Merge pull request #2425 from glitsj16/exfalso

Add exfalso profile
author: glitsj16 <glitsj16@users.noreply.github.com> 2019-02-20 03:28:44 +0000
committer: GitHub <noreply@github.com> 2019-02-20 03:28:44 +0000
commit: be6b03d9e14291b114b7473dd1759a840745c8f5 (patch)
tree: bd505e0a0cc5c67e066c3d09ac24a648b010e85b
parent: Merge pull request #2424 from glitsj16/gconf-editor (diff)
parent: Add exfalso to firecfg (diff)
download: firejail-be6b03d9e14291b114b7473dd1759a840745c8f5.tar.gz
firejail-be6b03d9e14291b114b7473dd1759a840745c8f5.tar.zst
firejail-be6b03d9e14291b114b7473dd1759a840745c8f5.zip
3 files changed, 54 insertions, 0 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 6b0d0c7c4..5485550a8 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -513,6 +513,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qmmp
+blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
new file mode 100644
index 000000000..58fd1b3b2
--- /dev/null
+++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+# machine-id breaks audio; it should work fine in setups where sound is not required
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin exfalso,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+private-tmp
+# memory-deny-write-execute - Breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3c89018ed..bd45d7802 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -139,6 +139,7 @@ evince
 evince-previewer
 evince-thumbnailer
 evolution
+exfalso
 exiftool
 falkon
 fbreader
author	glitsj16 <glitsj16@users.noreply.github.com>	2019-02-20 03:28:44 +0000
committer	GitHub <noreply@github.com>	2019-02-20 03:28:44 +0000
commit	be6b03d9e14291b114b7473dd1759a840745c8f5 (patch)
tree	bd505e0a0cc5c67e066c3d09ac24a648b010e85b
parent	Merge pull request #2424 from glitsj16/gconf-editor (diff)
parent	Add exfalso to firecfg (diff)
download	firejail-be6b03d9e14291b114b7473dd1759a840745c8f5.tar.gz firejail-be6b03d9e14291b114b7473dd1759a840745c8f5.tar.zst firejail-be6b03d9e14291b114b7473dd1759a840745c8f5.zip

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 6b0d0c7c4..5485550a8 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -513,6 +513,7 @@ blacklist ${HOME}/.pingus
513	blacklist ${HOME}/.purple	513	blacklist ${HOME}/.purple
514	blacklist ${HOME}/.qemu-launcher	514	blacklist ${HOME}/.qemu-launcher
515	blacklist ${HOME}/.qmmp	515	blacklist ${HOME}/.qmmp
		516	blacklist ${HOME}/.quodlibet
516	blacklist ${HOME}/.redeclipse	517	blacklist ${HOME}/.redeclipse
517	blacklist ${HOME}/.remmina	518	blacklist ${HOME}/.remmina
518	blacklist ${HOME}/.repo_.gitconfig.json	519	blacklist ${HOME}/.repo_.gitconfig.json


diff --git a/etc/exfalso.profile b/etc/exfalso.profile new file mode 100644 index 000000000..58fd1b3b2 --- /dev/null +++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
		1	# Firejail profile for exfalso
		2	# Description: GTK audio tag editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include exfalso.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.quodlibet
		10	noblacklist ${MUSIC}
		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python2*
		14	noblacklist ${PATH}/python3*
		15	noblacklist /usr/lib/python2*
		16	noblacklist /usr/lib/python3*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-xdg.inc
		24
		25	caps.drop all
		26	# machine-id breaks audio; it should work fine in setups where sound is not required
		27	machine-id
		28	netfilter
		29	no3d
		30	nodbus
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	noroot
		35	nosound
		36	notv
		37	nou2f
		38	novideo
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42
		43	private-bin exfalso,python*
		44	private-cache
		45	private-dev
		46	private-etc alternatives,fonts,group,passwd
		47	private-lib libatk-1.0.so.,libgdk-3.so.,libgdk_pixbuf-2.0.so.,libgirepository-1.0.so.,libgstreamer-1.0.so.,libgtk-3.so.,libgtksourceview-3.0.so.,libpango-1.0.so.,libpython,libreadline.so.,libsoup-2.4.so.,libssl.so.1.,python2,python3
		48	private-tmp
		49
		50	# memory-deny-write-execute - Breaks on Arch
		51	noexec ${HOME}
		52	noexec /tmp


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 3c89018ed..bd45d7802 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -139,6 +139,7 @@ evince
139	evince-previewer	139	evince-previewer
140	evince-thumbnailer	140	evince-thumbnailer
141	evolution	141	evolution
		142	exfalso
142	exiftool	143	exiftool
143	falkon	144	falkon
144	fbreader	145	fbreader