Add a profile for Android ROM compilation

such as AOSP, LineageOS/CyanogenMod, etc. Use like: firejail --profile=/etc/firejail/aosp.profile /bin/bash
author: Tad <tad@spotco.us> 2017-09-25 15:17:06 -0400
committer: Tad <tad@spotco.us> 2017-09-25 15:21:29 -0400
commit: 8638519a4a0d66263d4b198252f6964c226829c9 (patch)
tree: 8bcbadccce2507a4fb7d13d6f7f7bb346ba2ae87
parent: Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download: firejail-8638519a4a0d66263d4b198252f6964c226829c9.tar.gz
firejail-8638519a4a0d66263d4b198252f6964c226829c9.tar.zst
firejail-8638519a4a0d66263d4b198252f6964c226829c9.zip
5 files changed, 52 insertions, 1 deletions
diff --git a/README.md b/README.md
index ef4a18310..303bd3359 100644
--- a/README.md
+++ b/README.md
@@ -180,4 +180,5 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
 calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
 imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
 ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
-conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool
+conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
+aosp
diff --git a/etc/android-studio.profile b/etc/android-studio.profile
index 1e1953780..6be92e1c0 100644
--- a/etc/android-studio.profile
+++ b/etc/android-studio.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
diff --git a/etc/aosp.profile b/etc/aosp.profile
new file mode 100644
index 000000000..6109d1701
--- /dev/null
+++ b/etc/aosp.profile
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aosp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 4779b0aae..40bca578f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -222,6 +222,8 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.jack-server
+blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
@@ -362,6 +364,8 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
+blacklist ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 928ec7327..caec416e9 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
author	Tad <tad@spotco.us>	2017-09-25 15:17:06 -0400
committer	Tad <tad@spotco.us>	2017-09-25 15:21:29 -0400
commit	8638519a4a0d66263d4b198252f6964c226829c9 (patch)
tree	8bcbadccce2507a4fb7d13d6f7f7bb346ba2ae87
parent	Merge branch 'master' of http://github.com/netblue30/firejail (diff)
download	firejail-8638519a4a0d66263d4b198252f6964c226829c9.tar.gz firejail-8638519a4a0d66263d4b198252f6964c226829c9.tar.zst firejail-8638519a4a0d66263d4b198252f6964c226829c9.zip

diff --git a/README.md b/README.md index ef4a18310..303bd3359 100644 --- a/README.md +++ b/README.md
@@ -180,4 +180,5 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage,
180	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,	180	calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth,
181	imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,	181	imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron,
182	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,	182	ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart,
183	conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool	183	conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool,
		184	aosp


diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 1e1953780..6be92e1c0 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio*
9	noblacklist ${HOME}/.android	9	noblacklist ${HOME}/.android
10	noblacklist ${HOME}/.gitconfig	10	noblacklist ${HOME}/.gitconfig
11	noblacklist ${HOME}/.gradle	11	noblacklist ${HOME}/.gradle
		12	noblacklist ${HOME}/.jack-server
		13	noblacklist ${HOME}/.jack-settings
12	noblacklist ${HOME}/.java	14	noblacklist ${HOME}/.java
13	noblacklist ${HOME}/.local/share/JetBrains	15	noblacklist ${HOME}/.local/share/JetBrains
14	noblacklist ${HOME}/.ssh	16	noblacklist ${HOME}/.ssh


diff --git a/etc/aosp.profile b/etc/aosp.profile new file mode 100644 index 000000000..6109d1701 --- /dev/null +++ b/etc/aosp.profile
@@ -0,0 +1,42 @@
		1	# Firejail profile for aosp
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/aosp.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8
		9	noblacklist ${HOME}/.android
		10	noblacklist ${HOME}/.bash_history
		11	noblacklist ${HOME}/.gitconfig
		12	noblacklist ${HOME}/.gradle
		13	noblacklist ${HOME}/.jack-server
		14	noblacklist ${HOME}/.jack-settings
		15	noblacklist ${HOME}/.java
		16	noblacklist ${HOME}/.repo_.gitconfig.json
		17	noblacklist ${HOME}/.repoconfig
		18	noblacklist ${HOME}/.ssh
		19	noblacklist ${HOME}/.tooling
		20
		21	include /etc/firejail/disable-common.inc
		22	include /etc/firejail/disable-passwdmgr.inc
		23	include /etc/firejail/disable-programs.inc
		24
		25	include /etc/firejail/whitelist-var-common.inc
		26
		27	caps.drop all
		28	ipc-namespace
		29	netfilter
		30	no3d
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	noroot
		35	nosound
		36	notv
		37	novideo
		38	protocol unix,inet,inet6
		39	seccomp
		40	shell none
		41
		42	private-tmp


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 4779b0aae..40bca578f 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -222,6 +222,8 @@ blacklist ${HOME}/.hugin
222	blacklist ${HOME}/.icedove	222	blacklist ${HOME}/.icedove
223	blacklist ${HOME}/.imagej	223	blacklist ${HOME}/.imagej
224	blacklist ${HOME}/.inkscape	224	blacklist ${HOME}/.inkscape
		225	blacklist ${HOME}/.jack-server
		226	blacklist ${HOME}/.jack-settings
225	blacklist ${HOME}/.java	227	blacklist ${HOME}/.java
226	blacklist ${HOME}/.jitsi	228	blacklist ${HOME}/.jitsi
227	blacklist ${HOME}/.kde/share/apps/gwenview	229	blacklist ${HOME}/.kde/share/apps/gwenview
@@ -362,6 +364,8 @@ blacklist ${HOME}/.pingus
362	blacklist ${HOME}/.purple	364	blacklist ${HOME}/.purple
363	blacklist ${HOME}/.qemu-launcher	365	blacklist ${HOME}/.qemu-launcher
364	blacklist ${HOME}/.remmina	366	blacklist ${HOME}/.remmina
		367	blacklist ${HOME}/.repo_.gitconfig.json
		368	blacklist ${HOME}/.repoconfig
365	blacklist ${HOME}/.retroshare	369	blacklist ${HOME}/.retroshare
366	blacklist ${HOME}/.scribus	370	blacklist ${HOME}/.scribus
367	blacklist ${HOME}/.scribusrc	371	blacklist ${HOME}/.scribusrc


diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile index 928ec7327..caec416e9 100644 --- a/etc/idea.sh.profile +++ b/etc/idea.sh.profile
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC*
9	noblacklist ${HOME}/.android	9	noblacklist ${HOME}/.android
10	noblacklist ${HOME}/.gitconfig	10	noblacklist ${HOME}/.gitconfig
11	noblacklist ${HOME}/.gradle	11	noblacklist ${HOME}/.gradle
		12	noblacklist ${HOME}/.jack-server
		13	noblacklist ${HOME}/.jack-settings
12	noblacklist ${HOME}/.java	14	noblacklist ${HOME}/.java
13	noblacklist ${HOME}/.local/share/JetBrains	15	noblacklist ${HOME}/.local/share/JetBrains
14	noblacklist ${HOME}/.ssh	16	noblacklist ${HOME}/.ssh