Create virt-manager.profile

author: glitsj16 <glitsj16@users.noreply.github.com> 2024-02-27 19:31:29 +0000
committer: GitHub <noreply@github.com> 2024-02-27 19:31:29 +0000
commit: 82e30a82919cdc1556f660abc96c6e8426aa0482 (patch)
tree: 7d16f1375df85fa2366de9fb886ee204a14ca416
parent: disable-programs.inc: add virt-manager support (diff)
download: firejail-82e30a82919cdc1556f660abc96c6e8426aa0482.tar.gz
firejail-82e30a82919cdc1556f660abc96c6e8426aa0482.tar.zst
firejail-82e30a82919cdc1556f660abc96c6e8426aa0482.zip
1 files changed, 72 insertions, 0 deletions
diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile
new file mode 100644
index 000000000..86fe63ef9
--- /dev/null
+++ b/etc/profile-m-z/virt-manager.profile
@@ -0,0 +1,72 @@
+# Firejail profile for virt-manager
+# Description: Manage virtual machines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virt-manager.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/virt-manager
+noblacklist ${RUNUSER}/libvirt
+noblacklist /sbin
+noblacklist /usr/sbin
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# breaks app
+#include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/virt-manager
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/virt-manager
+whitelist ${RUNUSER}/libvirt
+whitelist /run/libvirt
+whitelist /usr/share/libvirt
+whitelist /usr/share/osinfo
+whitelist /usr/share/qemu
+whitelist /usr/share/seabios
+whitelist /usr/share/virt-manager
+# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
+whitelist /var/lib/usbutils/usb.ids
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# breaks app
+#apparmor
+# For host-only network sys_admin is needed.
+# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
+#caps.keep net_raw,sys_admin
+netfilter
+nodvd
+notv
+tracelog
+private-cache
+private-etc @network,@sound,@tls-ca,@x11
+private-tmp
+writable-var
+dbus-user filter
+dbus-user.own org.virt-manager.virt-manager
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+# breaks app
+#deterministic-shutdown
+# breaks app
+#restrict-namespaces
author	glitsj16 <glitsj16@users.noreply.github.com>	2024-02-27 19:31:29 +0000
committer	GitHub <noreply@github.com>	2024-02-27 19:31:29 +0000
commit	82e30a82919cdc1556f660abc96c6e8426aa0482 (patch)
tree	7d16f1375df85fa2366de9fb886ee204a14ca416
parent	disable-programs.inc: add virt-manager support (diff)
download	firejail-82e30a82919cdc1556f660abc96c6e8426aa0482.tar.gz firejail-82e30a82919cdc1556f660abc96c6e8426aa0482.tar.zst firejail-82e30a82919cdc1556f660abc96c6e8426aa0482.zip

diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile new file mode 100644 index 000000000..86fe63ef9 --- /dev/null +++ b/etc/profile-m-z/virt-manager.profile
@@ -0,0 +1,72 @@
	1	# Firejail profile for virt-manager
	2	# Description: Manage virtual machines
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include virt-manager.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.cache/virt-manager
	10	noblacklist ${RUNUSER}/libvirt
	11
	12	noblacklist /sbin
	13	noblacklist /usr/sbin
	14
	15	# Allow python 3 (blacklisted by disable-interpreters.inc)
	16	include allow-python3.inc
	17
	18	include disable-common.inc
	19	include disable-devel.inc
	20	include disable-exec.inc
	21	include disable-interpreters.inc
	22	# breaks app
	23	#include disable-proc.inc
	24	include disable-programs.inc
	25	include disable-xdg.inc
	26
	27	mkdir ${HOME}/.cache/virt-manager
	28	whitelist ${DOWNLOADS}
	29	whitelist ${HOME}/.cache/virt-manager
	30	whitelist ${RUNUSER}/libvirt
	31	whitelist /run/libvirt
	32
	33	whitelist /usr/share/libvirt
	34	whitelist /usr/share/osinfo
	35	whitelist /usr/share/qemu
	36	whitelist /usr/share/seabios
	37	whitelist /usr/share/virt-manager
	38	# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
	39	whitelist /var/lib/usbutils/usb.ids
	40	include whitelist-common.inc
	41	include whitelist-run-common.inc
	42	include whitelist-runuser-common.inc
	43	include whitelist-usr-share-common.inc
	44	include whitelist-var-common.inc
	45
	46	# breaks app
	47	#apparmor
	48	# For host-only network sys_admin is needed.
	49	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
	50	caps.keep net_raw,sys_nice
	51	#caps.keep net_raw,sys_admin
	52	netfilter
	53	nodvd
	54	notv
	55	tracelog
	56
	57	private-cache
	58	private-etc @network,@sound,@tls-ca,@x11
	59	private-tmp
	60	writable-var
	61
	62	dbus-user filter
	63	dbus-user.own org.virt-manager.virt-manager
	64	dbus-user.talk ca.desrt.dconf
	65	dbus-user.talk org.freedesktop.Notifications
	66	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
	67	dbus-system none
	68
	69	# breaks app
	70	#deterministic-shutdown
	71	# breaks app
	72	#restrict-namespaces