Various profiles (#3561)

* Various profiles Initial * Various fixes # 1 Removed blacklist,no3d; added icon flatpak paths;sorting;added space
author: kortewegdevries <kortewegdevries@protonmail.ch> 2020-09-02 10:34:14 +0000
committer: GitHub <noreply@github.com> 2020-09-02 10:34:14 +0000
commit: a5e2b31c6263665854a449552649f6538f35a9fc (patch)
tree: f3e678f5137906f226a7f1b0d5002fa80e8d93b2
parent: Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download: firejail-a5e2b31c6263665854a449552649f6538f35a9fc.tar.gz
firejail-a5e2b31c6263665854a449552649f6538f35a9fc.tar.zst
firejail-a5e2b31c6263665854a449552649f6538f35a9fc.zip
6 files changed, 237 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e5dd9cb59..92cde6d56 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -258,6 +258,7 @@ blacklist ${HOME}/.config/katerc
 blacklist ${HOME}/.config/kateschemarc
 blacklist ${HOME}/.config/katesyntaxhighlightingrc
 blacklist ${HOME}/.config/katevirc
+blacklist ${HOME}/.config/kazam
 blacklist ${HOME}/.config/kdeconnect
 blacklist ${HOME}/.config/kdenliverc
 blacklist ${HOME}/.config/kfindrc
@@ -312,6 +313,7 @@ blacklist ${HOME}/.config/nuclear
 blacklist ${HOME}/.config/obs-studio
 blacklist ${HOME}/.config/okularpartrc
 blacklist ${HOME}/.config/okularrc
+blacklist ${HOME}/.config/onboard
 blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/onlyoffice
 blacklist ${HOME}/.config/opera
diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile
new file mode 100644
index 000000000..9899ff195
--- /dev/null
+++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
+# Firejail profile for kazam
+# Description: Screen capture tool
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kazam.local
+# Persistent global definitions
+include globals.local
+ignore noexec ${HOME}
+noblacklist ${PICTURES}
+noblacklist ${VIDEOS}
+noblacklist ${HOME}/.config/kazam
+include allow-python2.inc 
+include allow-python3.inc 
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/kazam
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+# private-bin kazam,python*
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
+private-tmp
+dbus-system none
diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile
new file mode 100644
index 000000000..f029e4696
--- /dev/null
+++ b/etc/profile-m-z/menulibre.profile
@@ -0,0 +1,65 @@
+# Firejail profile for menulibre
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include menulibre.local
+# Persistent global definitions
+include globals.local
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /usr/share/menulibre
+whitelist /var/lib/app-info/icons
+# Flatpak desktop directory
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+# Snap desktop directory
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile
new file mode 100644
index 000000000..955df698d
--- /dev/null
+++ b/etc/profile-m-z/musictube.profile
@@ -0,0 +1,57 @@
+# Firejail profile for musictube
+# Description: Stream music 
+# This file is overwritten after every install/update
+# Persistent local customizations
+include musictube.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/Flavio Tordini
+noblacklist ${HOME}/.config/Flavio Tordini
+noblacklist ${HOME}/.local/share/Flavio Tordini
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc 
+include disable-xdg.inc
+mkdir ${HOME}/.cache/Flavio Tordini
+mkdir ${HOME}/.config/Flavio Tordini
+mkdir ${HOME}/.local/share/Flavio Tordini
+whitelist ${HOME}/.cache/Flavio Tordini
+whitelist ${HOME}/.config/Flavio Tordini
+whitelist ${HOME}/.local/share/Flavio Tordini
+whitelist /usr/share/musictube
+include whitelist-common.inc 
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin musictube
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile
new file mode 100644
index 000000000..3a235a677
--- /dev/null
+++ b/etc/profile-m-z/onboard.profile
@@ -0,0 +1,55 @@
+# Firejail profile for onboard
+# Description: On-screen keyboard
+# This file is overwritten after every install/update
+# Persistent local customizations
+include onboard.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/onboard
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/onboard
+whitelist ${HOME}/.config/onboard
+whitelist /usr/share/onboard
+include whitelist-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc 
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-cache
+private-bin onboard,python*,tput
+private-dev
+private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
+private-tmp
+dbus-system none
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 0574daae6..ce2c6995e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -373,6 +373,7 @@ kalgebra
 kalgebramobile
 karbon
 kate
+kazam
 kcalc
 # kdeinit4
 kdenlive
@@ -455,6 +456,7 @@ megaglest_editor
 meld
 mencoder
 mendeleydesktop
+menulibre
 meteo-qt
 midori
 min
@@ -502,6 +504,7 @@ mupdf-x11-curl
 mupen64plus
 muraster
 musescore
+musictube
 musixmatch
 mutool
 mutt
@@ -534,6 +537,7 @@ ocenaudio
 odt2txt
 oggsplt
 okular
+onboard
 onionshare-gui
 ooffice
 ooviewdoc
author	kortewegdevries <kortewegdevries@protonmail.ch>	2020-09-02 10:34:14 +0000
committer	GitHub <noreply@github.com>	2020-09-02 10:34:14 +0000
commit	a5e2b31c6263665854a449552649f6538f35a9fc (patch)
tree	f3e678f5137906f226a7f1b0d5002fa80e8d93b2
parent	Merge branch 'master' of https://github.com/netblue30/firejail (diff)
download	firejail-a5e2b31c6263665854a449552649f6538f35a9fc.tar.gz firejail-a5e2b31c6263665854a449552649f6538f35a9fc.tar.zst firejail-a5e2b31c6263665854a449552649f6538f35a9fc.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index e5dd9cb59..92cde6d56 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -258,6 +258,7 @@ blacklist ${HOME}/.config/katerc
258	blacklist ${HOME}/.config/kateschemarc	258	blacklist ${HOME}/.config/kateschemarc
259	blacklist ${HOME}/.config/katesyntaxhighlightingrc	259	blacklist ${HOME}/.config/katesyntaxhighlightingrc
260	blacklist ${HOME}/.config/katevirc	260	blacklist ${HOME}/.config/katevirc
		261	blacklist ${HOME}/.config/kazam
261	blacklist ${HOME}/.config/kdeconnect	262	blacklist ${HOME}/.config/kdeconnect
262	blacklist ${HOME}/.config/kdenliverc	263	blacklist ${HOME}/.config/kdenliverc
263	blacklist ${HOME}/.config/kfindrc	264	blacklist ${HOME}/.config/kfindrc
@@ -312,6 +313,7 @@ blacklist ${HOME}/.config/nuclear
312	blacklist ${HOME}/.config/obs-studio	313	blacklist ${HOME}/.config/obs-studio
313	blacklist ${HOME}/.config/okularpartrc	314	blacklist ${HOME}/.config/okularpartrc
314	blacklist ${HOME}/.config/okularrc	315	blacklist ${HOME}/.config/okularrc
		316	blacklist ${HOME}/.config/onboard
315	blacklist ${HOME}/.config/onionshare	317	blacklist ${HOME}/.config/onionshare
316	blacklist ${HOME}/.config/onlyoffice	318	blacklist ${HOME}/.config/onlyoffice
317	blacklist ${HOME}/.config/opera	319	blacklist ${HOME}/.config/opera


diff --git a/etc/profile-a-l/kazam.profile b/etc/profile-a-l/kazam.profile new file mode 100644 index 000000000..9899ff195 --- /dev/null +++ b/etc/profile-a-l/kazam.profile
@@ -0,0 +1,54 @@
		1	# Firejail profile for kazam
		2	# Description: Screen capture tool
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include kazam.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	ignore noexec ${HOME}
		10
		11	noblacklist ${PICTURES}
		12	noblacklist ${VIDEOS}
		13	noblacklist ${HOME}/.config/kazam
		14
		15	include allow-python2.inc
		16	include allow-python3.inc
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-exec.inc
		21	include disable-interpreters.inc
		22	include disable-programs.inc
		23	include disable-passwdmgr.inc
		24	include disable-shell.inc
		25	include disable-xdg.inc
		26
		27	whitelist /usr/share/kazam
		28	include whitelist-runuser-common.inc
		29	include whitelist-usr-share-common.inc
		30	include whitelist-var-common.inc
		31
		32	apparmor
		33	caps.drop all
		34	net none
		35	nodvd
		36	nogroups
		37	nonewprivs
		38	noroot
		39	notv
		40	nou2f
		41	novideo
		42	protocol unix
		43	seccomp
		44	shell none
		45	tracelog
		46
		47	disable-mnt
		48	# private-bin kazam,python*
		49	private-cache
		50	private-dev
		51	private-etc alsa,alternatives,asound.conf,dconf,fonts,gtk-2.0,gtk-3.0,machine-id,pulse,selinux,X11,xdg
		52	private-tmp
		53
		54	dbus-system none


diff --git a/etc/profile-m-z/menulibre.profile b/etc/profile-m-z/menulibre.profile new file mode 100644 index 000000000..f029e4696 --- /dev/null +++ b/etc/profile-m-z/menulibre.profile
@@ -0,0 +1,65 @@
		1	# Firejail profile for menulibre
		2	# Description: Create desktop and menu launchers easily
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include menulibre.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	include allow-python2.inc
		10	include allow-python3.inc
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-exec.inc
		15	include disable-interpreters.inc
		16	include disable-programs.inc
		17	include disable-passwdmgr.inc
		18	include disable-xdg.inc
		19
		20	# Whitelist your system icon directory,varies by distro
		21	whitelist /usr/share/app-info
		22	whitelist /usr/share/desktop-directories
		23	whitelist /usr/share/icons
		24	whitelist /usr/share/menulibre
		25	whitelist /var/lib/app-info/icons
		26	# Flatpak desktop directory
		27	whitelist /var/lib/flatpak/exports/share/applications
		28	whitelist /var/lib/flatpak/exports/share/icons
		29	# Snap desktop directory
		30
		31	include whitelist-runuser-common.inc
		32	include whitelist-usr-share-common.inc
		33	include whitelist-var-common.inc
		34
		35	apparmor
		36	caps.drop all
		37	machine-id
		38	net none
		39	nodvd
		40	no3d
		41	nogroups
		42	nonewprivs
		43	noroot
		44	nosound
		45	notv
		46	nou2f
		47	novideo
		48	protocol unix
		49	seccomp
		50	shell none
		51	tracelog
		52
		53	disable-mnt
		54	private-cache
		55	private-dev
		56	private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,mime.types,nsswitch.conf,passwd,pki,selinux,X11,xdg
		57	private-tmp
		58
		59	dbus-user none
		60	dbus-system none
		61
		62	read-write ${HOME}/.config/menus
		63	read-write ${HOME}/.gnome/apps
		64	read-write ${HOME}/.local/share/applications
		65	read-write ${HOME}/.local/share/flatpak/exports


diff --git a/etc/profile-m-z/musictube.profile b/etc/profile-m-z/musictube.profile new file mode 100644 index 000000000..955df698d --- /dev/null +++ b/etc/profile-m-z/musictube.profile
@@ -0,0 +1,57 @@
		1	# Firejail profile for musictube
		2	# Description: Stream music
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include musictube.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.cache/Flavio Tordini
		10	noblacklist ${HOME}/.config/Flavio Tordini
		11	noblacklist ${HOME}/.local/share/Flavio Tordini
		12
		13	include disable-common.inc
		14	include disable-devel.inc
		15	include disable-exec.inc
		16	include disable-interpreters.inc
		17	include disable-passwdmgr.inc
		18	include disable-programs.inc
		19	include disable-shell.inc
		20	include disable-xdg.inc
		21
		22	mkdir ${HOME}/.cache/Flavio Tordini
		23	mkdir ${HOME}/.config/Flavio Tordini
		24	mkdir ${HOME}/.local/share/Flavio Tordini
		25	whitelist ${HOME}/.cache/Flavio Tordini
		26	whitelist ${HOME}/.config/Flavio Tordini
		27	whitelist ${HOME}/.local/share/Flavio Tordini
		28	whitelist /usr/share/musictube
		29	include whitelist-common.inc
		30	include whitelist-runuser-common.inc
		31	include whitelist-usr-share-common.inc
		32	include whitelist-var-common.inc
		33
		34	apparmor
		35	caps.drop all
		36	netfilter
		37	nodvd
		38	nogroups
		39	nonewprivs
		40	noroot
		41	notv
		42	nou2f
		43	novideo
		44	protocol unix,inet,inet6,netlink
		45	seccomp
		46	shell none
		47	tracelog
		48
		49	disable-mnt
		50	private-bin musictube
		51	private-cache
		52	private-dev
		53	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,machine-id,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
		54	private-tmp
		55
		56	dbus-user none
		57	dbus-system none


diff --git a/etc/profile-m-z/onboard.profile b/etc/profile-m-z/onboard.profile new file mode 100644 index 000000000..3a235a677 --- /dev/null +++ b/etc/profile-m-z/onboard.profile
@@ -0,0 +1,55 @@
		1	# Firejail profile for onboard
		2	# Description: On-screen keyboard
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include onboard.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/onboard
		10
		11	include allow-python2.inc
		12	include allow-python3.inc
		13
		14	include disable-common.inc
		15	include disable-devel.inc
		16	include disable-exec.inc
		17	include disable-interpreters.inc
		18	include disable-programs.inc
		19	include disable-passwdmgr.inc
		20	include disable-shell.inc
		21	include disable-xdg.inc
		22
		23	mkdir ${HOME}/.config/onboard
		24	whitelist ${HOME}/.config/onboard
		25	whitelist /usr/share/onboard
		26	include whitelist-common.inc
		27	include whitelist-usr-share-common.inc
		28	include whitelist-runuser-common.inc
		29	include whitelist-var-common.inc
		30
		31	apparmor
		32	caps.drop all
		33	machine-id
		34	net none
		35	nodvd
		36	no3d
		37	nogroups
		38	nonewprivs
		39	noroot
		40	notv
		41	nou2f
		42	novideo
		43	protocol unix
		44	seccomp
		45	shell none
		46	tracelog
		47
		48	disable-mnt
		49	private-cache
		50	private-bin onboard,python*,tput
		51	private-dev
		52	private-etc alternatives,dbus-1,dconf,fonts,gtk-2.0,gtk-3.0,locale,locale.alias,locale.conf,mime.types,selinux,X11,xdg
		53	private-tmp
		54
		55	dbus-system none


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 0574daae6..ce2c6995e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -373,6 +373,7 @@ kalgebra
373	kalgebramobile	373	kalgebramobile
374	karbon	374	karbon
375	kate	375	kate
		376	kazam
376	kcalc	377	kcalc
377	# kdeinit4	378	# kdeinit4
378	kdenlive	379	kdenlive
@@ -455,6 +456,7 @@ megaglest_editor
455	meld	456	meld
456	mencoder	457	mencoder
457	mendeleydesktop	458	mendeleydesktop
		459	menulibre
458	meteo-qt	460	meteo-qt
459	midori	461	midori
460	min	462	min
@@ -502,6 +504,7 @@ mupdf-x11-curl
502	mupen64plus	504	mupen64plus
503	muraster	505	muraster
504	musescore	506	musescore
		507	musictube
505	musixmatch	508	musixmatch
506	mutool	509	mutool
507	mutt	510	mutt
@@ -534,6 +537,7 @@ ocenaudio
534	odt2txt	537	odt2txt
535	oggsplt	538	oggsplt
536	okular	539	okular
		540	onboard
537	onionshare-gui	541	onionshare-gui
538	ooffice	542	ooffice
539	ooviewdoc	543	ooviewdoc