profiles: add profile for tin news reader (#4356)

author: Reiner Herrmann <reiner@reiner-h.de> 2021-06-12 18:39:48 +0000
committer: GitHub <noreply@github.com> 2021-06-12 20:39:48 +0200
commit: 6d559182d20ca49c7a276043a19d39b33cbcbda2 (patch)
tree: 6b0e9b5f622da37dc9f2b64351639e7392f0e357
parent: README.md: minor markdown improvements (diff)
download: firejail-6d559182d20ca49c7a276043a19d39b33cbcbda2.tar.gz
firejail-6d559182d20ca49c7a276043a19d39b33cbcbda2.tar.zst
firejail-6d559182d20ca49c7a276043a19d39b33cbcbda2.zip
3 files changed, 79 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 18d1978fc..6fb62e017 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -810,6 +810,7 @@ blacklist ${HOME}/.netactview
 blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
+blacklist ${HOME}/.newsrc
 blacklist ${HOME}/.nicotine
 blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
@@ -867,6 +868,7 @@ blacklist ${HOME}/.teeworlds
 blacklist ${HOME}/.texlive20*
 blacklist ${HOME}/.thunderbird
 blacklist ${HOME}/.tilp
+blacklist ${HOME}/.tin
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser*
 blacklist ${HOME}/.torcs
diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile
new file mode 100644
index 000000000..cd84ce05e
--- /dev/null
+++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
+# Firejail profile for rtin
+# Description: ncurses-based Usenet newsreader
+#              symlink to tin, same as `tin -r`
+# This file is overwritten after every install/update
+# Persistent local customizations
+include rtin.local
+include tin.profile
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..e0ed3090a
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute
author	Reiner Herrmann <reiner@reiner-h.de>	2021-06-12 18:39:48 +0000
committer	GitHub <noreply@github.com>	2021-06-12 20:39:48 +0200
commit	6d559182d20ca49c7a276043a19d39b33cbcbda2 (patch)
tree	6b0e9b5f622da37dc9f2b64351639e7392f0e357
parent	README.md: minor markdown improvements (diff)
download	firejail-6d559182d20ca49c7a276043a19d39b33cbcbda2.tar.gz firejail-6d559182d20ca49c7a276043a19d39b33cbcbda2.tar.zst firejail-6d559182d20ca49c7a276043a19d39b33cbcbda2.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 18d1978fc..6fb62e017 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -810,6 +810,7 @@ blacklist ${HOME}/.netactview
810	blacklist ${HOME}/.neverball	810	blacklist ${HOME}/.neverball
811	blacklist ${HOME}/.newsbeuter	811	blacklist ${HOME}/.newsbeuter
812	blacklist ${HOME}/.newsboat	812	blacklist ${HOME}/.newsboat
		813	blacklist ${HOME}/.newsrc
813	blacklist ${HOME}/.nicotine	814	blacklist ${HOME}/.nicotine
814	blacklist ${HOME}/.node-gyp	815	blacklist ${HOME}/.node-gyp
815	blacklist ${HOME}/.npm	816	blacklist ${HOME}/.npm
@@ -867,6 +868,7 @@ blacklist ${HOME}/.teeworlds
867	blacklist ${HOME}/.texlive20*	868	blacklist ${HOME}/.texlive20*
868	blacklist ${HOME}/.thunderbird	869	blacklist ${HOME}/.thunderbird
869	blacklist ${HOME}/.tilp	870	blacklist ${HOME}/.tilp
		871	blacklist ${HOME}/.tin
870	blacklist ${HOME}/.tooling	872	blacklist ${HOME}/.tooling
871	blacklist ${HOME}/.tor-browser*	873	blacklist ${HOME}/.tor-browser*
872	blacklist ${HOME}/.torcs	874	blacklist ${HOME}/.torcs


diff --git a/etc/profile-m-z/rtin.profile b/etc/profile-m-z/rtin.profile new file mode 100644 index 000000000..cd84ce05e --- /dev/null +++ b/etc/profile-m-z/rtin.profile
@@ -0,0 +1,8 @@
		1	# Firejail profile for rtin
		2	# Description: ncurses-based Usenet newsreader
		3	# symlink to tin, same as `tin -r`
		4	# This file is overwritten after every install/update
		5	# Persistent local customizations
		6	include rtin.local
		7
		8	include tin.profile


diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile new file mode 100644 index 000000000..e0ed3090a --- /dev/null +++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
		1	# Firejail profile for tin
		2	# Description: ncurses-based Usenet newsreader
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include tin.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.newsrc
		10	noblacklist ${HOME}/.tin
		11
		12	blacklist /tmp/.X11-unix
		13	blacklist ${RUNUSER}
		14	blacklist /usr/libexec
		15
		16	include disable-common.inc
		17	include disable-devel.inc
		18	include disable-exec.inc
		19	include disable-interpreters.inc
		20	include disable-passwdmgr.inc
		21	include disable-programs.inc
		22	include disable-shell.inc
		23	include disable-xdg.inc
		24
		25	mkdir ${HOME}/.tin
		26	mkfile ${HOME}/.newsrc
		27	# Note: files/directories directly in ${HOME} can't be whitelisted, as
		28	# tin saves .newsrc by renaming a temporary file, which is not possible for
		29	# bind-mounted files.
		30	#whitelist ${HOME}/.newsrc
		31	#whitelist ${HOME}/.tin
		32	#include whitelist-common.inc
		33	include whitelist-runuser-common.inc
		34	include whitelist-usr-share-common.inc
		35	include whitelist-var-common.inc
		36
		37	apparmor
		38	caps.drop all
		39	ipc-namespace
		40	machine-id
		41	netfilter
		42	no3d
		43	nodvd
		44	nogroups
		45	noinput
		46	nonewprivs
		47	noroot
		48	nosound
		49	notv
		50	nou2f
		51	novideo
		52	protocol inet,inet6
		53	seccomp
		54	seccomp.block-secondary
		55	shell none
		56	tracelog
		57
		58	disable-mnt
		59	private-bin rtin,tin
		60	private-cache
		61	private-dev
		62	private-etc passwd,resolv.conf,terminfo,tin
		63	private-lib terminfo
		64	private-tmp
		65
		66	dbus-user none
		67	dbus-system none
		68
		69	memory-deny-write-execute