New profile: qemu-common.profile (#6287)

Add a common profile to deduplicate entries and make qemu-related profiles redirect to it. Relates to #6255.
author: Kelvin M. Klann <kmk3.code@protonmail.com> 2024-03-25 06:42:07 +0000
committer: GitHub <noreply@github.com> 2024-03-25 06:42:07 +0000
commit: 7047e1a68955adc789d028ededdf0790a45d01f5 (patch)
tree: 6b68bb17d28465f91d72f0640dc6138b9ef6b6df
parent: build(deps): bump github/codeql-action from 3.24.7 to 3.24.9 (diff)
download: firejail-7047e1a68955adc789d028ededdf0790a45d01f5.tar.gz
firejail-7047e1a68955adc789d028ededdf0790a45d01f5.tar.zst
firejail-7047e1a68955adc789d028ededdf0790a45d01f5.zip
4 files changed, 37 insertions, 50 deletions
diff --git a/etc/profile-m-z/qemu-common.profile b/etc/profile-m-z/qemu-common.profile
new file mode 100644
index 000000000..bf8c2b977
--- /dev/null
+++ b/etc/profile-m-z/qemu-common.profile
@@ -0,0 +1,28 @@
+# Firejail profile for QEMU
+# Description: Machine & userspace emulator and virtualizer
+# This file is overwritten after every install/update
+# Persistent local customizations
+include qemu-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-programs.inc
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6
+seccomp
+tracelog
+private-cache
+private-tmp
+noexec /tmp
+restrict-namespaces
diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile
index 8484d3705..5eab480dc 100644
--- a/etc/profile-m-z/qemu-launcher.profile
+++ b/etc/profile-m-z/qemu-launcher.profile
@@ -7,22 +7,5 @@ include globals.local
 noblacklist ${HOME}/.qemu-launcher
-include disable-common.inc
+# Redirect
-include disable-programs.inc
+include qemu-common.profile
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
-private-cache
-private-tmp
-noexec /tmp
-restrict-namespaces
diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile
index 495c469f7..27dd31af1 100644
--- a/etc/profile-m-z/qemu-system-x86_64.profile
+++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -6,22 +6,5 @@ include qemu-system-x86_64.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
+# Redirect
-include disable-programs.inc
+include qemu-common.profile
-caps.drop all
-netfilter
-nodvd
-nogroups
-nonewprivs
-noroot
-notv
-protocol unix,inet,inet6
-seccomp
-tracelog
-private-cache
-private-tmp
-noexec /tmp
-restrict-namespaces
diff --git a/etc/profile-m-z/tqemu.profile b/etc/profile-m-z/tqemu.profile
index cf83202f7..d46cf15d9 100644
--- a/etc/profile-m-z/tqemu.profile
+++ b/etc/profile-m-z/tqemu.profile
@@ -6,21 +6,14 @@ include tqemu.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
+# breaks app
-include disable-programs.inc
+ignore restrict-namespaces
 # For host-only network sys_admin is needed.
 # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+ignore caps.drop all
 caps.keep net_raw,sys_nice
 #caps.keep net_raw,sys_admin
-netfilter
-nodvd
-notv
-tracelog
-private-cache
-private-tmp
-noexec /tmp
+# Redirect
-# breaks app
+include qemu-common.profile
-#restrict-namespaces
author	Kelvin M. Klann <kmk3.code@protonmail.com>	2024-03-25 06:42:07 +0000
committer	GitHub <noreply@github.com>	2024-03-25 06:42:07 +0000
commit	7047e1a68955adc789d028ededdf0790a45d01f5 (patch)
tree	6b68bb17d28465f91d72f0640dc6138b9ef6b6df
parent	build(deps): bump github/codeql-action from 3.24.7 to 3.24.9 (diff)
download	firejail-7047e1a68955adc789d028ededdf0790a45d01f5.tar.gz firejail-7047e1a68955adc789d028ededdf0790a45d01f5.tar.zst firejail-7047e1a68955adc789d028ededdf0790a45d01f5.zip

diff --git a/etc/profile-m-z/qemu-common.profile b/etc/profile-m-z/qemu-common.profile new file mode 100644 index 000000000..bf8c2b977 --- /dev/null +++ b/etc/profile-m-z/qemu-common.profile
@@ -0,0 +1,28 @@
		1	# Firejail profile for QEMU
		2	# Description: Machine & userspace emulator and virtualizer
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include qemu-common.local
		6	# Persistent global definitions
		7	# added by caller profile
		8	#include globals.local
		9
		10	include disable-common.inc
		11	include disable-programs.inc
		12
		13	caps.drop all
		14	netfilter
		15	nodvd
		16	nogroups
		17	nonewprivs
		18	noroot
		19	notv
		20	protocol unix,inet,inet6
		21	seccomp
		22	tracelog
		23
		24	private-cache
		25	private-tmp
		26
		27	noexec /tmp
		28	restrict-namespaces


diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile index 8484d3705..5eab480dc 100644 --- a/etc/profile-m-z/qemu-launcher.profile +++ b/etc/profile-m-z/qemu-launcher.profile
@@ -7,22 +7,5 @@ include globals.local
7		7
8	noblacklist ${HOME}/.qemu-launcher	8	noblacklist ${HOME}/.qemu-launcher
9		9
10	include disable-common.inc	10	# Redirect
11	include disable-programs.inc	11	include qemu-common.profile
12
13	caps.drop all
14	netfilter
15	nodvd
16	nogroups
17	nonewprivs
18	noroot
19	notv
20	protocol unix,inet,inet6
21	seccomp
22	tracelog
23
24	private-cache
25	private-tmp
26
27	noexec /tmp
28	restrict-namespaces


diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile index 495c469f7..27dd31af1 100644 --- a/etc/profile-m-z/qemu-system-x86_64.profile +++ b/etc/profile-m-z/qemu-system-x86_64.profile
@@ -6,22 +6,5 @@ include qemu-system-x86_64.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	include disable-common.inc	9	# Redirect
10	include disable-programs.inc	10	include qemu-common.profile
11
12	caps.drop all
13	netfilter
14	nodvd
15	nogroups
16	nonewprivs
17	noroot
18	notv
19	protocol unix,inet,inet6
20	seccomp
21	tracelog
22
23	private-cache
24	private-tmp
25
26	noexec /tmp
27	restrict-namespaces


diff --git a/etc/profile-m-z/tqemu.profile b/etc/profile-m-z/tqemu.profile index cf83202f7..d46cf15d9 100644 --- a/etc/profile-m-z/tqemu.profile +++ b/etc/profile-m-z/tqemu.profile
@@ -6,21 +6,14 @@ include tqemu.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	include disable-common.inc	9	# breaks app
10	include disable-programs.inc	10	ignore restrict-namespaces
11		11
12	# For host-only network sys_admin is needed.	12	# For host-only network sys_admin is needed.
13	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630	13	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
		14	ignore caps.drop all
14	caps.keep net_raw,sys_nice	15	caps.keep net_raw,sys_nice
15	#caps.keep net_raw,sys_admin	16	#caps.keep net_raw,sys_admin
16	netfilter
17	nodvd
18	notv
19	tracelog
20
21	private-cache
22	private-tmp
23		17
24	noexec /tmp	18	# Redirect
25	# breaks app	19	include qemu-common.profile
26	#restrict-namespaces