makepkg profile for Arch platform, #1642

author: netblue30 <netblue30@yahoo.com> 2017-11-15 08:14:46 -0500
committer: netblue30 <netblue30@yahoo.com> 2017-11-15 08:14:46 -0500
commit: d0ae074854181d2900b2e8fc6fe5e963c0763a38 (patch)
tree: e6e2a04502284942e425acf1e99d3d7e370928da
parent: testing (diff)
download: firejail-d0ae074854181d2900b2e8fc6fe5e963c0763a38.tar.gz
firejail-d0ae074854181d2900b2e8fc6fe5e963c0763a38.tar.zst
firejail-d0ae074854181d2900b2e8fc6fe5e963c0763a38.zip
3 files changed, 60 insertions, 2 deletions
diff --git a/README.md b/README.md
index a6140fbbd..fc809a7c2 100644
--- a/README.md
+++ b/README.md
@@ -236,7 +236,7 @@ imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natro
 ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
 conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
 aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass,
-kwin_x11, krunner, ping, bsdtar
+kwin_x11, krunner, ping, bsdtar, makepkg (Arch), 
 Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,
 https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.
diff --git a/RELNOTES b/RELNOTES
index ab6b5733e..8010c0bfc 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -41,7 +41,7 @@ firejail (0.9.51) baseline; urgency=low
      Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
      cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
      xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
-      kwin_x11, krunner, ping, bsdtar
+      kwin_x11, krunner, ping, bsdtar, makepkg (Arch)
 -- netblue30 <netblue30@yahoo.com>  Thu, 9 Nov 2017 08:00:00 -0500
diff --git a/etc/makepkg.profile b/etc/makepkg.profile
new file mode 100644
index 000000000..96846592d
--- /dev/null
+++ b/etc/makepkg.profile
@@ -0,0 +1,58 @@
+# Firejail profile for makepkg
+# This file is overwritten after every install/update
+# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
+# for potential issues and their solutions when Firejailing makepkg
+# This profile could be significantly strengthened by adding the following to makepkg.local
+# whitelist ~/<Your Build Folder>
+# whitelist ~/.gnupg
+quiet
+# Persistent local customizations
+include /etc/firejail/makepkg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+# Enable severely restricted access to ${HOME}/.gnupg
+noblacklist ~/.gnupg
+read-only ~/.gnupg/gpg.conf
+read-only ~/.gnupg/trustdb.gpg
+read-only ~/.gnupg/pubring.kbx
+blacklist ~/.gnupg/random_seed
+blacklist ~/.gnupg/pubring.kbx~
+blacklist ~/.gnupg/private-keys-v1.d
+blacklist ~/.gnupg/crls.d
+blacklist ~/.gnupg/openpgp-revocs.d
+# Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only}
+noblacklist /var/lib/pacman
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot is only disabled to allow the creation of kernel headers from an official pckgbuild.
+#noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
author	netblue30 <netblue30@yahoo.com>	2017-11-15 08:14:46 -0500
committer	netblue30 <netblue30@yahoo.com>	2017-11-15 08:14:46 -0500
commit	d0ae074854181d2900b2e8fc6fe5e963c0763a38 (patch)
tree	e6e2a04502284942e425acf1e99d3d7e370928da
parent	testing (diff)
download	firejail-d0ae074854181d2900b2e8fc6fe5e963c0763a38.tar.gz firejail-d0ae074854181d2900b2e8fc6fe5e963c0763a38.tar.zst firejail-d0ae074854181d2900b2e8fc6fe5e963c0763a38.zip

diff --git a/README.md b/README.md index a6140fbbd..fc809a7c2 100644 --- a/README.md +++ b/README.md
@@ -236,7 +236,7 @@ imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natro
236	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,	236	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
237	conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,	237	conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
238	aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass,	238	aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass,
239	kwin_x11, krunner, ping, bsdtar	239	kwin_x11, krunner, ping, bsdtar, makepkg (Arch),
240		240
241	Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,	241	Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles,
242	https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.	242	https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles.


diff --git a/RELNOTES b/RELNOTES index ab6b5733e..8010c0bfc 100644 --- a/RELNOTES +++ b/RELNOTES
@@ -41,7 +41,7 @@ firejail (0.9.51) baseline; urgency=low
41	Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,	41	Viber, x-terminal-emulator, zart, conky, arch-audit, ffmpeg, bluefish,
42	cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,	42	cinelerra, openshot-qt, pinta, uefitool, aosp, pdfmod, gnome-ring,
43	xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,	43	xcalc, zaproxy, kopete, cliqz, signal-desktop, kget, nheko, Enpass,
44	kwin_x11, krunner, ping, bsdtar	44	kwin_x11, krunner, ping, bsdtar, makepkg (Arch)
45		45
46	-- netblue30 <netblue30@yahoo.com> Thu, 9 Nov 2017 08:00:00 -0500	46	-- netblue30 <netblue30@yahoo.com> Thu, 9 Nov 2017 08:00:00 -0500
47		47


diff --git a/etc/makepkg.profile b/etc/makepkg.profile new file mode 100644 index 000000000..96846592d --- /dev/null +++ b/etc/makepkg.profile
@@ -0,0 +1,58 @@
		1	# Firejail profile for makepkg
		2	# This file is overwritten after every install/update
		3
		4	# Note: see this Arch forum discussion https://bbs.archlinux.org/viewtopic.php?pid=1743138
		5	# for potential issues and their solutions when Firejailing makepkg
		6
		7	# This profile could be significantly strengthened by adding the following to makepkg.local
		8	# whitelist ~/<Your Build Folder>
		9	# whitelist ~/.gnupg
		10
		11	quiet
		12	# Persistent local customizations
		13	include /etc/firejail/makepkg.local
		14	# Persistent global definitions
		15	include /etc/firejail/globals.local
		16
		17
		18	# Enable severely restricted access to ${HOME}/.gnupg
		19	noblacklist ~/.gnupg
		20	read-only ~/.gnupg/gpg.conf
		21	read-only ~/.gnupg/trustdb.gpg
		22	read-only ~/.gnupg/pubring.kbx
		23	blacklist ~/.gnupg/random_seed
		24	blacklist ~/.gnupg/pubring.kbx~
		25	blacklist ~/.gnupg/private-keys-v1.d
		26	blacklist ~/.gnupg/crls.d
		27	blacklist ~/.gnupg/openpgp-revocs.d
		28
		29
		30	# Need to be able to read /var/lib/pacman, {Note no capabilities so automatically read-only}
		31	noblacklist /var/lib/pacman
		32
		33	include /etc/firejail/disable-common.inc
		34	include /etc/firejail/disable-passwdmgr.inc
		35	include /etc/firejail/disable-programs.inc
		36
		37	caps.drop all
		38	ipc-namespace
		39	netfilter
		40	no3d
		41	nodvd
		42	nogroups
		43	nonewprivs
		44	# noroot is only disabled to allow the creation of kernel headers from an official pckgbuild.
		45	#noroot
		46	nosound
		47	notv
		48	novideo
		49	protocol unix,inet,inet6
		50	seccomp
		51	shell none
		52
		53	disable-mnt
		54	private-tmp
		55
		56	memory-deny-write-execute
		57	noexec ${HOME}
		58	noexec /tmp