Merge pull request #6226 from glitsj16/gnome-boxes

New profile: gnome-boxes
author: netblue30 <netblue30@protonmail.com> 2024-02-29 10:06:27 -0500
committer: GitHub <noreply@github.com> 2024-02-29 10:06:27 -0500
commit: d38e1e1cfcb785eddcc5090209711f88644e5411 (patch)
tree: 0c3eea27cc22b53f483f4117c721b3bf117110c9
parent: Merge pull request #6216 from powerjungle/master (diff)
parent: Create gnome-boxes.profile (diff)
download: firejail-d38e1e1cfcb785eddcc5090209711f88644e5411.tar.gz
firejail-d38e1e1cfcb785eddcc5090209711f88644e5411.tar.zst
firejail-d38e1e1cfcb785eddcc5090209711f88644e5411.zip
1 files changed, 75 insertions, 0 deletions
diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile
new file mode 100644
index 000000000..b16ffa142
--- /dev/null
+++ b/etc/profile-a-l/gnome-boxes.profile
@@ -0,0 +1,75 @@
+# Firejail profile for gnome-boxes
+# Description: Simple GNOME application to access virtual systems
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-boxes.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gnome-boxes
+noblacklist ${HOME}/.config/gnome-boxes
+noblacklist ${HOME}/.local/share/gnome-boxes
+noblacklist ${RUNUSER}/libvirt
+noblacklist /sbin
+noblacklist /usr/sbin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# breaks app
+#include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/gnome-boxes
+mkdir ${HOME}/.config/gnome-boxes
+mkdir ${HOME}/.local/share/gnome-boxes
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-boxes
+whitelist ${HOME}/.config/gnome-boxes
+whitelist ${HOME}/.local/share/gnome-boxes
+whitelist ${RUNUSER}/libvirt
+whitelist /run/libvirt
+whitelist /usr/libexec/gnome-boxes*
+whitelist /usr/share/gnome-boxes
+whitelist /usr/share/libvirt
+whitelist /usr/share/osinfo
+whitelist /usr/share/qemu
+whitelist /usr/share/seabios
+whitelist /usr/share/vala*
+# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
+whitelist /var/lib/usbutils/usb.ids
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# breaks app
+#apparmor
+# For host-only network sys_admin is needed.
+# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
+#caps.keep net_raw,sys_admin
+netfilter
+nodvd
+notv
+tracelog
+private-cache
+private-etc @network,@sound,@tls-ca,@x11
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Boxes
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+deterministic-shutdown
+# breaks app
+#restrict-namespaces
author	netblue30 <netblue30@protonmail.com>	2024-02-29 10:06:27 -0500
committer	GitHub <noreply@github.com>	2024-02-29 10:06:27 -0500
commit	d38e1e1cfcb785eddcc5090209711f88644e5411 (patch)
tree	0c3eea27cc22b53f483f4117c721b3bf117110c9
parent	Merge pull request #6216 from powerjungle/master (diff)
parent	Create gnome-boxes.profile (diff)
download	firejail-d38e1e1cfcb785eddcc5090209711f88644e5411.tar.gz firejail-d38e1e1cfcb785eddcc5090209711f88644e5411.tar.zst firejail-d38e1e1cfcb785eddcc5090209711f88644e5411.zip

diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile new file mode 100644 index 000000000..b16ffa142 --- /dev/null +++ b/etc/profile-a-l/gnome-boxes.profile
@@ -0,0 +1,75 @@
	1	# Firejail profile for gnome-boxes
	2	# Description: Simple GNOME application to access virtual systems
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include gnome-boxes.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.cache/gnome-boxes
	10	noblacklist ${HOME}/.config/gnome-boxes
	11	noblacklist ${HOME}/.local/share/gnome-boxes
	12	noblacklist ${RUNUSER}/libvirt
	13
	14	noblacklist /sbin
	15	noblacklist /usr/sbin
	16
	17	include disable-common.inc
	18	include disable-devel.inc
	19	include disable-exec.inc
	20	include disable-interpreters.inc
	21	# breaks app
	22	#include disable-proc.inc
	23	include disable-programs.inc
	24	include disable-xdg.inc
	25
	26	mkdir ${HOME}/.cache/gnome-boxes
	27	mkdir ${HOME}/.config/gnome-boxes
	28	mkdir ${HOME}/.local/share/gnome-boxes
	29	whitelist ${DOWNLOADS}
	30	whitelist ${HOME}/.cache/gnome-boxes
	31	whitelist ${HOME}/.config/gnome-boxes
	32	whitelist ${HOME}/.local/share/gnome-boxes
	33	whitelist ${RUNUSER}/libvirt
	34
	35	whitelist /run/libvirt
	36	whitelist /usr/libexec/gnome-boxes*
	37	whitelist /usr/share/gnome-boxes
	38	whitelist /usr/share/libvirt
	39	whitelist /usr/share/osinfo
	40	whitelist /usr/share/qemu
	41	whitelist /usr/share/seabios
	42	whitelist /usr/share/vala*
	43	# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
	44	whitelist /var/lib/usbutils/usb.ids
	45	include whitelist-common.inc
	46	include whitelist-run-common.inc
	47	include whitelist-runuser-common.inc
	48	include whitelist-usr-share-common.inc
	49	include whitelist-var-common.inc
	50
	51	# breaks app
	52	#apparmor
	53	# For host-only network sys_admin is needed.
	54	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
	55	caps.keep net_raw,sys_nice
	56	#caps.keep net_raw,sys_admin
	57	netfilter
	58	nodvd
	59	notv
	60	tracelog
	61
	62	private-cache
	63	private-etc @network,@sound,@tls-ca,@x11
	64	private-tmp
	65
	66	dbus-user filter
	67	dbus-user.own org.gnome.Boxes
	68	dbus-user.talk ca.desrt.dconf
	69	dbus-user.talk org.freedesktop.Notifications
	70	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
	71	dbus-system none
	72
	73	deterministic-shutdown
	74	# breaks app
	75	#restrict-namespaces