Merge branch 'master' of https://github.com/netblue30/firejail

author: smitsohu <smitsohu@gmail.com> 2018-03-24 17:12:01 +0100
committer: smitsohu <smitsohu@gmail.com> 2018-03-24 17:12:01 +0100
commit: ba1fc01cb77573a205e88d4d5c786398384382c7 (patch)
tree: 76e1eca9fdd598b8f9fa3d288727c22f0e83961a /etc
parent: add basic akonadi integration (diff)
parent: Fixup gnome-recipes and add it to firecfg (diff)
download: firejail-ba1fc01cb77573a205e88d4d5c786398384382c7.tar.gz
firejail-ba1fc01cb77573a205e88d4d5c786398384382c7.tar.zst
firejail-ba1fc01cb77573a205e88d4d5c786398384382c7.zip
3 files changed, 48 insertions, 1 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 586c50a60..3f0d7b337 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -374,6 +374,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
new file mode 100644
index 000000000..2392440a6
--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+noblacklist ${HOME}/.local/share/gnome-recipes
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+include /etc/firejail/whitelist-common.inc
+include /etc/firejail/whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 8b801f11e..ceb680951 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -10,7 +10,8 @@ noblacklist /usr/local/sbin
 noblacklist ${HOME}/.config/libreoffice
 include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
+# libreoffice uses java; if you don't care about java functionality, uncomment this line;
+#include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
 include /etc/firejail/disable-programs.inc
author	smitsohu <smitsohu@gmail.com>	2018-03-24 17:12:01 +0100
committer	smitsohu <smitsohu@gmail.com>	2018-03-24 17:12:01 +0100
commit	ba1fc01cb77573a205e88d4d5c786398384382c7 (patch)
tree	76e1eca9fdd598b8f9fa3d288727c22f0e83961a /etc
parent	add basic akonadi integration (diff)
parent	Fixup gnome-recipes and add it to firecfg (diff)
download	firejail-ba1fc01cb77573a205e88d4d5c786398384382c7.tar.gz firejail-ba1fc01cb77573a205e88d4d5c786398384382c7.tar.zst firejail-ba1fc01cb77573a205e88d4d5c786398384382c7.zip

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 586c50a60..3f0d7b337 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -374,6 +374,7 @@ blacklist ${HOME}/.local/share/gnome-2048
374	blacklist ${HOME}/.local/share/gnome-chess	374	blacklist ${HOME}/.local/share/gnome-chess
375	blacklist ${HOME}/.local/share/gnome-music	375	blacklist ${HOME}/.local/share/gnome-music
376	blacklist ${HOME}/.local/share/gnome-photos	376	blacklist ${HOME}/.local/share/gnome-photos
		377	blacklist ${HOME}/.local/share/gnome-recipes
377	blacklist ${HOME}/.local/share/gnome-ring	378	blacklist ${HOME}/.local/share/gnome-ring
378	blacklist ${HOME}/.local/share/gnome-twitch	379	blacklist ${HOME}/.local/share/gnome-twitch
379	blacklist ${HOME}/.local/share/gwenview	380	blacklist ${HOME}/.local/share/gwenview


diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile new file mode 100644 index 000000000..2392440a6 --- /dev/null +++ b/etc/gnome-recipes.profile
@@ -0,0 +1,45 @@
		1	# Firejail profile for gnome-recipes
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include /etc/firejail/gnome-recipes.local
		5	# Persistent global definitions
		6	include /etc/firejail/globals.local
		7
		8
		9	noblacklist ${HOME}/.local/share/gnome-recipes
		10
		11	include /etc/firejail/disable-common.inc
		12	include /etc/firejail/disable-devel.inc
		13	include /etc/firejail/disable-passwdmgr.inc
		14	include /etc/firejail/disable-programs.inc
		15
		16	mkdir ${HOME}/.cache/gnome-recipes
		17	whitelist ${HOME}/.cache/gnome-recipes
		18	include /etc/firejail/whitelist-common.inc
		19	include /etc/firejail/whitelist-var-common.inc
		20
		21	caps.drop all
		22	ipc-namespace
		23	netfilter
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	nosound
		29	notv
		30	novideo
		31	protocol unix,inet,inet6
		32	seccomp
		33	shell none
		34
		35	disable-mnt
		36	private-bin gnome-recipes,tar
		37	private-dev
		38	private-etc ca-certificates,fonts,ssl
		39	# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
		40	# not widely tested though, leaving it to devs discretion to enable it later
		41	#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
		42	private-tmp
		43
		44	noexec ${HOME}
		45	noexec /tmp


diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile index 8b801f11e..ceb680951 100644 --- a/etc/libreoffice.profile +++ b/etc/libreoffice.profile
@@ -10,7 +10,8 @@ noblacklist /usr/local/sbin
10	noblacklist ${HOME}/.config/libreoffice	10	noblacklist ${HOME}/.config/libreoffice
11		11
12	include /etc/firejail/disable-common.inc	12	include /etc/firejail/disable-common.inc
13	include /etc/firejail/disable-devel.inc	13	# libreoffice uses java; if you don't care about java functionality, uncomment this line;
		14	#include /etc/firejail/disable-devel.inc
14	include /etc/firejail/disable-passwdmgr.inc	15	include /etc/firejail/disable-passwdmgr.inc
15	include /etc/firejail/disable-programs.inc	16	include /etc/firejail/disable-programs.inc
16		17