profiles: refactor log viewers (#5996)

* profiles: refactor log viewers

Introduces system-log-common.profile as a common profile for existing
GUI log viewer applications.

* system-log-common: enable no3d

1 files changed, 60 insertions, 0 deletions

diff --git a/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for system-log-common
+# Description: Common profile for GUI system log viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include system-log-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+noprinters
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
+# Add 'ignore read-only ${HOME}' to your system-log-common.local
+# if you export logs to a file under your ${HOME}.
+read-only ${HOME}
+writable-var-log