added ffmpeg.profile, removed ssh-agent from firecfg

author: netblue30 <netblue30@yahoo.com> 2017-09-21 08:15:19 -0400
committer: netblue30 <netblue30@yahoo.com> 2017-09-21 08:15:19 -0400
commit: 0ec8ec63375efaf87a5f8af48c83eac560dacd20 (patch)
tree: 978dab36c48f26091d2e1919d1f561d522577737
parent: Fixup 17a2edf9be3d1144db1a262c5358bf190c9b272b (diff)
download: firejail-0ec8ec63375efaf87a5f8af48c83eac560dacd20.tar.gz
firejail-0ec8ec63375efaf87a5f8af48c83eac560dacd20.tar.zst
firejail-0ec8ec63375efaf87a5f8af48c83eac560dacd20.zip
4 files changed, 37 insertions, 2 deletions
diff --git a/README.md b/README.md
index c9e04ee3c..26f3dc3c5 100644
--- a/README.md
+++ b/README.md
@@ -180,4 +180,4 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
 calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
 imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
 ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit
+conky, arch-audit, ffmpeg
diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile
new file mode 100644
index 000000000..e098c95e3
--- /dev/null
+++ b/etc/ffmpeg.profile
@@ -0,0 +1,33 @@
+# Firejail profile for default
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include /etc/firejail/ffmpeg.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+caps.drop all
+net none
+no3d
+nodvd
+nosound
+notv
+novideo
+nonewprivs
+noroot
+# protocol none - needs to be implemented!
+seccomp
+# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
+# memory-deny-write-execute - it breaks old versions of ffmpeg
+shell none
+tracelog
+private-tmp
+private-dev
+private-bin ffmpeg
+include /etc/firejail/whitelist-var-common.inc
diff --git a/platform/debian/conffiles b/platform/debian/conffiles
index af6547f7f..27623aee3 100644
--- a/platform/debian/conffiles
+++ b/platform/debian/conffiles
@@ -358,3 +358,4 @@
 /etc/firejail/yandex-browser.profile
 /etc/firejail/itch.profile
 /etc/firejail/whitelist-var-common.inc
+/etc/firejail/ffmpeg
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index e4e3e4972..5a36f5e3e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -99,6 +99,7 @@ evolution
 exiftool
 fbreader
 feh
+ffmpeg
 file-roller
 filezilla
 firefox
@@ -292,7 +293,7 @@ soundconverter
 spotify
 sqlitebrowser
 ssh
-ssh-agent
+# ssh-agent - problems on Arch with Fish shell (#1568)
 start-tor-browser
 steam
 stellarium
author	netblue30 <netblue30@yahoo.com>	2017-09-21 08:15:19 -0400
committer	netblue30 <netblue30@yahoo.com>	2017-09-21 08:15:19 -0400
commit	0ec8ec63375efaf87a5f8af48c83eac560dacd20 (patch)
tree	978dab36c48f26091d2e1919d1f561d522577737
parent	Fixup 17a2edf9be3d1144db1a262c5358bf190c9b272b (diff)
download	firejail-0ec8ec63375efaf87a5f8af48c83eac560dacd20.tar.gz firejail-0ec8ec63375efaf87a5f8af48c83eac560dacd20.tar.zst firejail-0ec8ec63375efaf87a5f8af48c83eac560dacd20.zip

diff --git a/README.md b/README.md index c9e04ee3c..26f3dc3c5 100644 --- a/README.md +++ b/README.md
@@ -180,4 +180,4 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
180	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,	180	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
181	imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,	181	imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
182	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,	182	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
183	conky, arch-audit	183	conky, arch-audit, ffmpeg


diff --git a/etc/ffmpeg.profile b/etc/ffmpeg.profile new file mode 100644 index 000000000..e098c95e3 --- /dev/null +++ b/etc/ffmpeg.profile
@@ -0,0 +1,33 @@
		1	# Firejail profile for default
		2	# This file is overwritten after every install/update
		3	quiet
		4	# Persistent local customizations
		5	include /etc/firejail/ffmpeg.local
		6	# Persistent global definitions
		7	include /etc/firejail/globals.local
		8
		9	include /etc/firejail/disable-common.inc
		10	include /etc/firejail/disable-devel.inc
		11	include /etc/firejail/disable-passwdmgr.inc
		12	include /etc/firejail/disable-programs.inc
		13
		14	caps.drop all
		15	net none
		16	no3d
		17	nodvd
		18	nosound
		19	notv
		20	novideo
		21	nonewprivs
		22	noroot
		23	# protocol none - needs to be implemented!
		24	seccomp
		25	# seccomp.keep futex,write,read,munmap,fstat,mprotect,mmap,open,close,stat,lseek,brk,rt_sigaction,rt_sigprocmask,ioctl,access,select,madvise,getpid,clone,execve,fcntl,getdents,readlink,getrlimit,getrusage,statfs,getpriority,setpriority,arch_prctl,sched_getaffinity,set_tid_address,set_robust_list,getrandom
		26	# memory-deny-write-execute - it breaks old versions of ffmpeg
		27	shell none
		28	tracelog
		29
		30	private-tmp
		31	private-dev
		32	private-bin ffmpeg
		33	include /etc/firejail/whitelist-var-common.inc


diff --git a/platform/debian/conffiles b/platform/debian/conffiles index af6547f7f..27623aee3 100644 --- a/platform/debian/conffiles +++ b/platform/debian/conffiles
@@ -358,3 +358,4 @@
358	/etc/firejail/yandex-browser.profile	358	/etc/firejail/yandex-browser.profile
359	/etc/firejail/itch.profile	359	/etc/firejail/itch.profile
360	/etc/firejail/whitelist-var-common.inc	360	/etc/firejail/whitelist-var-common.inc
		361	/etc/firejail/ffmpeg


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index e4e3e4972..5a36f5e3e 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -99,6 +99,7 @@ evolution
99	exiftool	99	exiftool
100	fbreader	100	fbreader
101	feh	101	feh
		102	ffmpeg
102	file-roller	103	file-roller
103	filezilla	104	filezilla
104	firefox	105	firefox
@@ -292,7 +293,7 @@ soundconverter
292	spotify	293	spotify
293	sqlitebrowser	294	sqlitebrowser
294	ssh	295	ssh
295	ssh-agent	296	# ssh-agent - problems on Arch with Fish shell (#1568)
296	start-tor-browser	297	start-tor-browser
297	steam	298	steam
298	stellarium	299	stellarium