profiles: add loupe

Signed-off-by: Tavi <tavi@divested.dev>
author: Tavi <tavi@divested.dev> 2024-04-30 14:35:14 -0400
committer: SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com> 2024-05-01 14:17:30 +0000
commit: 9a0db13e12516efcbbd0d72ce25e8e111f5d3319 (patch)
tree: 7291b8b2b7142b68d854611c6ecf8988fc219386 /etc/profile-a-l
parent: add support for comm, coredump, and prctl procevents in firemon (diff)
download: firejail-9a0db13e12516efcbbd0d72ce25e8e111f5d3319.tar.gz
firejail-9a0db13e12516efcbbd0d72ce25e8e111f5d3319.tar.zst
firejail-9a0db13e12516efcbbd0d72ce25e8e111f5d3319.zip
1 files changed, 50 insertions, 0 deletions
diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile
new file mode 100644
index 000000000..5d39341f5
--- /dev/null
+++ b/etc/profile-a-l/loupe.profile
@@ -0,0 +1,50 @@
+# Firejail profile for loupe
+# Description: GNOME's modern Image Viewer program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include loupe.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/Trash
+noblacklist ${HOME}/.Steam
+noblacklist ${HOME}/.steam
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-write-mnt.inc
+#whitelist /usr/share/glycin-loaders
+include whitelist-runuser-common.inc
+#include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,netlink
+#loupe decodes all images in their own sandbox via glycin
+#https://gitlab.gnome.org/sophie-h/glycin#sandboxing-and-inner-workings
+#seccomp
+seccomp.block-secondary
+tracelog
+private-cache
+private-dev
+private-etc @x11
+private-tmp
author	Tavi <tavi@divested.dev>	2024-04-30 14:35:14 -0400
committer	SkewedZeppelin <8296104+SkewedZeppelin@users.noreply.github.com>	2024-05-01 14:17:30 +0000
commit	9a0db13e12516efcbbd0d72ce25e8e111f5d3319 (patch)
tree	7291b8b2b7142b68d854611c6ecf8988fc219386 /etc/profile-a-l
parent	add support for comm, coredump, and prctl procevents in firemon (diff)
download	firejail-9a0db13e12516efcbbd0d72ce25e8e111f5d3319.tar.gz firejail-9a0db13e12516efcbbd0d72ce25e8e111f5d3319.tar.zst firejail-9a0db13e12516efcbbd0d72ce25e8e111f5d3319.zip

diff --git a/etc/profile-a-l/loupe.profile b/etc/profile-a-l/loupe.profile new file mode 100644 index 000000000..5d39341f5 --- /dev/null +++ b/etc/profile-a-l/loupe.profile
@@ -0,0 +1,50 @@
	1	# Firejail profile for loupe
	2	# Description: GNOME's modern Image Viewer program
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include loupe.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.local/share/Trash
	10	noblacklist ${HOME}/.Steam
	11	noblacklist ${HOME}/.steam
	12
	13	#include disable-common.inc
	14	include disable-devel.inc
	15	include disable-exec.inc
	16	include disable-interpreters.inc
	17	include disable-programs.inc
	18	include disable-write-mnt.inc
	19
	20	#whitelist /usr/share/glycin-loaders
	21	include whitelist-runuser-common.inc
	22	#include whitelist-usr-share-common.inc
	23	include whitelist-var-common.inc
	24
	25	apparmor
	26	caps.drop all
	27	ipc-namespace
	28	machine-id
	29	net none
	30	nodvd
	31	nogroups
	32	noinput
	33	nonewprivs
	34	noprinters
	35	noroot
	36	nosound
	37	notv
	38	nou2f
	39	novideo
	40	protocol unix,netlink
	41	#loupe decodes all images in their own sandbox via glycin
	42	#https://gitlab.gnome.org/sophie-h/glycin#sandboxing-and-inner-workings
	43	#seccomp
	44	seccomp.block-secondary
	45	tracelog
	46
	47	private-cache
	48	private-dev
	49	private-etc @x11
	50	private-tmp