Add new profile: drawio (#3058)

* Create drawio.profile

* Add drawio config to disable-programs.inc

* Add drawio to firecfg.config

2 files changed, 54 insertions, 0 deletions

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 8b08d6051..c56f7a827 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -158,6 +158,7 @@ blacklist ${HOME}/.config/dkl
 blacklist ${HOME}/.config/dnox
 blacklist ${HOME}/.config/dolphinrc
 blacklist ${HOME}/.config/dragonplayerrc
+blacklist ${HOME}/.config/draw.io
 blacklist ${HOME}/.config/d-feet
 blacklist ${HOME}/.config/electron-mail
 blacklist ${HOME}/.config/emaildefaults
diff --git a/etc/drawio.profile b/etc/drawio.profile
new file mode 100644
index 000000000..b50fc6b66
--- /dev/null
+++ b/etc/drawio.profile
@@ -0,0 +1,53 @@
+# Firejail profile for drawio
+# Description: Diagram drawing application built on web technology - desktop version
+# This file is overwritten after every install/update
+# Persistent local customizations
+include drawio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/draw.io
+
+whitelist ${DOWNLOADS}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/draw.io
+whitelist ${HOME}/.config/draw.io
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp !chroot
+shell none
+# tracelog - breaks on Arch
+
+private-bin drawio
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch