add new profile: shotwell (#3889)

* new profile: shotwell

* Create shotwell.profile

* new profile: shotwell

* add shotwell blacklists

4 files changed, 64 insertions, 1 deletions

diff --git a/README.md b/README.md
index 69c08ac02..14ba66e98 100644
--- a/README.md
+++ b/README.md
@@ -195,4 +195,4 @@ Stats:
 
 ### New profiles:
 
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn, lsar, unar, agetpkg, mdr
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn, lsar, unar, agetpkg, mdr, shotwell
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 74cbfbcbe..9c98ea79a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -710,6 +710,7 @@ blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/shotwell
 blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/sink
 blacklist ${HOME}/.local/share/smuxi
@@ -994,6 +995,7 @@ blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
+blacklist ${HOME}/.cache/shotwell
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
 blacklist ${HOME}/.cache/smuxi
diff --git a/etc/profile-m-z/shotwell.profile b/etc/profile-m-z/shotwell.profile
new file mode 100644
index 000000000..749029530
--- /dev/null
+++ b/etc/profile-m-z/shotwell.profile
@@ -0,0 +1,60 @@
+# Firejail profile for shotwell
+# Description: A digital photo organizer designed for the GNOME desktop environment
+# This file is overwritten after every install/update
+# Persistent local customizations
+include shotwell.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/shotwell
+noblacklist ${HOME}/.local/share/shotwell
+
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/shotwell
+mkdir ${HOME}/.local/share/shotwell
+whitelist ${HOME}/.cache/shotwell
+whitelist ${HOME}/.local/share/shotwell
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-bin shotwell
+private-cache
+private-dev
+private-etc alternatives,fonts,machine-id
+private-opt none
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.Shotwell
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.gtk.vfs.UDisks2VolumeMonitor
+dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3ebf6fca9..e705008a5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -663,6 +663,7 @@ secret-tool
 shellcheck
 shortwave
 shotcut
+shotwell
 signal-cli
 signal-desktop
 silentarmy