profiles: clarify and add opengl-game to profile.template (#6300)

To make it consistent with the other include profiles. See etc/templates/profile.template. With this, all `etc/inc/allow-*` files are listed in profile.template. The explanation is based on a comment by @rusty-snake[1]. Relates to #4071. This is a follow-up to #6299. [1] https://github.com/netblue30/firejail/pull/4071#issuecomment-822003473
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-04-05 12:09:04 +0000
committer: GitHub <noreply@github.com> 2024-04-05 12:09:04 +0000
commit: 1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea (patch)
tree: bc08210c54287ccd7a895049f829b609b7279b29
parent: profiles: add allow-php.inc to profile.template (#6299) (diff)
download: firejail-1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea.tar.gz
firejail-1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea.tar.zst
firejail-1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea.zip
14 files changed, 23 insertions, 0 deletions
diff --git a/etc/inc/allow-opengl-game.inc b/etc/inc/allow-opengl-game.inc
index 5d2d6c5c1..5ec227348 100644
--- a/etc/inc/allow-opengl-game.inc
+++ b/etc/inc/allow-opengl-game.inc
@@ -2,6 +2,12 @@
 # Persistent customizations should go in a .local file.
 include allow-opengl-game.local
+# Explanation: Fedora (and maybe others) install a .desktop file that uses
+# `Exec=foo-wrapper` instead of `Exec=foo`.  Each /usr/bin/foo-wrapper is a
+# symlink to /usr/bin/opengl-game-wrapper.sh, which checks hardware
+# acceleration and then starts the game or notifies the user that there is a
+# problem.
 noblacklist ${PATH}/bash
 whitelist /usr/share/opengl-games-utils/opengl-game-functions.sh
 private-bin basename,bash,cut,glxinfo,grep,head,sed,zenity
diff --git a/etc/profile-a-l/alienarena-wrapper.profile b/etc/profile-a-l/alienarena-wrapper.profile
index b31996cd2..b05a6968d 100644
--- a/etc/profile-a-l/alienarena-wrapper.profile
+++ b/etc/profile-a-l/alienarena-wrapper.profile
@@ -6,6 +6,7 @@ include alienarena-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin alienarena-wrapper
diff --git a/etc/profile-a-l/ballbuster-wrapper.profile b/etc/profile-a-l/ballbuster-wrapper.profile
index 419dcaab5..64a78e154 100644
--- a/etc/profile-a-l/ballbuster-wrapper.profile
+++ b/etc/profile-a-l/ballbuster-wrapper.profile
@@ -6,6 +6,7 @@ include ballbuster-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin ballbuster-wrapper
diff --git a/etc/profile-a-l/colorful-wrapper.profile b/etc/profile-a-l/colorful-wrapper.profile
index 4b762047d..ebccffe09 100644
--- a/etc/profile-a-l/colorful-wrapper.profile
+++ b/etc/profile-a-l/colorful-wrapper.profile
@@ -6,6 +6,7 @@ include colorful-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin colorful-wrapper
diff --git a/etc/profile-a-l/etr-wrapper.profile b/etc/profile-a-l/etr-wrapper.profile
index 98f949918..66dcb3af1 100644
--- a/etc/profile-a-l/etr-wrapper.profile
+++ b/etc/profile-a-l/etr-wrapper.profile
@@ -6,6 +6,7 @@ include etr-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin etr-wrapper
diff --git a/etc/profile-a-l/gl-117-wrapper.profile b/etc/profile-a-l/gl-117-wrapper.profile
index d783940f3..52b812954 100644
--- a/etc/profile-a-l/gl-117-wrapper.profile
+++ b/etc/profile-a-l/gl-117-wrapper.profile
@@ -6,6 +6,7 @@ include gl-117-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin gl-117-wrapper
diff --git a/etc/profile-a-l/glaxium-wrapper.profile b/etc/profile-a-l/glaxium-wrapper.profile
index 7dc2cf65e..341f3ac4b 100644
--- a/etc/profile-a-l/glaxium-wrapper.profile
+++ b/etc/profile-a-l/glaxium-wrapper.profile
@@ -6,6 +6,7 @@ include glaxium-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin glaxium-wrapper
diff --git a/etc/profile-m-z/neverball-wrapper.profile b/etc/profile-m-z/neverball-wrapper.profile
index 534e41dd1..086bd6e5e 100644
--- a/etc/profile-m-z/neverball-wrapper.profile
+++ b/etc/profile-m-z/neverball-wrapper.profile
@@ -6,6 +6,7 @@ include neverball-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin neverball-wrapper
diff --git a/etc/profile-m-z/neverputt-wrapper.profile b/etc/profile-m-z/neverputt-wrapper.profile
index dacd113cc..d29809c9a 100644
--- a/etc/profile-m-z/neverputt-wrapper.profile
+++ b/etc/profile-m-z/neverputt-wrapper.profile
@@ -6,6 +6,7 @@ include neverputt-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin neverputt-wrapper
diff --git a/etc/profile-m-z/pinball-wrapper.profile b/etc/profile-m-z/pinball-wrapper.profile
index 2b5ed6e27..fec4c3132 100644
--- a/etc/profile-m-z/pinball-wrapper.profile
+++ b/etc/profile-m-z/pinball-wrapper.profile
@@ -6,6 +6,7 @@ include pinball-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin pinball-wrapper
diff --git a/etc/profile-m-z/scorched3d-wrapper.profile b/etc/profile-m-z/scorched3d-wrapper.profile
index e76caec1d..a8713edbf 100644
--- a/etc/profile-m-z/scorched3d-wrapper.profile
+++ b/etc/profile-m-z/scorched3d-wrapper.profile
@@ -3,6 +3,7 @@
 # Persistent local customizations
 include scorched3d-wrapper.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin scorched3d-wrapper
diff --git a/etc/profile-m-z/supertuxkart-wrapper.profile b/etc/profile-m-z/supertuxkart-wrapper.profile
index af8d73deb..20744090c 100644
--- a/etc/profile-m-z/supertuxkart-wrapper.profile
+++ b/etc/profile-m-z/supertuxkart-wrapper.profile
@@ -6,6 +6,7 @@ include supertuxkart-wrapper.local
 # added by included profile
 #include globals.local
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 private-bin supertuxkart-wrapper
diff --git a/etc/profile-m-z/xonotic.profile b/etc/profile-m-z/xonotic.profile
index 87e75986d..ad4ed4d8b 100644
--- a/etc/profile-m-z/xonotic.profile
+++ b/etc/profile-m-z/xonotic.profile
@@ -8,7 +8,10 @@ include globals.local
 noblacklist ${HOME}/.xonotic
+# Allow /bin/sh (blacklisted by disable-shell.inc)
 include allow-bin-sh.inc
+# Allow opengl-game wrapper script (distribution-specific)
 include allow-opengl-game.inc
 include disable-common.inc
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 2188721b8..459baf51a 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -91,6 +91,9 @@ include globals.local
 # Allow nodejs (blacklisted by disable-interpreters.inc)
 #include allow-nodejs.inc
+# Allow opengl-game wrapper script (distribution-specific)
+#include allow-opengl-game.inc
 # Allow perl (blacklisted by disable-interpreters.inc)
 #include allow-perl.inc
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-04-05 12:09:04 +0000
committer	GitHub <noreply@github.com>	2024-04-05 12:09:04 +0000
commit	1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea (patch)
tree	bc08210c54287ccd7a895049f829b609b7279b29
parent	profiles: add allow-php.inc to profile.template (#6299) (diff)
download	firejail-1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea.tar.gz firejail-1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea.tar.zst firejail-1cfa06b4c5517a89d1a5dafd80ee593f8ebf86ea.zip