Merge branch 'master' of https://github.com/netblue30/firejail

11 files changed, 122 insertions, 7 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 37e5cc2d0..19dd2b320 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,8 +9,9 @@ build_ubuntu_package:
     image: ubuntu:rolling
     script:
         - apt-get update -qq
-        - apt-get install -y -qq build-essential lintian pkg-config
+        - apt-get install -y -qq build-essential lintian pkg-config python3
         - ./configure --prefix=/usr && make deb && dpkg -i firejail*.deb
+        - python3 contrib/sort.py etc/*.{profile,inc}
 
 build_debian_package:
     image: debian:jessie
@@ -32,14 +33,16 @@ build_fedora_package:
         - dnf update -y
         - dnf install -y rpm-build gcc make
         - ./configure --prefix=/usr && make rpms && rpm -i firejail*.rpm
+        - python3 contrib/sort.py etc/*.{profile,inc}
 
 build_src_package:
     image: alpine:latest
     script:
         - apk update
         - apk upgrade
-        - apk add build-base linux-headers
+        - apk add build-base linux-headers python3
         - ./configure --prefix=/usr && make && make install-strip
+        # - python3 contrib/sort.py etc/*.{profile,inc}
 
 build_apparmor:
     image: ubuntu:latest
diff --git a/README.md b/README.md
index b97d73e67..bd6ba406a 100644
--- a/README.md
+++ b/README.md
@@ -118,4 +118,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 
 ## New profiles:
 
-gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop
+gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop, ar, gnome-latex, pngquant
diff --git a/RELNOTES b/RELNOTES
index 5c50195e0..cad0b974c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -16,7 +16,7 @@ firejail (0.9.61) baseline; urgency=low
   * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
   * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
   * new profiles: kiwix-desktop, bzcat, zstd, pzstd, zstdcat, zstdgrep, zstdless
-  * new profiles: zstdmt, unzstd, i2p
+  * new profiles: zstdmt, unzstd, i2p, ar, gnome-latex, pngquant
  -- netblue30 <netblue30@yahoo.com>  Sat, 1 Jun 2019 08:00:00 -0500
 
 firejail (0.9.60) baseline; urgency=low
diff --git a/contrib/sort.py b/contrib/sort.py
index 97315fba8..f77e2a1fc 100755
--- a/contrib/sort.py
+++ b/contrib/sort.py
@@ -23,11 +23,13 @@ Exit-Codes:
 #  python >= 3.6
 from sys import argv
 
+
 def sort_alphabetical(raw_items):
     items = raw_items.split(",")
     items.sort(key=lambda s: s.casefold())
     return ",".join(items)
 
+
 def sort_protocol(protocols):
     """sort the given protocole into this scheme: unix,inet,inet6,netlink,packet"""
     # shortcut for common protocol lines
@@ -64,6 +66,7 @@ def sort_protocol(protocols):
         fixed_protocols += "packet,"
     return fixed_protocols[:-1]
 
+
 def fix_profile(filename):
     with open(filename, "r+") as profile:
         lines = profile.read().split("\n")
@@ -94,6 +97,7 @@ def fix_profile(filename):
             return 101
         return 0
 
+
 def main(args):
     exit_code = 0
     for filename in args:
@@ -103,15 +107,16 @@ def main(args):
             else:
                 fix_profile(filename)
         except FileNotFoundError:
-            print(f"[ Error ] Can't find {filename}")
+            print(f"[ Error ] Can't find `{filename}'")
             exit_code = 1
         except PermissionError:
-            print(f"[ Error ] Can't read/write {filename}")
+            print(f"[ Error ] Can't read/write `{filename}'")
             exit_code = 1
         except:
-            print(f"[ Error ] An error occurred while processing {filename}")
+            print(f"[ Error ] An error occurred while processing `{filename}'")
             exit_code = 1
     return exit_code
 
+
 if __name__ == "__main__":
     exit(main(argv[1:]))
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index e54b651a6..7dbe535fe 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -183,6 +183,7 @@ blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-builder
+blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
 blacklist ${HOME}/.config/gnome-pie
@@ -502,6 +503,7 @@ blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-latex
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
diff --git a/etc/gnome-latex.profile b/etc/gnome-latex.profile
new file mode 100644
index 000000000..9cef9072c
--- /dev/null
+++ b/etc/gnome-latex.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gnome-latex
+# Description: LaTeX editor for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-latex.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/gnome-latex
+noblacklist ${HOME}/.local/share/gnome-latex
+
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+# May cause issues.
+#include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index a1b3bce23..a968609a9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.config/inkscape
 noblacklist ${HOME}/.inkscape
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
+# Allow exporting .xcf files
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
+
 
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/pngquant.profile b/etc/pngquant.profile
new file mode 100644
index 000000000..8c06cef1a
--- /dev/null
+++ b/etc/pngquant.profile
@@ -0,0 +1,47 @@
+# Firejail profile for pngquant
+# Description: PNG converter and lossy image compressor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pngquant.local
+# Persistent global definitions
+include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol can be empty, but this is not yet supported see #639
+protocol inet
+seccomp
+shell none
+tracelog
+x11 none
+
+private-bin pngquant
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+
+memory-deny-write-execute
diff --git a/etc/steam.profile b/etc/steam.profile
index 654ea825e..762cbd1b3 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -38,6 +38,8 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
+# allow-debuggers needed for running some games with proton
+allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 717c82379..9c1b7b92c 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
 
+# dconf
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
+
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 502449839..f90d6c6bc 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -242,6 +242,7 @@ gnome-clocks
 gnome-contacts
 gnome-documents
 gnome-font-viewer
+gnome-latex
 gnome-logs
 gnome-maps
 gnome-mplayer
@@ -473,6 +474,7 @@ pitivi
 pix
 playonlinux
 pluma
+pngquant
 polari
 ppsspp
 pragha