
122 | epoll_ctl: 1
123 | epoll_create: 1
124 | socketpair: 1
125 | symlink: 1
126 | utime: 1
127 | shutdown: 1
128 | mremap: 1
129 | bind: 1
130 | name_to_handle_at: 1
131 | pipe2: 1
132 | fchmod: 1
133 | kill: 1
134 | listen: 1
135 | setrlimit: 1
136 | clock_getres: 1
137 | sched_setscheduler: 1
138 | capset: 1
139 | personality: 1
140 | setresuid: 1
141 | setresgid: 1
142 | capget: 1
143 | getdents64: 1
144 | inotify_rm_watch: 1
# socket: AF_UNIX, AF_INET and AF_INET6 pass with any type and protocol; AF_NETLINK passes only with protocol 0 (NETLINK_ROUTE).
145 | socket: arg0 == AF_UNIX || arg0 == AF_INET || arg0 == AF_INET6 || (arg0 == AF_NETLINK && arg2 == 0)
146 |
-------------------------------------------------------------------------------- /torbrowser-launcher.json: --------------------------------------------------------------------------------
1 | { 2 | "path": "/usr/bin/torbrowser-launcher" 3 | , "watchdog": ["start-tor-browser", "firefox"] 4 | , "auto_shutdown":"no" 5 | , "allowed_groups": ["debian-tor"] 6 | , "xserver": { 7 | "enabled": true 8 | , "enable_tray": false 9 | , "tray_icon":"/usr/share/pixmaps/torbrowser.png" 10 | , "audio_mode": "pulseaudio" 11 | } 12 | , "networking":{ 13 | "type":"empty" 14 | , "sockets": [ 15 | {"type":"client", "proto":"tcp", "port":9050} 16 | , {"type": "client", "proto": "tcp2unix", "port": 9051, "destination": "/var/run/roflcoptor/tbb.socket"} 17 | ] 18 | } 19 | , "whitelist": [ 20 | {"path":"${HOME}/.local/share/torbrowser", "can_create":true} 21 | , {"path":"${HOME}/.config/torbrowser", "can_create":true} 22 | , {"path":"/var/lib/oz/cells.d/torbrowser-launcher-whitelist.seccomp", "read_only": true} 23 | ] 24 | , "shared_folders": [ 25 | "${XDG_DOWNLOAD_DIR}" 26 | ] 27 | , "environment": [ 28 | {"name":"TOR_SKIP_LAUNCH"} 29 | , {"name":"TOR_SOCKS_HOST"} 30 | , {"name":"TOR_SOCKS_PORT"} 31 | , {"name":"TOR_CONTROL_HOST"} 32 | , {"name":"TOR_CONTROL_PORT"} 33 | , 
{"name":"TOR_CONTROL_PASSWD"} 34 | , {"name":"TOR_CONTROL_AUTHENTICATE"} 35 | , {"name":"TOR_CONTROL_COOKIE_AUTH_FILE"} 36 | ] 37 | , "seccomp": { 38 | "mode":"whitelist" 39 | , "whitelist":"/var/lib/oz/cells.d/torbrowser-launcher-whitelist.seccomp" 40 | , "enforce": true 41 | } 42 | } 43 |
-------------------------------------------------------------------------------- /vlc-whitelist.seccomp: --------------------------------------------------------------------------------
# Syscall whitelist that vlc.json loads ("seccomp" mode "whitelist", "enforce": true).
# Most rules are `name:1` (allowed with any arguments); a few carry a condition on argN.
# futex: FUTEX_WAKE_PRIVATE (129) || FUTEX_LOCK_PI_PRIVATE (134) || FUTEX_UNLOCK_PI_PRIVATE (135) || FUTEX_WAIT_REQUEUE_PI_PRIVATE (139) || FUTEX_CMP_REQUEUE_PI_PRIVATE (140) || FUTEX_WAIT_PRIVATE (128) || FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME (393) || FUTEX_WAKE_OP_PRIVATE (133) || FUTEX_CMP_REQUEUE_PRIVATE (132) || FUTEX_WAIT_BITSET_PRIVATE (137) || FUTEX_WAIT (0) || FUTEX_UNLOCK_PI (7)
1 | futex: arg1 == 129 || arg1 == 134 || arg1 == 135 || arg1 == 139 || arg1 == 140 || arg1 == 128 || arg1 == 393 || arg1 == 133 || arg1 == 132 || arg1 == 137 || arg1 == 0 || arg1 == 7
2 | read:1
3 | poll:1
4 | write:1
5 | recvmsg:1
6 | writev:1
7 | mprotect:1
8 | epoll_wait:1
9 | epoll_ctl:1
10 | clock_nanosleep:1
11 | stat:1
12 | sendmsg:1
13 | mmap:1
14 | fstat:1
15 | fcntl: arg1 == F_SETFD || arg1 == F_GETFL || arg1 == F_GETFD || arg1 == F_SETFL || arg1 == F_SETLK || arg1 == F_SETLKW || arg1 == F_DUPFD
16 | getdents:1
17 | fstatfs:1
18 | rt_sigprocmask:1
# ioctl: 21505 is TCGETS and 21531 is FIONREAD.
# NOTE(review): the other request numbers have no symbolic names in this file;
# annotate each one so the device interfaces this rule opens can be audited.
19 | ioctl: arg1 == 21505 || arg1 == 2147771394 || arg1 == 2148557923 || arg1 == 3222299718 || arg1 == 3222299739 || arg1 == 3222299745 || arg1 == 1074291721 || arg1 == 3222299761 || arg1 == 3222824050 || arg1 == 21531 || arg1 == 3223872606 || arg1 == 1074553951 || arg1 == 3221775469 || arg1 == 3222299748 || arg1 == 1074029664 || arg1 == 1077961833 || arg1 == 3222299659 || arg1 == 3222299746 || arg1 == 1075864669 || arg1 == 25688 || arg1 == 3222037606 || arg1 == 3221775447 || arg1 == 1074291822
20 | sendto:1
21 | recvfrom:1
22 | set_robust_list:1
23 | fadvise64:1
24 | clone:1
25 | connect:1
# NOTE(review): socket is allowed for every address family, while vlc.json sets
# networking type "empty" and an AF_UNIX-only variant of this rule sits commented
# out near the end of the file; check whether the narrower rule can be enabled.
26 | socket:1
27 | shmctl:1
28 | brk:1
29 | uname:1
30 | accept4:1
31 | getsockname:1
32 | dup3:1
33 | shmat:1
34 | getrusage:1
35 | name_to_handle_at:1
36 | openat:1
37 | rt_sigreturn:1
38 | select:1
39 | mremap:1
40 | faccessat:1
41 | dup2:1
42 | getpid:1
43 | getppid:1
44 | bind:1
45 | wait4:1
46 | exit_group:1
47 | memfd_create:1
48 | pipe:1
49 | link:1
50 | sysinfo:1
51 | chdir:1
52 | mkdir:1
53 | umask:1
54 | execve:1
55 | getrlimit:1
56 | unlink:1
57 | getgid:1
58 | fdatasync:1
59 | access:1
60 | arch_prctl:1
61 | rt_sigaction:1
62 | epoll_create1:1
# prctl: only PR_SET_NAME passes; every other prctl option is rejected by this rule.
63 | prctl: arg0 == PR_SET_NAME
64 | sched_getaffinity:1
65 | lseek:1
66 | gettid:1
67 | listen:1
68 | newfstatat:1
69 | chmod:1
70 | nanosleep:1
71 | shmget:1
72 | sched_get_priority_max:1
73 | inotify_rm_watch:1
74 | getresuid:1
75 | rename:1
76 | open:1
77 | close:1
78 | munmap:1
79 | getresgid:1
80 | eventfd2:1
81 | alarm:1
# setsockopt: only these four SOL_SOCKET options pass; no other level is allowed.
82 | setsockopt: arg1 == SOL_SOCKET && (arg2 == SO_PRIORITY || arg2 == SO_RCVBUF || arg2 == SO_SNDBUF || arg2 == SO_PASSCRED)
83 | readlinkat:1
84 | flock:1
85 | tgkill:1
86 | pipe2:1
87 | getrandom:1
88 | exit:1
89 | clock_getres:1
90 | kill:1
91 | capget:1
92 | socketpair:1
93 | shmdt:1
94 | sched_setscheduler:1
95 | setsid:1
96 | inotify_add_watch:1
97 | madvise:1
98 | geteuid:1
99 | shutdown:1
100 | getuid:1
101 | getpeername:1
102 | ftruncate:1
103 | set_tid_address:1
104 | statfs:1
105 | getsockopt:1
106 | lstat:1
107 | rt_sigtimedwait:1
108 | readlink:1
109 | getegid:1
110 | getcwd:1
111 | inotify_init1:1
112 | sched_get_priority_min:1
# The next three lines are disabled rules. chdir and epoll_create1 are already
# allowed above (lines 51 and 62); the AF_UNIX-only socket filter is not in
# effect because line 26 allows socket unconditionally.
113 | #chdir:1
114 | #epoll_create1:1
115 | #socket: arg0 == AF_UNIX
116 | restart_syscall:1
117 | symlink:1
118 | rt_sigsuspend:1
119 | personality:1
120 | clock_gettime: 1
121 | gettimeofday: 1
122 |
-------------------------------------------------------------------------------- /vlc.json: --------------------------------------------------------------------------------
1 | { 2 | "path": "/usr/bin/vlc" 3 | , "allow_files": true 4 | , "xserver": { 5 | "enabled": true 6 | , "enable_tray": false 7 | , "tray_icon":"/usr/share/icons/hicolor/128x128/apps/vlc.png" 8 | , "audio_mode": "pulseaudio" 9 | } 10 | , "networking":{ 11 | "type":"empty" 12 | } 13 | , "whitelist": [ 14 | {"path":"${HOME}/.config/vlc", "can_create":true} 15 | , {"path":"/var/lib/oz/cells.d/vlc-whitelist.seccomp", "read_only":true} 16 | ] 
17 | , "blacklist": [ 18 | ] 19 | , "seccomp": { 20 | "mode":"whitelist" 21 | , "whitelist": "/var/lib/oz/cells.d/vlc-whitelist.seccomp" 22 | , "enforce": true 23 | } 24 | } 25 | --------------------------------------------------------------------------------