Profile for jitsi-meet-desktop (#3362)

* Profile for Jitsi Meet desktop app (electron)

* Update description.

* Correctly include global definitions.

* Add jitsi-meet-desktop to firecfg.

* blacklist Jitsi-meet config directory in disable-programs.inc

* Disable more things.

disable-exec.inc not included, as the application shows some error if I
include it.

* Disable more stuff.

* No need to whitelist Downloads directory.

I don't think this application has any file sharing / downloading
feature.

* Use private-bin

I needed to allow the bash executable as well for this to work.

* Add some whitelist rules.

* Use private-cache option

* include disable-exec.inc

Apparently one needs to allow execution in /tmp for the program to work.

* Redirect to electron.profile.

* Use private-etc.

* Do not whitelist Downloads directory.

electron.profile does this, but I do not think this program needs it.

* Rearrange whitelisted files to alphabetical order.

* Move nonwhitelist to appropriate section.

* Newlines as section separators.

2 files changed, 40 insertions, 0 deletions

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ffe60e283..9e6af8785 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -88,6 +88,7 @@ blacklist ${HOME}/.config/Google Play Music Desktop Player
 blacklist ${HOME}/.config/Gpredict
 blacklist ${HOME}/.config/INRIA
 blacklist ${HOME}/.config/InSilmaril
+blacklist ${HOME}/.config/Jitsi Meet
 blacklist ${HOME}/.config/Kid3
 blacklist ${HOME}/.config/Kingsoft
 blacklist ${HOME}/.config/Luminance
diff --git a/etc/jitsi-meet-desktop.profile b/etc/jitsi-meet-desktop.profile
new file mode 100644
index 000000000..c4121d835
--- /dev/null
+++ b/etc/jitsi-meet-desktop.profile
@@ -0,0 +1,39 @@
+# Firejail profile for jitsi-meet-desktop
+# Description: Jitsi Meet desktop application powered by Electron
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jitsi-meet-desktop.local
+# Persistent global definitions
+include globals.local
+
+ignore noexec /tmp
+
+noblacklist ${HOME}/.config/Jitsi Meet
+
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-xdg.inc
+
+nowhitelist ${DOWNLOADS}
+
+mkdir ${HOME}/.config/Jitsi Meet
+
+whitelist ${HOME}/.config/Jitsi Meet
+
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+seccomp !chroot
+
+disable-mnt
+private-bin bash,jitsi-meet-desktop
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,drirc,fonts,glvnd,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+# Redirect
+include electron.profile