authorLibravatar kortewegdevries <kortewegdevries@protonmail.ch>2020-09-02 10:49:32 +0000
committerLibravatar GitHub <noreply@github.com>2020-09-02 10:49:32 +0000
commitc542881105c2126f7665b2e6ffbccc50045bddf2 (patch)
tree60dfbb2c99bd92e9104d009e4f8f831203791b03
parentFix private-etc of electron-mail, fix geary,minitube (#3588) (diff)
New profile for man,psi,smuxi; fix pidgin (#3590)
* Profile for Psi * Fix pidgin buddy icon * Profile for man * Add profile for smuxi * Comment man in firecfg * Add pinentry programs * Update etc/profile-m-z/psi.profile Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
-rw-r--r--etc/inc/disable-programs.inc9
-rw-r--r--etc/profile-m-z/man.profile66
-rw-r--r--etc/profile-m-z/pidgin.profile2
-rw-r--r--etc/profile-m-z/psi.profile78
-rw-r--r--etc/profile-m-z/smuxi-frontend-gnome.profile55
-rw-r--r--src/firecfg/firecfg.config3
6 files changed, 213 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 6b0c16d5f..1264caf30 100644
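--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -285,6 +285,7 @@ blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
+blacklist ${HOME}/.local/share/man
 blacklist ${HOME}/.config/mana
 blacklist ${HOME}/.config/mate-calc
 blacklist ${HOME}/.config/mate/eom
@@ -337,6 +338,7 @@ blacklist ${HOME}/.config/pluma
 blacklist ${HOME}/.config/ppsspp
 blacklist ${HOME}/.config/pragha
 blacklist ${HOME}/.config/profanity
+blacklist ${HOME}/.config/psi
 blacklist ${HOME}/.config/psi+
 blacklist ${HOME}/.config/qBittorrent
 blacklist ${HOME}/.config/qBittorrentrc
@@ -356,6 +358,7 @@ blacklist ${HOME}/.config/skypeforlinux
 blacklist ${HOME}/.config/slimjet
 blacklist ${HOME}/.config/smplayer
 blacklist ${HOME}/.config/smtube
+blacklist ${HOME}/.config/smuxi
 blacklist ${HOME}/.config/snox
 blacklist ${HOME}/.config/sound-juicer
 blacklist ${HOME}/.config/specialmailcollectionsrc
@@ -547,6 +550,7 @@ blacklist ${HOME}/.local/share/Kingsoft
 blacklist ${HOME}/.local/share/Mendeley Ltd.
 blacklist ${HOME}/.local/share/Mumble
 blacklist ${HOME}/.local/share/PBE
+blacklist ${HOME}/.local/share/Psi
 blacklist ${HOME}/.local/share/QGIS
 blacklist ${HOME}/.local/share/QMediathekView
 blacklist ${HOME}/.local/share/QuiteRss
@@ -664,6 +668,7 @@ blacklist ${HOME}/.local/share/Paradox Interactive
 blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
+blacklist ${HOME}/.local/share/psi
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
@@ -673,6 +678,7 @@ blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/rtv
 blacklist ${HOME}/.local/share/scribus
 blacklist ${HOME}/.local/share/signal-cli
+blacklist ${HOME}/.local/share/smuxi
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/strawberry
@@ -832,6 +838,7 @@ blacklist ${HOME}/.cache/INRIA
 blacklist ${HOME}/.cache/MusicBrainz
 blacklist ${HOME}/.cache/NewsFlashGTK
 blacklist ${HOME}/.cache/Otter
+blacklist ${HOME}/.cache/Psi
 blacklist ${HOME}/.cache/QuiteRss
 blacklist ${HOME}/.cache/Quotient/quaternion
 blacklist ${HOME}/.cache/Shortwave
@@ -932,12 +939,14 @@ blacklist ${HOME}/.cache/peek
 blacklist ${HOME}/.cache/pip
 blacklist ${HOME}/.cache/plasmashell
 blacklist ${HOME}/.cache/plasmashellbookmarkrunnerfirefoxdbfile.sqlite*
+blacklist ${HOME}/.cache/psi
 blacklist ${HOME}/.cache/qBittorrent
 blacklist ${HOME}/.cache/qupzilla
 blacklist ${HOME}/.cache/qutebrowser
 blacklist ${HOME}/.cache/rhythmbox
 blacklist ${HOME}/.cache/simple-scan
 blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/smuxi
 blacklist ${HOME}/.cache/snox
 blacklist ${HOME}/.cache/spotify
 blacklist ${HOME}/.cache/strawberry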
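Review bot: The first hunk inserts `blacklist ${HOME}/.local/share/man` between `${HOME}/.config/mailtransports` and `${HOME}/.config/mana`, inside the run of `.config` entries, while every other path added in this file sits in the block for its own directory. The entry still takes effect wherever it is placed, but someone checking whether the path is covered will look among the `${HOME}/.local/share/...` lines and may miss it or add a duplicate. I would move it into that block at its sorted position; the lines it would sit between are outside the visible hunks.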
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
new file mode 100644
index 000000000..c62d797ea
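--- /dev/null
+++ b/etc/profile-m-z/man.profile
@@ -0,0 +1,66 @@
+# Firejail profile for man
+# Description: manpage viewer
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include man.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.local/share/man
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/man
+whitelist ${HOME}/.local/share/man
+whitelist ${HOME}/.manpath
+whitelist /usr/share/groff
+whitelist /usr/share/info
+whitelist /usr/share/lintian
+whitelist /usr/share/locale
+whitelist /usr/share/man
+whitelist /var/cache/man
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+nou2f
+protocol unix
+seccomp
+shell none
+tracelog
+x11 none
+
+disable-mnt
+private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,
+zcat,zsoelim
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute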
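Review bot: The `private-bin` list is split across two lines: line 56 ends in a trailing comma after `xtotroff,` and line 57 is a bare `zcat,zsoelim`, which is not a profile command. The separate gutter numbers 56 and 57 and the 66-line hunk count show that the break is in the file itself and not a rendering artifact. At best `zcat` and `zsoelim` are left out of the private bin directory, so compressed pages fail to open. More likely the profile parser rejects line 57 as invalid and the sandbox does not start at all, though that is inferred and not shown on this page. Join the two into one line: `private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim`.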
diff --git a/etc/profile-m-z/pidgin.profile b/etc/profile-m-z/pidgin.profile
index 2e4215744..e81e78ca7 100644
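--- a/etc/profile-m-z/pidgin.profile
+++ b/etc/profile-m-z/pidgin.profile
@@ -21,6 +21,8 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.purple
 whitelist ${HOME}/.purple
+whitelist ${DOWNLOADS}
+whitelist ${PICTURES}
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc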
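Review bot: The two added whitelists make all of `${DOWNLOADS}` and `${PICTURES}` reachable from a network-facing chat client, and nothing in the profile says why `${PICTURES}` is needed. The commit message ties the change to the buddy icon fix; record that next to the line, for example `# ${PICTURES} is needed to choose a buddy icon`. If choosing an icon only needs read access, consider following the whitelist with `read-only ${PICTURES}` so that a compromised client cannot modify the user's photos. Whether Pidgin also writes to that directory is not visible from this hunk, so that part needs testing.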
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
new file mode 100644
index 000000000..d3112ae95
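--- /dev/null
+++ b/etc/profile-m-z/psi.profile
@@ -0,0 +1,78 @@
+# Firejail profile for psi
+# Description: Native XMPP client with GPG support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include psi.local
+# Persistent global definitions
+include globals.local
+
+# Uncomment for GPG
+# noblacklist ${HOME}/.gnupg
+noblacklist ${HOME}/.cache/psi
+noblacklist ${HOME}/.cache/Psi
+noblacklist ${HOME}/.config/psi
+noblacklist ${HOME}/.local/share/psi
+noblacklist ${HOME}/.local/share/Psi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# Uncomment for GPG
+# mkdir ${HOME}/.gnupg
+mkdir ${HOME}/.cache/psi
+mkdir ${HOME}/.cache/Psi
+mkdir ${HOME}/.config/psi
+mkdir ${HOME}/.local/share/psi
+mkdir ${HOME}/.local/share/Psi
+# Uncomment for GPG
+# whitelist ${HOME}/.gnupg
+whitelist ${HOME}/.cache/psi
+whitelist ${HOME}/.cache/Psi
+whitelist ${HOME}/.config/psi
+whitelist ${HOME}/.local/share/psi
+whitelist ${HOME}/.local/share/Psi
+whitelist ${DOWNLOADS}
+# Uncomment for GPG
+# whitelist /usr/share/gnupg
+# whitelist /usr/share/gnupg2
+whitelist /usr/share/psi
+# Uncomment for GPG
+# whitelist ${RUNUSER}/gnupg
+# whitelist ${RUNUSER}/keyring
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp !chroot
+shell none
+# breaks on Arch
+# tracelog
+
+disable-mnt
+# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
+private-bin getopt,psi
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,gcrypt,group,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none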
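Review bot: `seccomp !chroot` on line 64 exempts `chroot` from the syscall filter without saying why; the only comment in that block is the one about `tracelog` on Arch. An unexplained exception in a seccomp list tends to be copied into other profiles or kept after it is no longer needed. Add a comment above it naming what fails without the exception, e.g. `# <component> needs chroot for its own sandbox`, with the real component filled in. smuxi-frontend-gnome.profile in the same commit uses plain `seccomp`, so the exception appears to be specific to psi.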
diff --git a/etc/profile-m-z/smuxi-frontend-gnome.profile b/etc/profile-m-z/smuxi-frontend-gnome.profile
new file mode 100644
index 000000000..541e5a1c4
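--- /dev/null
+++ b/etc/profile-m-z/smuxi-frontend-gnome.profile
@@ -0,0 +1,55 @@
+# Firejail profile for smuxi-frontend-gnome
+# Description: Multi protocol chat client with Twitter support
+# This file is overwritten after every install/update
+# Persistent local customizations
+include smuxi-frontend-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/smuxi
+noblacklist ${HOME}/.config/smuxi
+noblacklist ${HOME}/.local/share/smuxi
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/smuxi
+mkdir ${HOME}/.config/smuxi
+mkdir ${HOME}/.local/share/smuxi
+whitelist ${HOME}/.cache/smuxi
+whitelist ${HOME}/.config/smuxi
+whitelist ${HOME}/.local/share/smuxi
+whitelist ${DOWNLOADS}
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin bash,mono,mono-sgen,sh,smuxi-frontend-gnome
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,ld.so.conf,machine-id,mono,passwd,pki,pulse,resolv.conf,selinux,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none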
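Review bot: `private-bin` on line 48 keeps `bash` and `sh` inside the sandbox, and this profile does not include `disable-shell.inc`, unlike psi.profile in the same commit. The likely reason is that the launcher is a shell script that starts `mono`, but the profile does not say so. A comment such as `# smuxi-frontend-gnome is a shell wrapper around mono` (if that is the case) would keep a later cleanup from removing the shells and breaking startup, or from leaving them in once they are no longer needed. `novideo` is also absent here although psi.profile sets it; add it unless the client uses a camera.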
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 62b27aa06..54c568f27 100644
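--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -439,6 +439,7 @@ lynx
 lyx
 macrofusion
 magicor
+# man
 manaplus
 masterpdfeditor
 masterpdfeditor4
@@ -591,6 +592,7 @@ pragha
 presentations18
 presentations18free
 profanity
+psi
 psi-plus
 pybitmessage
 # pycharm-community - FB note: may enable later
@@ -654,6 +656,7 @@ slack
 slashem
 smplayer
 smtube
+smuxi-frontend-gnome
 snox
 soffice
 sol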
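Review bot: The first hunk adds `man` commented out with no reason given, so a reader cannot tell whether the profile is meant to be opt-in or is known to break something. The file already has a convention for this on the `# pycharm-community - FB note: may enable later` line in the second hunk. Give `# man` the same kind of trailing note, e.g. `# man - <reason it is not enabled by default>`.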