Profiles for gramps, newsboat and freeoffice (#2652)

* Update firecfg.config * Create gramps.profile * Update disable-programs.inc * Create newsboat.profile * Update disable-programs.inc * Update firecfg.config * Create freeoffice-planmaker * Create freeoffice-textmaker * Create freeoffice-presentations * Update disable-programs.inc * Update firecfg.config * Update newsboat.profile * Update newsboat.profile * Update gramps.profile * Update freeoffice-textmaker * Update freeoffice-planmaker * Update freeoffice-presentations * Update freeoffice-planmaker * Update freeoffice-presentations * Update freeoffice-textmaker * Rename freeoffice-planmaker to freeoffice-planmaker.profile * Rename freeoffice-presentations to freeoffice-presentations.profile * Rename freeoffice-textmaker to freeoffice-textmaker.profile * Update gramps.profile * Update freeoffice-planmaker.profile * Update freeoffice-presentations.profile * Update freeoffice-textmaker.profile * Update freeoffice-textmaker.profile * Update freeoffice-presentations.profile * Update newsboat.profile * Update gramps.profile * Update freeoffice-planmaker.profile * Update freeoffice-presentations.profile * Update freeoffice-textmaker.profile
author: curiosity-seeker <my-github@mailbox.org> 2019-04-17 07:00:13 +0000
committer: rusty-snake <print_hello_world+GitHub@protonmail.com> 2019-04-17 07:00:13 +0000
commit: 11edb11c0d1620f753d43b1676077793a169b2d1 (patch)
tree: 49a25d47d1600c188f175771f24b9ee18b385fa3
parent: Fix PostScript files opening in Evince (#2656) (diff)
download: firejail-11edb11c0d1620f753d43b1676077793a169b2d1.tar.gz
firejail-11edb11c0d1620f753d43b1676077793a169b2d1.tar.zst
firejail-11edb11c0d1620f753d43b1676077793a169b2d1.zip
7 files changed, 231 insertions, 0 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 41c6eb53e..7e12b97b2 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
 blacklist ${HOME}/Arduino
 blacklist ${HOME}/Monero/wallets
 blacklist ${HOME}/Nextcloud/Notes
+blacklist ${HOME}/SoftMaker
 blacklist ${HOME}/Standard Notes Backups
 blacklist ${HOME}/wallet.dat
 blacklist ${HOME}/.*coin
@@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/
 blacklist ${HOME}/.googleearth/myplaces.backup.kml
 blacklist ${HOME}/.googleearth/myplaces.kml
 blacklist ${HOME}/.gradle
+blacklist ${HOME}/.gramps
 blacklist ${HOME}/.guayadeque
 blacklist ${HOME}/.hashcat
 blacklist ${HOME}/.hedgewars
@@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5
 blacklist ${HOME}/.nanorc
 blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
+blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.opencity
diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile
new file mode 100644
index 000000000..e00acb278
--- /dev/null
+++ b/etc/freeoffice-planmaker.profile
@@ -0,0 +1,40 @@
+# Firejail profile for freeoffice-planmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-planmaker.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/SoftMaker
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile
new file mode 100644
index 000000000..c71418cce
--- /dev/null
+++ b/etc/freeoffice-presentations.profile
@@ -0,0 +1,40 @@
+# Firejail profile for freeoffice-presentations
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-presentations.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/SoftMaker
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile
new file mode 100644
index 000000000..0965cc70e
--- /dev/null
+++ b/etc/freeoffice-textmaker.profile
@@ -0,0 +1,40 @@
+# Firejail profile for freeoffice-textmaker
+# This file is overwritten after every install/update
+# Persistent local customizations
+include freeoffice-textmaker.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/SoftMaker
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# include disable-xdg.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+private-tmp
diff --git a/etc/gramps.profile b/etc/gramps.profile
new file mode 100644
index 000000000..46337d269
--- /dev/null
+++ b/etc/gramps.profile
@@ -0,0 +1,55 @@
+# Firejail profile for gramps
+# Description: genealogy program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gramps.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gramps
+# Allow python (blacklisted by disable-interpreters.inc)
+#noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+#noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+#noblacklist /usr/local/lib/python2*
+noblacklist /usr/local/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.gramps
+whitelist ${HOME}/.gramps
+include whitelist-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-cache
+private-dev
+private-tmp
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
new file mode 100644
index 000000000..0fed5bd06
--- /dev/null
+++ b/etc/newsboat.profile
@@ -0,0 +1,48 @@
+# Firejail profile for Newsboat
+# Description: RSS program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include newsboat.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.newsboat
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.newsboat
+whitelist ${HOME}/.newsboat
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin newsboat
+private-cache
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
+private-tmp
+memory-deny-write-execute
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 41b75ee81..44e8dc571 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -198,6 +198,9 @@ freeciv-gtk3
 freeciv-mp-gtk3
 freecol
 freemind
+freeoffice-planmaker
+freeoffice-presentations
+freeoffice-textmaker
 freshclam
 frozen-bubble
 gajim
@@ -254,6 +257,7 @@ gpa
 gpicview
 gpredict
 gradio
+gramps
 gthumb
 guayadeque
 gucharmap
@@ -385,6 +389,7 @@ netactview
 nethack
 netsurf
 neverball
+newsboat
 nheko
 nitroshare
 nitroshare-cli
author	curiosity-seeker <my-github@mailbox.org>	2019-04-17 07:00:13 +0000
committer	rusty-snake <print_hello_world+GitHub@protonmail.com>	2019-04-17 07:00:13 +0000
commit	11edb11c0d1620f753d43b1676077793a169b2d1 (patch)
tree	49a25d47d1600c188f175771f24b9ee18b385fa3
parent	Fix PostScript files opening in Evince (#2656) (diff)
download	firejail-11edb11c0d1620f753d43b1676077793a169b2d1.tar.gz firejail-11edb11c0d1620f753d43b1676077793a169b2d1.tar.zst firejail-11edb11c0d1620f753d43b1676077793a169b2d1.zip

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 41c6eb53e..7e12b97b2 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -5,6 +5,7 @@ include disable-programs.local
5	blacklist ${HOME}/Arduino	5	blacklist ${HOME}/Arduino
6	blacklist ${HOME}/Monero/wallets	6	blacklist ${HOME}/Monero/wallets
7	blacklist ${HOME}/Nextcloud/Notes	7	blacklist ${HOME}/Nextcloud/Notes
		8	blacklist ${HOME}/SoftMaker
8	blacklist ${HOME}/Standard Notes Backups	9	blacklist ${HOME}/Standard Notes Backups
9	blacklist ${HOME}/wallet.dat	10	blacklist ${HOME}/wallet.dat
10	blacklist ${HOME}/.*coin	11	blacklist ${HOME}/.*coin
@@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/
339	blacklist ${HOME}/.googleearth/myplaces.backup.kml	340	blacklist ${HOME}/.googleearth/myplaces.backup.kml
340	blacklist ${HOME}/.googleearth/myplaces.kml	341	blacklist ${HOME}/.googleearth/myplaces.kml
341	blacklist ${HOME}/.gradle	342	blacklist ${HOME}/.gradle
		343	blacklist ${HOME}/.gramps
342	blacklist ${HOME}/.guayadeque	344	blacklist ${HOME}/.guayadeque
343	blacklist ${HOME}/.hashcat	345	blacklist ${HOME}/.hashcat
344	blacklist ${HOME}/.hedgewars	346	blacklist ${HOME}/.hedgewars
@@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5
549	blacklist ${HOME}/.nanorc	551	blacklist ${HOME}/.nanorc
550	blacklist ${HOME}/.netactview	552	blacklist ${HOME}/.netactview
551	blacklist ${HOME}/.neverball	553	blacklist ${HOME}/.neverball
		554	blacklist ${HOME}/.newsboat
552	blacklist ${HOME}/.nv	555	blacklist ${HOME}/.nv
553	blacklist ${HOME}/.nylas-mail	556	blacklist ${HOME}/.nylas-mail
554	blacklist ${HOME}/.opencity	557	blacklist ${HOME}/.opencity


diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile new file mode 100644 index 000000000..e00acb278 --- /dev/null +++ b/etc/freeoffice-planmaker.profile
@@ -0,0 +1,40 @@
		1	# Firejail profile for freeoffice-planmaker
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include freeoffice-planmaker.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/SoftMaker
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	# include disable-xdg.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	net none
		22	no3d
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	private-cache
		37	private-dev
		38	private-tmp
		39
		40


diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile new file mode 100644 index 000000000..c71418cce --- /dev/null +++ b/etc/freeoffice-presentations.profile
@@ -0,0 +1,40 @@
		1	# Firejail profile for freeoffice-presentations
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include freeoffice-presentations.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/SoftMaker
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	# include disable-xdg.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	net none
		22	no3d
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	private-cache
		37	private-dev
		38	private-tmp
		39
		40


diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile new file mode 100644 index 000000000..0965cc70e --- /dev/null +++ b/etc/freeoffice-textmaker.profile
@@ -0,0 +1,40 @@
		1	# Firejail profile for freeoffice-textmaker
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include freeoffice-textmaker.local
		5	# Persistent global definitions
		6	include globals.local
		7
		8	noblacklist ${HOME}/SoftMaker
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	# include disable-xdg.inc
		17
		18	apparmor
		19	caps.drop all
		20	ipc-namespace
		21	net none
		22	no3d
		23	nodbus
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	notv
		29	nou2f
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34	tracelog
		35
		36	private-cache
		37	private-dev
		38	private-tmp
		39
		40


diff --git a/etc/gramps.profile b/etc/gramps.profile new file mode 100644 index 000000000..46337d269 --- /dev/null +++ b/etc/gramps.profile
@@ -0,0 +1,55 @@
		1	# Firejail profile for gramps
		2	# Description: genealogy program
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gramps.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.gramps
		10
		11	# Allow python (blacklisted by disable-interpreters.inc)
		12	#noblacklist ${PATH}/python2*
		13	noblacklist ${PATH}/python3*
		14	#noblacklist /usr/lib/python2*
		15	noblacklist /usr/lib/python3*
		16	#noblacklist /usr/local/lib/python2*
		17	noblacklist /usr/local/lib/python3*
		18
		19	include disable-common.inc
		20	include disable-devel.inc
		21	include disable-exec.inc
		22	include disable-interpreters.inc
		23	include disable-passwdmgr.inc
		24	include disable-programs.inc
		25	include disable-xdg.inc
		26
		27	mkdir ${HOME}/.gramps
		28	whitelist ${HOME}/.gramps
		29	include whitelist-common.inc
		30	include whitelist-var-common.inc
		31
		32	apparmor
		33	caps.drop all
		34	ipc-namespace
		35	netfilter
		36	no3d
		37	nodbus
		38	nodvd
		39	nogroups
		40	nonewprivs
		41	noroot
		42	nosound
		43	notv
		44	nou2f
		45	novideo
		46	protocol unix,inet,inet6
		47	seccomp
		48	shell none
		49
		50	disable-mnt
		51	private-cache
		52	private-dev
		53	private-tmp
		54
		55


diff --git a/etc/newsboat.profile b/etc/newsboat.profile new file mode 100644 index 000000000..0fed5bd06 --- /dev/null +++ b/etc/newsboat.profile
@@ -0,0 +1,48 @@
		1	# Firejail profile for Newsboat
		2	# Description: RSS program
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include newsboat.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.newsboat
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-xdg.inc
		18
		19	mkdir ${HOME}/.newsboat
		20	whitelist ${HOME}/.newsboat
		21	include whitelist-common.inc
		22	include whitelist-var-common.inc
		23
		24	caps.drop all
		25	ipc-namespace
		26	netfilter
		27	no3d
		28	nodbus
		29	nodvd
		30	nogroups
		31	nonewprivs
		32	noroot
		33	notv
		34	nou2f
		35	novideo
		36	protocol inet,inet6
		37	seccomp
		38	shell none
		39
		40	disable-mnt
		41	private-bin newsboat
		42	private-cache
		43	private-dev
		44	private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo
		45	private-tmp
		46
		47	memory-deny-write-execute
		48


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 41b75ee81..44e8dc571 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -198,6 +198,9 @@ freeciv-gtk3
198	freeciv-mp-gtk3	198	freeciv-mp-gtk3
199	freecol	199	freecol
200	freemind	200	freemind
		201	freeoffice-planmaker
		202	freeoffice-presentations
		203	freeoffice-textmaker
201	freshclam	204	freshclam
202	frozen-bubble	205	frozen-bubble
203	gajim	206	gajim
@@ -254,6 +257,7 @@ gpa
254	gpicview	257	gpicview
255	gpredict	258	gpredict
256	gradio	259	gradio
		260	gramps
257	gthumb	261	gthumb
258	guayadeque	262	guayadeque
259	gucharmap	263	gucharmap
@@ -385,6 +389,7 @@ netactview
385	nethack	389	nethack
386	netsurf	390	netsurf
387	neverball	391	neverball
		392	newsboat
388	nheko	393	nheko
389	nitroshare	394	nitroshare
390	nitroshare-cli	395	nitroshare-cli