New profiles for alacarte,tootle,photoflare (#3816)

* New profiles for alacarte,tootle,photoflare * Fix dbus Co-authored-by: kortewegdevries <kortewegdevries@protonmail.ch>
author: kortewegdevries <62639087+kortewegdevries@users.noreply.github.com> 2020-12-16 18:12:48 +0000
committer: GitHub <noreply@github.com> 2020-12-16 18:12:48 +0000
commit: f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f (patch)
tree: 071ecab873aa6e02620f5a71d11d8a5e946d66bf /etc
parent: archiver fixes (#3830) (diff)
download: firejail-f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f.tar.gz
firejail-f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f.tar.zst
firejail-f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f.zip
4 files changed, 170 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 9b098f43c..59bd28f95 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -188,6 +188,7 @@ blacklist ${HOME}/.config/chromium-flags.conf
 blacklist ${HOME}/.config/clipit
 blacklist ${HOME}/.config/cliqz
 blacklist ${HOME}/.config/cmus
+blacklist ${HOME}/.config/com.github.bleakgrey.tootle
 blacklist ${HOME}/.config/corebird
 blacklist ${HOME}/.config/cower
 blacklist ${HOME}/.config/darktable
diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile
new file mode 100644
index 000000000..5fabf8283
--- /dev/null
+++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,64 @@
+# Firejail profile for alacarte
+# Description: Create desktop and menu launchers easily
+# This file is overwritten after every install/update
+# Persistent local customizations
+include alacarte.local
+# Persistent global definitions
+include globals.local
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-passwdmgr.inc
+include disable-xdg.inc
+# Whitelist your system icon directory,varies by distro
+whitelist /usr/share/alacarte
+whitelist /usr/share/app-info
+whitelist /usr/share/desktop-directories
+whitelist /usr/share/icons
+whitelist /var/lib/app-info/icons
+whitelist /var/lib/flatpak/exports/share/applications
+whitelist /var/lib/flatpak/exports/share/icons
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin alacarte,bash,python*,sh
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
+private-tmp
+dbus-user none
+dbus-system none
+read-write ${HOME}/.config/menus
+read-write ${HOME}/.gnome/apps
+read-write ${HOME}/.local/share/applications
+read-write ${HOME}/.local/share/flatpak/exports
diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
new file mode 100644
index 000000000..4de7eb497
--- /dev/null
+++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -0,0 +1,55 @@
+# Firejail profile for com.github.bleakgrey.tootle
+# Description: Gtk Mastodon client
+# This file is overwritten after every install/update
+# Persistent local customizations
+include com.github.bleakgrey.tootle.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.config/com.github.bleakgrey.tootle
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.config/com.github.bleakgrey.tootle
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin com.github.bleakgrey.tootle
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
+private-tmp
+# Settings are immutable
+# dbus-user filter
+# dbus-user.own com.github.bleakgrey.tootle
+# dbus-user.talk ca.desrt.dconf
+dbus-system none
diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile
new file mode 100644
index 000000000..d9df3e3b3
--- /dev/null
+++ b/etc/profile-m-z/photoflare.profile
@@ -0,0 +1,50 @@
+# Firejail profile for photoflare
+# Description: Simple painting and editing program
+# This file is overwritten after every install/update
+# Persistent local customizations
+include photoflare.local
+# Persistent global definitions
+include photoflare.local
+noblacklist ${PICTURES}
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc 
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+include whitelist-runuser-common.inc 
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+nodvd
+no3d
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin photoflare
+private-cache
+private-dev
+private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
+private-tmp
+dbus-user none
+dbus-system none
author	kortewegdevries <62639087+kortewegdevries@users.noreply.github.com>	2020-12-16 18:12:48 +0000
committer	GitHub <noreply@github.com>	2020-12-16 18:12:48 +0000
commit	f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f (patch)
tree	071ecab873aa6e02620f5a71d11d8a5e946d66bf /etc
parent	archiver fixes (#3830) (diff)
download	firejail-f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f.tar.gz firejail-f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f.tar.zst firejail-f3056a862a6eb9ccbd08760c1b8d7fa769f90e9f.zip

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 9b098f43c..59bd28f95 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -188,6 +188,7 @@ blacklist ${HOME}/.config/chromium-flags.conf
188	blacklist ${HOME}/.config/clipit	188	blacklist ${HOME}/.config/clipit
189	blacklist ${HOME}/.config/cliqz	189	blacklist ${HOME}/.config/cliqz
190	blacklist ${HOME}/.config/cmus	190	blacklist ${HOME}/.config/cmus
		191	blacklist ${HOME}/.config/com.github.bleakgrey.tootle
191	blacklist ${HOME}/.config/corebird	192	blacklist ${HOME}/.config/corebird
192	blacklist ${HOME}/.config/cower	193	blacklist ${HOME}/.config/cower
193	blacklist ${HOME}/.config/darktable	194	blacklist ${HOME}/.config/darktable


diff --git a/etc/profile-a-l/alacarte.profile b/etc/profile-a-l/alacarte.profile new file mode 100644 index 000000000..5fabf8283 --- /dev/null +++ b/etc/profile-a-l/alacarte.profile
@@ -0,0 +1,64 @@
		1	# Firejail profile for alacarte
		2	# Description: Create desktop and menu launchers easily
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include alacarte.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	include allow-python2.inc
		10	include allow-python3.inc
		11
		12	include disable-common.inc
		13	include disable-devel.inc
		14	include disable-exec.inc
		15	include disable-interpreters.inc
		16	include disable-programs.inc
		17	include disable-passwdmgr.inc
		18	include disable-xdg.inc
		19
		20	# Whitelist your system icon directory,varies by distro
		21	whitelist /usr/share/alacarte
		22	whitelist /usr/share/app-info
		23	whitelist /usr/share/desktop-directories
		24	whitelist /usr/share/icons
		25	whitelist /var/lib/app-info/icons
		26	whitelist /var/lib/flatpak/exports/share/applications
		27	whitelist /var/lib/flatpak/exports/share/icons
		28	include whitelist-runuser-common.inc
		29	include whitelist-usr-share-common.inc
		30	include whitelist-var-common.inc
		31
		32	apparmor
		33	caps.drop all
		34	machine-id
		35	net none
		36	nodvd
		37	no3d
		38	nogroups
		39	nonewprivs
		40	noroot
		41	nosound
		42	notv
		43	nou2f
		44	novideo
		45	protocol unix
		46	seccomp
		47	seccomp.block-secondary
		48	shell none
		49	tracelog
		50
		51	disable-mnt
		52	private-bin alacarte,bash,python*,sh
		53	private-cache
		54	private-dev
		55	private-etc alternatives,dconf,fonts,gtk-3.0,locale.alias,locale.conf,login.defs,mime.types,nsswitch.conf,passwd,pki,X11,xdg
		56	private-tmp
		57
		58	dbus-user none
		59	dbus-system none
		60
		61	read-write ${HOME}/.config/menus
		62	read-write ${HOME}/.gnome/apps
		63	read-write ${HOME}/.local/share/applications
		64	read-write ${HOME}/.local/share/flatpak/exports


diff --git a/etc/profile-a-l/com.github.bleakgrey.tootle.profile b/etc/profile-a-l/com.github.bleakgrey.tootle.profile new file mode 100644 index 000000000..4de7eb497 --- /dev/null +++ b/etc/profile-a-l/com.github.bleakgrey.tootle.profile
@@ -0,0 +1,55 @@
		1	# Firejail profile for com.github.bleakgrey.tootle
		2	# Description: Gtk Mastodon client
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include com.github.bleakgrey.tootle.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/com.github.bleakgrey.tootle
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	mkdir ${HOME}/.config/com.github.bleakgrey.tootle
		21	whitelist ${DOWNLOADS}
		22	whitelist ${HOME}/.config/com.github.bleakgrey.tootle
		23	include whitelist-common.inc
		24	include whitelist-runuser-common.inc
		25	include whitelist-usr-share-common.inc
		26	include whitelist-var-common.inc
		27
		28	apparmor
		29	caps.drop all
		30	machine-id
		31	netfilter
		32	nodvd
		33	nogroups
		34	nonewprivs
		35	noroot
		36	notv
		37	nou2f
		38	novideo
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42	tracelog
		43
		44	disable-mnt
		45	private-bin com.github.bleakgrey.tootle
		46	private-cache
		47	private-dev
		48	private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,machine-id mime.types,nsswitch.conf,pki,pulse,resolv.conf,ssl,X11,xdg
		49	private-tmp
		50
		51	# Settings are immutable
		52	# dbus-user filter
		53	# dbus-user.own com.github.bleakgrey.tootle
		54	# dbus-user.talk ca.desrt.dconf
		55	dbus-system none


diff --git a/etc/profile-m-z/photoflare.profile b/etc/profile-m-z/photoflare.profile new file mode 100644 index 000000000..d9df3e3b3 --- /dev/null +++ b/etc/profile-m-z/photoflare.profile
@@ -0,0 +1,50 @@
		1	# Firejail profile for photoflare
		2	# Description: Simple painting and editing program
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include photoflare.local
		6	# Persistent global definitions
		7	include photoflare.local
		8
		9	noblacklist ${PICTURES}
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-exec.inc
		14	include disable-interpreters.inc
		15	include disable-passwdmgr.inc
		16	include disable-programs.inc
		17	include disable-shell.inc
		18	include disable-xdg.inc
		19
		20	include whitelist-runuser-common.inc
		21	include whitelist-usr-share-common.inc
		22	include whitelist-var-common.inc
		23
		24	apparmor
		25	caps.drop all
		26	machine-id
		27	net none
		28	nodvd
		29	no3d
		30	nogroups
		31	nonewprivs
		32	noroot
		33	nosound
		34	notv
		35	nou2f
		36	novideo
		37	protocol unix
		38	seccomp
		39	shell none
		40	tracelog
		41
		42	disable-mnt
		43	private-bin photoflare
		44	private-cache
		45	private-dev
		46	private-etc alternatives,fonts,locale,locale.alias,locale.conf,mime.types,X11
		47	private-tmp
		48
		49	dbus-user none
		50	dbus-system none