Merge branch 'master' of https://github.com/netblue30/firejail

author: smitsohu <smitsohu@gmail.com> 2019-09-22 13:26:53 +0200
committer: smitsohu <smitsohu@gmail.com> 2019-09-22 13:26:53 +0200
commit: 04057a4652e889e23b66d95da770e7e7abf75ba5 (patch)
tree: 077d19a3bae185e66ee495abff143680ab978246 /etc
parent: minor optimization (diff)
parent: Inkscape: allow xcf export (diff)
download: firejail-04057a4652e889e23b66d95da770e7e7abf75ba5.tar.gz
firejail-04057a4652e889e23b66d95da770e7e7abf75ba5.tar.zst
firejail-04057a4652e889e23b66d95da770e7e7abf75ba5.zip
6 files changed, 105 insertions, 0 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index e54b651a6..7dbe535fe 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -183,6 +183,7 @@ blacklist ${HOME}/.config/ghostwriter
 blacklist ${HOME}/.config/git
 blacklist ${HOME}/.config/globaltime
 blacklist ${HOME}/.config/gnome-builder
+blacklist ${HOME}/.config/gnome-latex
 blacklist ${HOME}/.config/gnome-mplayer
 blacklist ${HOME}/.config/gnome-mpv
 blacklist ${HOME}/.config/gnome-pie
@@ -502,6 +503,7 @@ blacklist ${HOME}/.local/share/gitg
 blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-builder
+blacklist ${HOME}/.local/share/gnome-latex
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
 blacklist ${HOME}/.local/share/gnome-recipes
diff --git a/etc/gnome-latex.profile b/etc/gnome-latex.profile
new file mode 100644
index 000000000..9cef9072c
--- /dev/null
+++ b/etc/gnome-latex.profile
@@ -0,0 +1,46 @@
+# Firejail profile for gnome-latex
+# Description: LaTeX editor for the GNOME desktop
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-latex.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gnome-latex
+noblacklist ${HOME}/.local/share/gnome-latex
+# Allow perl (blacklisted by disable-interpreters.inc)
+include allow-perl.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+# May cause issues.
+#include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+private-cache
+private-dev
+# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
+private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive
diff --git a/etc/inkscape.profile b/etc/inkscape.profile
index a1b3bce23..a968609a9 100644
--- a/etc/inkscape.profile
+++ b/etc/inkscape.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.config/inkscape
 noblacklist ${HOME}/.inkscape
 noblacklist ${DOCUMENTS}
 noblacklist ${PICTURES}
+# Allow exporting .xcf files
+noblacklist ${HOME}/.config/GIMP
+noblacklist ${HOME}/.gimp*
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
diff --git a/etc/pngquant.profile b/etc/pngquant.profile
new file mode 100644
index 000000000..8c06cef1a
--- /dev/null
+++ b/etc/pngquant.profile
@@ -0,0 +1,47 @@
+# Firejail profile for pngquant
+# Description: PNG converter and lossy image compressor
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include pngquant.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+# protocol can be empty, but this is not yet supported see #639
+protocol inet
+seccomp
+shell none
+tracelog
+x11 none
+private-bin pngquant
+private-cache
+private-dev
+private-etc alternatives
+private-tmp
+memory-deny-write-execute
diff --git a/etc/steam.profile b/etc/steam.profile
index 654ea825e..762cbd1b3 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -38,6 +38,8 @@ include disable-programs.inc
 include whitelist-var-common.inc
+# allow-debuggers needed for running some games with proton
+allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 717c82379..9c1b7b92c 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons
 whitelist ${HOME}/.local/share/mime
 whitelist ${HOME}/.mime.types
+# dconf
+mkdir ${HOME}/.config/dconf
+whitelist ${HOME}/.config/dconf
 # fonts
 whitelist ${HOME}/.cache/fontconfig
 whitelist ${HOME}/.config/fontconfig
author	smitsohu <smitsohu@gmail.com>	2019-09-22 13:26:53 +0200
committer	smitsohu <smitsohu@gmail.com>	2019-09-22 13:26:53 +0200
commit	04057a4652e889e23b66d95da770e7e7abf75ba5 (patch)
tree	077d19a3bae185e66ee495abff143680ab978246 /etc
parent	minor optimization (diff)
parent	Inkscape: allow xcf export (diff)
download	firejail-04057a4652e889e23b66d95da770e7e7abf75ba5.tar.gz firejail-04057a4652e889e23b66d95da770e7e7abf75ba5.tar.zst firejail-04057a4652e889e23b66d95da770e7e7abf75ba5.zip

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index e54b651a6..7dbe535fe 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -183,6 +183,7 @@ blacklist ${HOME}/.config/ghostwriter
183	blacklist ${HOME}/.config/git	183	blacklist ${HOME}/.config/git
184	blacklist ${HOME}/.config/globaltime	184	blacklist ${HOME}/.config/globaltime
185	blacklist ${HOME}/.config/gnome-builder	185	blacklist ${HOME}/.config/gnome-builder
		186	blacklist ${HOME}/.config/gnome-latex
186	blacklist ${HOME}/.config/gnome-mplayer	187	blacklist ${HOME}/.config/gnome-mplayer
187	blacklist ${HOME}/.config/gnome-mpv	188	blacklist ${HOME}/.config/gnome-mpv
188	blacklist ${HOME}/.config/gnome-pie	189	blacklist ${HOME}/.config/gnome-pie
@@ -502,6 +503,7 @@ blacklist ${HOME}/.local/share/gitg
502	blacklist ${HOME}/.local/share/gnome-2048	503	blacklist ${HOME}/.local/share/gnome-2048
503	blacklist ${HOME}/.local/share/gnome-chess	504	blacklist ${HOME}/.local/share/gnome-chess
504	blacklist ${HOME}/.local/share/gnome-builder	505	blacklist ${HOME}/.local/share/gnome-builder
		506	blacklist ${HOME}/.local/share/gnome-latex
505	blacklist ${HOME}/.local/share/gnome-music	507	blacklist ${HOME}/.local/share/gnome-music
506	blacklist ${HOME}/.local/share/gnome-photos	508	blacklist ${HOME}/.local/share/gnome-photos
507	blacklist ${HOME}/.local/share/gnome-recipes	509	blacklist ${HOME}/.local/share/gnome-recipes


diff --git a/etc/gnome-latex.profile b/etc/gnome-latex.profile new file mode 100644 index 000000000..9cef9072c --- /dev/null +++ b/etc/gnome-latex.profile
@@ -0,0 +1,46 @@
		1	# Firejail profile for gnome-latex
		2	# Description: LaTeX editor for the GNOME desktop
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gnome-latex.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/gnome-latex
		10	noblacklist ${HOME}/.local/share/gnome-latex
		11
		12	# Allow perl (blacklisted by disable-interpreters.inc)
		13	include allow-perl.inc
		14
		15	include disable-common.inc
		16	include disable-devel.inc
		17	include disable-exec.inc
		18	include disable-interpreters.inc
		19	include disable-passwdmgr.inc
		20	include disable-programs.inc
		21
		22	# May cause issues.
		23	#include whitelist-var-common.inc
		24
		25	apparmor
		26	caps.drop all
		27	machine-id
		28	net none
		29	no3d
		30	nodvd
		31	nogroups
		32	nonewprivs
		33	noroot
		34	nosound
		35	notv
		36	nou2f
		37	novideo
		38	protocol unix
		39	seccomp
		40	shell none
		41	tracelog
		42
		43	private-cache
		44	private-dev
		45	# passwd,login.defs,firejail are a temporary workaround for #2877 and can be removed once it is fixed
		46	private-etc alternatives,dconf,fonts,gtk-3.0,latexmk.conf,login.defs,passwd,texlive


diff --git a/etc/inkscape.profile b/etc/inkscape.profile index a1b3bce23..a968609a9 100644 --- a/etc/inkscape.profile +++ b/etc/inkscape.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.config/inkscape
11	noblacklist ${HOME}/.inkscape	11	noblacklist ${HOME}/.inkscape
12	noblacklist ${DOCUMENTS}	12	noblacklist ${DOCUMENTS}
13	noblacklist ${PICTURES}	13	noblacklist ${PICTURES}
		14	# Allow exporting .xcf files
		15	noblacklist ${HOME}/.config/GIMP
		16	noblacklist ${HOME}/.gimp*
		17
14		18
15	# Allow python (blacklisted by disable-interpreters.inc)	19	# Allow python (blacklisted by disable-interpreters.inc)
16	include allow-python2.inc	20	include allow-python2.inc


diff --git a/etc/pngquant.profile b/etc/pngquant.profile new file mode 100644 index 000000000..8c06cef1a --- /dev/null +++ b/etc/pngquant.profile
@@ -0,0 +1,47 @@
		1	# Firejail profile for pngquant
		2	# Description: PNG converter and lossy image compressor
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include pngquant.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16
		17	include whitelist-var-common.inc
		18
		19	apparmor
		20	caps.drop all
		21	ipc-namespace
		22	machine-id
		23	net none
		24	no3d
		25	nodbus
		26	nodvd
		27	nogroups
		28	nonewprivs
		29	noroot
		30	nosound
		31	notv
		32	nou2f
		33	novideo
		34	# protocol can be empty, but this is not yet supported see #639
		35	protocol inet
		36	seccomp
		37	shell none
		38	tracelog
		39	x11 none
		40
		41	private-bin pngquant
		42	private-cache
		43	private-dev
		44	private-etc alternatives
		45	private-tmp
		46
		47	memory-deny-write-execute


diff --git a/etc/steam.profile b/etc/steam.profile index 654ea825e..762cbd1b3 100644 --- a/etc/steam.profile +++ b/etc/steam.profile
@@ -38,6 +38,8 @@ include disable-programs.inc
38		38
39	include whitelist-var-common.inc	39	include whitelist-var-common.inc
40		40
		41	# allow-debuggers needed for running some games with proton
		42	allow-debuggers
41	caps.drop all	43	caps.drop all
42	#ipc-namespace	44	#ipc-namespace
43	netfilter	45	netfilter


diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc index 717c82379..9c1b7b92c 100644 --- a/etc/whitelist-common.inc +++ b/etc/whitelist-common.inc
@@ -20,6 +20,10 @@ whitelist ${HOME}/.local/share/icons
20	whitelist ${HOME}/.local/share/mime	20	whitelist ${HOME}/.local/share/mime
21	whitelist ${HOME}/.mime.types	21	whitelist ${HOME}/.mime.types
22		22
		23	# dconf
		24	mkdir ${HOME}/.config/dconf
		25	whitelist ${HOME}/.config/dconf
		26
23	# fonts	27	# fonts
24	whitelist ${HOME}/.cache/fontconfig	28	whitelist ${HOME}/.cache/fontconfig
25	whitelist ${HOME}/.config/fontconfig	29	whitelist ${HOME}/.config/fontconfig