authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2022-12-09 12:36:28 +0000
committerLibravatar GitHub <noreply@github.com>2022-12-09 12:36:28 +0000
commit0e133dc034543291a00151f28bca4dc73ba64ce4 (patch)
treec22a5725cd33d2a6ea4643fcd6dde2bbceef6092
parentsandbox.c: print the dir on failed chdir(cfg.homedir) (diff)
New profile: tesseract (#5516)
* Add firecfg support for tesseract * Add tesseract to 'New profiles' section in README.md * Create tesseract.profile * tesseract: fix private-etc * tesseract: fix XDG black/whitelisting * tesseract: use 'seccomp socket' instead of 'protocol unix' As kindly suggested by @rusty-snake. * tesseract: add 'restrict-namespaces' As kindly suggested by @rusty-snake. * tesseract: use full seccomp filtering The tesseract application works fine without 'protocol' or 'seccomp socket'.
-rw-r--r--README.md2
-rw-r--r--etc/profile-m-z/tesseract.profile65
-rw-r--r--src/firecfg/firecfg.config1
3 files changed, 67 insertions, 1 deletions
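--- a/README.md
+++ b/README.md
@@ -336,4 +336,4 @@ Stats:
 ### New profiles:
 
 onionshare, onionshare-cli, opera-developer, songrec, gdu, makedeb, lbry-viewer, tuir,
-cinelerra-gg
+cinelerra-gg, tesseract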
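--- /dev/null
+++ b/etc/profile-m-z/tesseract.profile
@@ -0,0 +1,65 @@
+# Firejail profile for tesseract
+# Description: An OCR program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tesseract.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist ${DOCUMENTS}
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+whitelist /usr/share/tessdata
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+hostname tesseract
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+seccomp
+tracelog
+x11 none
+
+#disable-mnt
+private-bin ambiguous_words,classifier_tester,cntraining,combine_lang_model,combine_tessdata,dawg2wordlist,lstmeval,lstmtraining,merge_unicharsets,mftraining,set_unicharset_properties,shapeclustering,tesseract,text2image,unicharset_extractor,wordlist2dawg
+private-cache
+private-dev
+private-etc alternatives,fonts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload
+#private-lib libtesseract.so.*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+restrict-namespaces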
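Review bot: `blacklist ${RUNUSER}` on line 9 hides the whole runtime directory, so `include whitelist-runuser-common.inc` on line 27 looks redundant, since nothing it whitelists should remain reachable. Keeping only the blacklist would make the intended policy easier to audit. The commented-out `#disable-mnt` and `#private-lib libtesseract.so.*` carry no reason for being disabled. A line above each would tell users whether enabling it in tesseract.local is safe, for example `# Uncomment if input files never live under /mnt or /media` above `#disable-mnt`.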
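--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -788,6 +788,7 @@ telegram
 telegram-desktop
 telnet
 terasology
+tesseract
 textmaker18
 textmaker18free
 thunderbird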
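Review bot: Listing `tesseract` here means the sandbox also applies when another program spawns tesseract through the firecfg symlink, not only when a user runs it directly. The profile added in this commit sets `private-tmp` and whitelists only the Documents, Downloads and Pictures directories. A caller that passes an image path under /tmp or elsewhere in the home directory would therefore probably fail with a missing-file error. That is a reasonable default for confinement, but it deserves a comment in tesseract.profile, for example `# Frontends that pass files via /tmp need 'ignore private-tmp' in tesseract.local`.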