Merge branch 'master' of https://github.com/netblue30/firejail

11 files changed, 50 insertions, 7 deletions

diff --git a/README.md b/README.md
index d12b9ee4e..8372841a5 100644
--- a/README.md
+++ b/README.md
@@ -207,4 +207,5 @@ curl, mplayer2, SMPlayer, Calibre, ebook-viewer, KWrite, Geary, Liferea, peek, s
 IntelliJ IDEA, Android Studio, electron, riot-web,
 Extreme Tux Racer, Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux,
 telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg, hashcat, obs, picard,
-remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch
+remmina, sdat2img, soundconverter, sqlitebrowse, truecraft, gnome-twitch, tuxguitar,
+musescore
diff --git a/RELNOTES b/RELNOTES
index 36dd39686..0e61019d9 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -19,7 +19,7 @@ firejail (0.9.49) baseline; urgency=low
   * new profiles: Frozen Bubble, Open Invaders, Pingus, Simutrans, SuperTux
   * new profiles: telegram-desktop, arm, rambox, apktool, baobab, dex2jar, gitg,
   * new profiles: hashcat, obs, picard, remmina, sdat2img, soundconverter, sqlitebrowse,
-  * new profiles: truecraft, gnome-twitch
+  * new profiles: truecraft, gnome-twitch, tuxguitar, musescore
   * bugfixes
  -- netblue30 <netblue30@yahoo.com>  Mon, 12 Jun 2017 20:00:00 -0500
 
diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index ee1346617..460966321 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -14,11 +14,9 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a54d2a739..7b0e6e9eb 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -44,6 +44,8 @@ blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
+blacklist ${HOME}/.config/MusE
+blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
@@ -274,6 +276,8 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
+blacklist ${HOME}/.local/share/data/MusE
+blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 8bc263d4d..212aa8817 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -15,9 +15,12 @@ caps.drop all
 netfilter
 nodvd
 nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+tracelog
 
 private-tmp
diff --git a/etc/musescore.profile b/etc/musescore.profile
new file mode 100644
index 000000000..bd00bea69
--- /dev/null
+++ b/etc/musescore.profile
@@ -0,0 +1,30 @@
+# Firejail profile for musescore
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/musescore.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.config/MusE
+noblacklist ~/.config/MuseScore
+noblacklist ~/.local/share/data/MusE
+noblacklist ~/.local/share/data/MuseScore
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin musescore,mscore
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 0338bc452..1d590a142 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
@@ -19,11 +20,13 @@ nonewprivs
 noroot
 nosound
 notv
-# protocol unix,inet,inet6
-seccomp
+novideo
+protocol unix,netlink
+# skanlite makes ioperm system calls, which are blacklisted by default.
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite
+# private-bin skanlite,kbuildsycoca4
 # private-dev
 # private-etc
 # private-tmp
diff --git a/etc/tracker.profile b/etc/tracker.profile
index ded2ae2e5..f3dfb2d4e 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index ddbcce3f6..5b6a257f6 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
 no3d
 nodvd
 nonewprivs
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index d11f473ed..6473c6fef 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -216,6 +216,7 @@
 /etc/firejail/mumble.profile
 /etc/firejail/mupdf.profile
 /etc/firejail/mupen64plus.profile
+/etc/firejail/musescore.profile
 /etc/firejail/mutt.profile
 /etc/firejail/nautilus.profile
 /etc/firejail/nemo.profile
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index d66b026b0..15e95b9a7 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -193,6 +193,7 @@ multimc5
 mumble
 mupdf
 mupen64plus
+musescore
 mutt
 nautilus
 netsurf