Merge branch 'master' of https://github.com/netblue30/firejail

7 files changed, 45 insertions, 5 deletions

diff --git a/etc/cvlc.profile b/etc/cvlc.profile
index ee1346617..460966321 100644
--- a/etc/cvlc.profile
+++ b/etc/cvlc.profile
@@ -14,11 +14,9 @@ include /etc/firejail/disable-programs.inc
 
 caps.drop all
 netfilter
-nodvd
 nogroups
 nonewprivs
 noroot
-notv
 protocol unix,inet,inet6,netlink
 seccomp
 shell none
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a54d2a739..7b0e6e9eb 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -44,6 +44,8 @@ blacklist ${HOME}/.config/Luminance
 blacklist ${HOME}/.config/Meltytech
 blacklist ${HOME}/.config/Mousepad
 blacklist ${HOME}/.config/Mumble
+blacklist ${HOME}/.config/MusE
+blacklist ${HOME}/.config/MuseScore
 blacklist ${HOME}/.config/Nylas Mail
 blacklist ${HOME}/.config/Qlipper
 blacklist ${HOME}/.config/QuiteRss
@@ -274,6 +276,8 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/data/Mumble
+blacklist ${HOME}/.local/share/data/MusE
+blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
 blacklist ${HOME}/.local/share/epiphany
diff --git a/etc/konversation.profile b/etc/konversation.profile
index 8bc263d4d..212aa8817 100644
--- a/etc/konversation.profile
+++ b/etc/konversation.profile
@@ -15,9 +15,12 @@ caps.drop all
 netfilter
 nodvd
 nogroups
+nonewprivs
 noroot
 notv
+novideo
 protocol unix,inet,inet6
 seccomp
+tracelog
 
 private-tmp
diff --git a/etc/musescore.profile b/etc/musescore.profile
new file mode 100644
index 000000000..bd00bea69
--- /dev/null
+++ b/etc/musescore.profile
@@ -0,0 +1,30 @@
+# Firejail profile for musescore
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/musescore.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ~/.config/MusE
+noblacklist ~/.config/MuseScore
+noblacklist ~/.local/share/data/MusE
+noblacklist ~/.local/share/data/MuseScore
+
+caps.drop all
+netfilter
+no3d
+nodvd
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+
+# private-bin musescore,mscore
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/skanlite.profile b/etc/skanlite.profile
index 0338bc452..1d590a142 100644
--- a/etc/skanlite.profile
+++ b/etc/skanlite.profile
@@ -12,6 +12,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+# net none
 netfilter
 nodvd
 nogroups
@@ -19,11 +20,13 @@ nonewprivs
 noroot
 nosound
 notv
-# protocol unix,inet,inet6
-seccomp
+novideo
+protocol unix,netlink
+# skanlite makes ioperm system calls, which are blacklisted by default.
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@reboot,@resources,@swap,acct,add_key,bpf,chroot,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,iopl,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,pciconfig_iobase,pciconfig_read,pciconfig_write,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,s390_mmio_read,s390_mmio_write,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
 shell none
 
-# private-bin skanlite
+# private-bin skanlite,kbuildsycoca4
 # private-dev
 # private-etc
 # private-tmp
diff --git a/etc/tracker.profile b/etc/tracker.profile
index ded2ae2e5..f3dfb2d4e 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -23,6 +23,7 @@ nonewprivs
 noroot
 nosound
 notv
+novideo
 protocol unix
 seccomp
 shell none
diff --git a/etc/tuxguitar.profile b/etc/tuxguitar.profile
index ddbcce3f6..5b6a257f6 100644
--- a/etc/tuxguitar.profile
+++ b/etc/tuxguitar.profile
@@ -14,6 +14,7 @@ include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
 
 caps.drop all
+netfilter
 no3d
 nodvd
 nonewprivs