New profiles: apostrophe & quadrapassel

author: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-06-10 21:56:36 +0200
committer: rusty-snake <41237666+rusty-snake@users.noreply.github.com> 2020-06-11 22:11:35 +0200
commit: 91a2bedaf42abcb947ef9370919b9d5503e84e47 (patch)
tree: 32bba6492b249d8afe8ab4c0d812c010699b52b2 /etc
parent: Add strawberry profile (#3459) (diff)
download: firejail-91a2bedaf42abcb947ef9370919b9d5503e84e47.tar.gz
firejail-91a2bedaf42abcb947ef9370919b9d5503e84e47.tar.zst
firejail-91a2bedaf42abcb947ef9370919b9d5503e84e47.zip
6 files changed, 97 insertions, 4 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 32228b8f2..43c8292e0 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -636,6 +636,7 @@ blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
new file mode 100644
index 000000000..5dfe034e0
--- /dev/null
+++ b/etc/profile-a-l/apostrophe.profile
@@ -0,0 +1,69 @@
+# Firejail profile for apostrophe
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include apostrophe.local
+# Persistent global definitions
+include globals.local
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /usr/share/apostrophe
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin apostrophe,python3*
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+# private-etc templates (see also #1734, #2093)
+#  Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+#    Extra: magic,magic.mgc,passwd,group
+#  Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
+#    Extra: proxychains.conf,gai.conf
+#  Sound: alsa,asound.conf,pulse,machine-id
+#  GUI: fonts,pango,X11
+#  GTK: dconf,gconf,gtk-2.0,gtk-3.0
+#  Qt: Trolltech.conf
+#  KDE: kde4rc,kde5rc
+#  3D: drirc,glvnd,bumblebee,nvidia
+#  D-Bus: dbus-1,machine-id
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.gitlab.somas.Apostrophe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index de4ea97a4..226237b5b 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -19,10 +19,6 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment out if you want an immutable configuration
-read-write ${HOME}/.emacs
-read-write ${HOME}/.emacs.d
 caps.drop all
 netfilter
 nodvd
@@ -33,3 +29,6 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+read-write ${HOME}/.emacs
+read-write ${HOME}/.emacs.d
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 70dd030ee..745b8b8e9 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -42,3 +42,5 @@ private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
 # private-tmp
+dbus-system none
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
new file mode 100644
index 000000000..91e0d9d0d
--- /dev/null
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -0,0 +1,20 @@
+# Firejail profile for quadrapassel
+# Description: Tetris-like game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quadrapassel.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.local/share/quadrapassel
+mkdir ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
+whitelist /usr/share/quadrapassel
+private-bin quadrapassel
+dbus-user.own org.gnome.Quadrapassel
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f643cf252..fd95ceb04 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -51,6 +51,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
 private-tmp
+dbus-system none
 # read-only ${HOME} breaks some not necesarry featrues, comment it if
 # you need them or put 'ignore read-only ${HOME}' into your yelp.local.
 # broken features:
author	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-06-10 21:56:36 +0200
committer	rusty-snake <41237666+rusty-snake@users.noreply.github.com>	2020-06-11 22:11:35 +0200
commit	91a2bedaf42abcb947ef9370919b9d5503e84e47 (patch)
tree	32bba6492b249d8afe8ab4c0d812c010699b52b2 /etc
parent	Add strawberry profile (#3459) (diff)
download	firejail-91a2bedaf42abcb947ef9370919b9d5503e84e47.tar.gz firejail-91a2bedaf42abcb947ef9370919b9d5503e84e47.tar.zst firejail-91a2bedaf42abcb947ef9370919b9d5503e84e47.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 32228b8f2..43c8292e0 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -636,6 +636,7 @@ blacklist ${HOME}/.local/share/pix
636	blacklist ${HOME}/.local/share/plasma_notes	636	blacklist ${HOME}/.local/share/plasma_notes
637	blacklist ${HOME}/.local/share/profanity	637	blacklist ${HOME}/.local/share/profanity
638	blacklist ${HOME}/.local/share/psi+	638	blacklist ${HOME}/.local/share/psi+
		639	blacklist ${HOME}/.local/share/quadrapassel
639	blacklist ${HOME}/.local/share/qpdfview	640	blacklist ${HOME}/.local/share/qpdfview
640	blacklist ${HOME}/.local/share/qutebrowser	641	blacklist ${HOME}/.local/share/qutebrowser
641	blacklist ${HOME}/.local/share/remmina	642	blacklist ${HOME}/.local/share/remmina


diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile new file mode 100644 index 000000000..5dfe034e0 --- /dev/null +++ b/etc/profile-a-l/apostrophe.profile
@@ -0,0 +1,69 @@
		1	# Firejail profile for apostrophe
		2	# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include apostrophe.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${DOCUMENTS}
		10	noblacklist ${PICTURES}
		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	include allow-python3.inc
		14
		15	include disable-common.inc
		16	include disable-devel.inc
		17	include disable-exec.inc
		18	include disable-interpreters.inc
		19	include disable-passwdmgr.inc
		20	include disable-programs.inc
		21	include disable-shell.inc
		22	include disable-xdg.inc
		23
		24	whitelist /usr/share/apostrophe
		25	include whitelist-runuser-common.inc
		26	include whitelist-usr-share-common.inc
		27	include whitelist-var-common.inc
		28
		29	apparmor
		30	caps.drop all
		31	machine-id
		32	net none
		33	no3d
		34	nodvd
		35	nogroups
		36	nonewprivs
		37	noroot
		38	nosound
		39	notv
		40	nou2f
		41	novideo
		42	protocol unix
		43	seccomp
		44	shell none
		45	tracelog
		46
		47	disable-mnt
		48	private-bin apostrophe,python3*
		49	private-cache
		50	private-dev
		51	private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
		52	# private-etc templates (see also #1734, #2093)
		53	# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
		54	# Extra: magic,magic.mgc,passwd,group
		55	# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
		56	# Extra: proxychains.conf,gai.conf
		57	# Sound: alsa,asound.conf,pulse,machine-id
		58	# GUI: fonts,pango,X11
		59	# GTK: dconf,gconf,gtk-2.0,gtk-3.0
		60	# Qt: Trolltech.conf
		61	# KDE: kde4rc,kde5rc
		62	# 3D: drirc,glvnd,bumblebee,nvidia
		63	# D-Bus: dbus-1,machine-id
		64	private-tmp
		65
		66	dbus-user filter
		67	dbus-user.own org.gnome.gitlab.somas.Apostrophe
		68	dbus-user.talk ca.desrt.dconf
		69	dbus-system none


diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile index de4ea97a4..226237b5b 100644 --- a/etc/profile-a-l/emacs.profile +++ b/etc/profile-a-l/emacs.profile
@@ -19,10 +19,6 @@ include disable-common.inc
19	include disable-passwdmgr.inc	19	include disable-passwdmgr.inc
20	include disable-programs.inc	20	include disable-programs.inc
21		21
22	# Comment out if you want an immutable configuration
23	read-write ${HOME}/.emacs
24	read-write ${HOME}/.emacs.d
25
26	caps.drop all	22	caps.drop all
27	netfilter	23	netfilter
28	nodvd	24	nodvd
@@ -33,3 +29,6 @@ notv
33	novideo	29	novideo
34	protocol unix,inet,inet6	30	protocol unix,inet,inet6
35	seccomp	31	seccomp
		32
		33	read-write ${HOME}/.emacs
		34	read-write ${HOME}/.emacs.d


diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile index 70dd030ee..745b8b8e9 100644 --- a/etc/profile-a-l/file-roller.profile +++ b/etc/profile-a-l/file-roller.profile
@@ -42,3 +42,5 @@ private-cache
42	private-dev	42	private-dev
43	private-etc dconf,fonts,gtk-3.0,xdg	43	private-etc dconf,fonts,gtk-3.0,xdg
44	# private-tmp	44	# private-tmp
		45
		46	dbus-system none


diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile new file mode 100644 index 000000000..91e0d9d0d --- /dev/null +++ b/etc/profile-m-z/quadrapassel.profile
@@ -0,0 +1,20 @@
		1	# Firejail profile for quadrapassel
		2	# Description: Tetris-like game for GNOME
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include quadrapassel.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.local/share/quadrapassel
		10
		11	mkdir ${HOME}/.local/share/quadrapassel
		12	whitelist ${HOME}/.local/share/quadrapassel
		13	whitelist /usr/share/quadrapassel
		14
		15	private-bin quadrapassel
		16
		17	dbus-user.own org.gnome.Quadrapassel
		18
		19	# Redirect
		20	include gnome_games-common.profile


diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile index f643cf252..fd95ceb04 100644 --- a/etc/profile-m-z/yelp.profile +++ b/etc/profile-m-z/yelp.profile
@@ -51,6 +51,8 @@ private-dev
51	private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml	51	private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
52	private-tmp	52	private-tmp
53		53
		54	dbus-system none
		55
54	# read-only ${HOME} breaks some not necesarry featrues, comment it if	56	# read-only ${HOME} breaks some not necesarry featrues, comment it if
55	# you need them or put 'ignore read-only ${HOME}' into your yelp.local.	57	# you need them or put 'ignore read-only ${HOME}' into your yelp.local.
56	# broken features:	58	# broken features: