harden peek; update README.md; add gnome-sound-…

…recorder to firecfg.config
author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-10-23 14:06:37 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-10-23 14:06:37 +0200
commit: 582ae38e811a7a768d2cfbcf93e711ebbc984e07 (patch)
tree: f290de320d79ced20ee3e194e91e12cab0d0baea
parent: Merge pull request #3683 from jmetrius/vlc-aacs-fix (diff)
download: firejail-582ae38e811a7a768d2cfbcf93e711ebbc984e07.tar.gz
firejail-582ae38e811a7a768d2cfbcf93e711ebbc984e07.tar.zst
firejail-582ae38e811a7a768d2cfbcf93e711ebbc984e07.zip
4 files changed, 25 insertions, 15 deletions
diff --git a/README.md b/README.md
index 2bb05a872..6bc24cfbb 100644
--- a/README.md
+++ b/README.md
@@ -154,9 +154,9 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 `````
 `````
-## Latest released version: 0.9.62
+## Latest released version: 0.9.64
-## Current development version: 0.9.63
+## Current development version: 0.9.65
 ### Profile Statistics
@@ -191,12 +191,3 @@ Stats:
 ### New profiles:
-gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, gnome-passwordsafe, bibtex, gummi, latex, pdflatex, tex, wpp, wpspdf, wps, et,
-multimc, gnome-hexgl, com.github.johnfactotum.Foliate, desktopeditors, impressive, mupdf-gl, mupdf-x11, mupdf-x11-curl,
-muraster, mutool, planmaker18, planmaker18free, presentations18, presentations18free, textmaker18, textmaker18free, teams, xournal,
-gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnome-pomodoro, gnome-todo, kmplayer,
-penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword,
-four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars,
-hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im, strawberry, hitori, bijiben, gnote, gnubik, ZeGrapher, gapplication, xonotic-sdl-wrapper, openarena_ded, cawbird, freetube, homebank, mattermost-desktop, newsflash, com.gitlab.newsflash, element-desktop, sushi, xfce4-screenshooter, org.gnome.NautilusPreviewer, lyx, minitube, nuclear, mtpaint, minecraft-launcher, gnome-calendar, vmware, git-cola, otter-browser, kazam, menulibre, musictube, onboard, fractal, mirage, quaternion, spectral, man, psi, smuxi-frontend-gnome, balsa, kube, trojita, cola, twitch, youtube, youtubemusic-nativefier, ytmdesktop, dbus-send, notify-send, qrencode,
-xournalpp, chromium-freeworld, equalx
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a7ce7ed8a..42d690c94 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -68,7 +68,6 @@ blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clonk
 blacklist ${HOME}/.config/0ad
 blacklist ${HOME}/.config/2048-qt
-blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/Atom
 blacklist ${HOME}/.config/Audaciousrc
 blacklist ${HOME}/.config/Authenticator
@@ -143,6 +142,7 @@ blacklist ${HOME}/.config/Wire
 blacklist ${HOME}/.config/Youtube
 blacklist ${HOME}/.config/Zeal
 blacklist ${HOME}/.config/ZeGrapher Project
+blacklist ${HOME}/.config/aacs
 blacklist ${HOME}/.config/abiword
 blacklist ${HOME}/.config/agenda
 blacklist ${HOME}/.config/akonadi*
diff --git a/etc/profile-m-z/peek.profile b/etc/profile-m-z/peek.profile
index 66fdd6496..28a7da404 100644
--- a/etc/profile-m-z/peek.profile
+++ b/etc/profile-m-z/peek.profile
@@ -17,7 +17,18 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
+#mkdir ${HOME}/.cache/peek
+#whitelist ${HOME}/.cache/peek
+#whitelist ${PICTURES}
+#whitelist ${VIDEOS}
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
 caps.drop all
+machine-id
 net none
 no3d
 nodvd
@@ -31,13 +42,20 @@ novideo
 protocol unix
 seccomp
 shell none
+tracelog
-# private-bin breaks gif mode, mp4 and webm mode work fine however
+disable-mnt
-# private-bin convert,ffmpeg,peek
+private-bin bash,convert,ffmpeg,firejail,fish,peek,sh,which,zsh
 private-dev
+private-etc dconf,firejail,fonts,gtk-3.0,login.defs,pango,passwd,X11
 private-tmp
-dbus-user none
+dbus-user filter
+dbus-user.own com.uploadedlobster.peek
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.FileManager1
+dbus-user.talk org.freedesktop.Notifications
+dbus-user.talk org.gnome.Shell.Screencast
 dbus-system none
 memory-deny-write-execute
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d16aa2ee9..906d86484 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -307,6 +307,7 @@ gnome-recipes
 gnome-robots
 gnome-schedule
 gnome-screenshot
+gnome-sound-recorder
 gnome-sudoku
 gnome-system-log
 gnome-taquin
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-10-23 14:06:37 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-10-23 14:06:37 +0200
commit	582ae38e811a7a768d2cfbcf93e711ebbc984e07 (patch)
tree	f290de320d79ced20ee3e194e91e12cab0d0baea
parent	Merge pull request #3683 from jmetrius/vlc-aacs-fix (diff)
download	firejail-582ae38e811a7a768d2cfbcf93e711ebbc984e07.tar.gz firejail-582ae38e811a7a768d2cfbcf93e711ebbc984e07.tar.zst firejail-582ae38e811a7a768d2cfbcf93e711ebbc984e07.zip