4 files changed, 159 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index f3b44ac3e..aa83691eb 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -227,6 +227,7 @@ blacklist ${HOME}/.cache/torbrowser
 blacklist ${HOME}/.cache/transmission
 blacklist ${HOME}/.cache/ueberzugpp
 blacklist ${HOME}/.cache/ungoogled-chromium
+blacklist ${HOME}/.cache/virt-manager
 blacklist ${HOME}/.cache/vivaldi
 blacklist ${HOME}/.cache/vivaldi-snapshot
 blacklist ${HOME}/.cache/vlc
diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile
new file mode 100644
index 000000000..b16ffa142
--- /dev/null
+++ b/etc/profile-a-l/gnome-boxes.profile
@@ -0,0 +1,75 @@
+# Firejail profile for gnome-boxes
+# Description: Simple GNOME application to access virtual systems
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-boxes.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/gnome-boxes
+noblacklist ${HOME}/.config/gnome-boxes
+noblacklist ${HOME}/.local/share/gnome-boxes
+noblacklist ${RUNUSER}/libvirt
+noblacklist /sbin
+noblacklist /usr/sbin
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# breaks app
+#include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/gnome-boxes
+mkdir ${HOME}/.config/gnome-boxes
+mkdir ${HOME}/.local/share/gnome-boxes
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/gnome-boxes
+whitelist ${HOME}/.config/gnome-boxes
+whitelist ${HOME}/.local/share/gnome-boxes
+whitelist ${RUNUSER}/libvirt
+whitelist /run/libvirt
+whitelist /usr/libexec/gnome-boxes*
+whitelist /usr/share/gnome-boxes
+whitelist /usr/share/libvirt
+whitelist /usr/share/osinfo
+whitelist /usr/share/qemu
+whitelist /usr/share/seabios
+whitelist /usr/share/vala*
+# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
+whitelist /var/lib/usbutils/usb.ids
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# breaks app
+#apparmor
+# For host-only network sys_admin is needed.
+# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
+#caps.keep net_raw,sys_admin
+netfilter
+nodvd
+notv
+tracelog
+private-cache
+private-etc @network,@sound,@tls-ca,@x11
+private-tmp
+dbus-user filter
+dbus-user.own org.gnome.Boxes
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+deterministic-shutdown
+# breaks app
+#restrict-namespaces
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile
index 41f82bd07..734d9c11f 100644
--- a/etc/profile-m-z/multimc5.profile
+++ b/etc/profile-m-z/multimc5.profile
@@ -8,11 +8,16 @@ include globals.local
 noblacklist ${HOME}/.local/share/multimc
 noblacklist ${HOME}/.local/share/multimc5
 noblacklist ${HOME}/.multimc5
+noblacklist ${HOME}/.cache/JNA
+noblacklist /tmp/lwjgl_*
 # Ignore noexec on ${HOME} as MultiMC installs LWJGL native
 # libraries in ${HOME}/.local/share/multimc
 ignore noexec ${HOME}
+# Ignore noexec on /tmp as LWJGL extracts libraries to /tmp
+ignore noexec /tmp
 # Allow java (blacklisted by disable-devel.inc)
 include allow-java.inc
@@ -25,9 +30,12 @@ include disable-programs.inc
 mkdir ${HOME}/.local/share/multimc
 mkdir ${HOME}/.local/share/multimc5
 mkdir ${HOME}/.multimc5
+mkdir ${HOME}/.cache/JNA
 whitelist ${HOME}/.local/share/multimc
 whitelist ${HOME}/.local/share/multimc5
 whitelist ${HOME}/.multimc5
+whitelist ${HOME}/.cache/JNA
+whitelist /tmp/lwjgl_*
 include whitelist-common.inc
 caps.drop all
@@ -49,4 +57,7 @@ disable-mnt
 private-dev
 private-tmp
+dbus-user none
+dbus-system none
 #restrict-namespaces
diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile
new file mode 100644
index 000000000..86fe63ef9
--- /dev/null
+++ b/etc/profile-m-z/virt-manager.profile
@@ -0,0 +1,72 @@
+# Firejail profile for virt-manager
+# Description: Manage virtual machines
+# This file is overwritten after every install/update
+# Persistent local customizations
+include virt-manager.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.cache/virt-manager
+noblacklist ${RUNUSER}/libvirt
+noblacklist /sbin
+noblacklist /usr/sbin
+# Allow python 3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+# breaks app
+#include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.cache/virt-manager
+whitelist ${DOWNLOADS}
+whitelist ${HOME}/.cache/virt-manager
+whitelist ${RUNUSER}/libvirt
+whitelist /run/libvirt
+whitelist /usr/share/libvirt
+whitelist /usr/share/osinfo
+whitelist /usr/share/qemu
+whitelist /usr/share/seabios
+whitelist /usr/share/virt-manager
+# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
+whitelist /var/lib/usbutils/usb.ids
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+# breaks app
+#apparmor
+# For host-only network sys_admin is needed.
+# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
+caps.keep net_raw,sys_nice
+#caps.keep net_raw,sys_admin
+netfilter
+nodvd
+notv
+tracelog
+private-cache
+private-etc @network,@sound,@tls-ca,@x11
+private-tmp
+writable-var
+dbus-user filter
+dbus-user.own org.virt-manager.virt-manager
+dbus-user.talk ca.desrt.dconf
+dbus-user.talk org.freedesktop.Notifications
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-system none
+# breaks app
+#deterministic-shutdown
+# breaks app
+#restrict-namespaces

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index f3b44ac3e..aa83691eb 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -227,6 +227,7 @@ blacklist ${HOME}/.cache/torbrowser
227	blacklist ${HOME}/.cache/transmission	227	blacklist ${HOME}/.cache/transmission
228	blacklist ${HOME}/.cache/ueberzugpp	228	blacklist ${HOME}/.cache/ueberzugpp
229	blacklist ${HOME}/.cache/ungoogled-chromium	229	blacklist ${HOME}/.cache/ungoogled-chromium
		230	blacklist ${HOME}/.cache/virt-manager
230	blacklist ${HOME}/.cache/vivaldi	231	blacklist ${HOME}/.cache/vivaldi
231	blacklist ${HOME}/.cache/vivaldi-snapshot	232	blacklist ${HOME}/.cache/vivaldi-snapshot
232	blacklist ${HOME}/.cache/vlc	233	blacklist ${HOME}/.cache/vlc


diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile new file mode 100644 index 000000000..b16ffa142 --- /dev/null +++ b/etc/profile-a-l/gnome-boxes.profile
@@ -0,0 +1,75 @@
		1	# Firejail profile for gnome-boxes
		2	# Description: Simple GNOME application to access virtual systems
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gnome-boxes.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.cache/gnome-boxes
		10	noblacklist ${HOME}/.config/gnome-boxes
		11	noblacklist ${HOME}/.local/share/gnome-boxes
		12	noblacklist ${RUNUSER}/libvirt
		13
		14	noblacklist /sbin
		15	noblacklist /usr/sbin
		16
		17	include disable-common.inc
		18	include disable-devel.inc
		19	include disable-exec.inc
		20	include disable-interpreters.inc
		21	# breaks app
		22	#include disable-proc.inc
		23	include disable-programs.inc
		24	include disable-xdg.inc
		25
		26	mkdir ${HOME}/.cache/gnome-boxes
		27	mkdir ${HOME}/.config/gnome-boxes
		28	mkdir ${HOME}/.local/share/gnome-boxes
		29	whitelist ${DOWNLOADS}
		30	whitelist ${HOME}/.cache/gnome-boxes
		31	whitelist ${HOME}/.config/gnome-boxes
		32	whitelist ${HOME}/.local/share/gnome-boxes
		33	whitelist ${RUNUSER}/libvirt
		34
		35	whitelist /run/libvirt
		36	whitelist /usr/libexec/gnome-boxes*
		37	whitelist /usr/share/gnome-boxes
		38	whitelist /usr/share/libvirt
		39	whitelist /usr/share/osinfo
		40	whitelist /usr/share/qemu
		41	whitelist /usr/share/seabios
		42	whitelist /usr/share/vala*
		43	# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
		44	whitelist /var/lib/usbutils/usb.ids
		45	include whitelist-common.inc
		46	include whitelist-run-common.inc
		47	include whitelist-runuser-common.inc
		48	include whitelist-usr-share-common.inc
		49	include whitelist-var-common.inc
		50
		51	# breaks app
		52	#apparmor
		53	# For host-only network sys_admin is needed.
		54	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
		55	caps.keep net_raw,sys_nice
		56	#caps.keep net_raw,sys_admin
		57	netfilter
		58	nodvd
		59	notv
		60	tracelog
		61
		62	private-cache
		63	private-etc @network,@sound,@tls-ca,@x11
		64	private-tmp
		65
		66	dbus-user filter
		67	dbus-user.own org.gnome.Boxes
		68	dbus-user.talk ca.desrt.dconf
		69	dbus-user.talk org.freedesktop.Notifications
		70	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		71	dbus-system none
		72
		73	deterministic-shutdown
		74	# breaks app
		75	#restrict-namespaces


diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile index 41f82bd07..734d9c11f 100644 --- a/etc/profile-m-z/multimc5.profile +++ b/etc/profile-m-z/multimc5.profile
@@ -8,11 +8,16 @@ include globals.local
8	noblacklist ${HOME}/.local/share/multimc	8	noblacklist ${HOME}/.local/share/multimc
9	noblacklist ${HOME}/.local/share/multimc5	9	noblacklist ${HOME}/.local/share/multimc5
10	noblacklist ${HOME}/.multimc5	10	noblacklist ${HOME}/.multimc5
		11	noblacklist ${HOME}/.cache/JNA
		12	noblacklist /tmp/lwjgl_*
11		13
12	# Ignore noexec on ${HOME} as MultiMC installs LWJGL native	14	# Ignore noexec on ${HOME} as MultiMC installs LWJGL native
13	# libraries in ${HOME}/.local/share/multimc	15	# libraries in ${HOME}/.local/share/multimc
14	ignore noexec ${HOME}	16	ignore noexec ${HOME}
15		17
		18	# Ignore noexec on /tmp as LWJGL extracts libraries to /tmp
		19	ignore noexec /tmp
		20
16	# Allow java (blacklisted by disable-devel.inc)	21	# Allow java (blacklisted by disable-devel.inc)
17	include allow-java.inc	22	include allow-java.inc
18		23
@@ -25,9 +30,12 @@ include disable-programs.inc
25	mkdir ${HOME}/.local/share/multimc	30	mkdir ${HOME}/.local/share/multimc
26	mkdir ${HOME}/.local/share/multimc5	31	mkdir ${HOME}/.local/share/multimc5
27	mkdir ${HOME}/.multimc5	32	mkdir ${HOME}/.multimc5
		33	mkdir ${HOME}/.cache/JNA
28	whitelist ${HOME}/.local/share/multimc	34	whitelist ${HOME}/.local/share/multimc
29	whitelist ${HOME}/.local/share/multimc5	35	whitelist ${HOME}/.local/share/multimc5
30	whitelist ${HOME}/.multimc5	36	whitelist ${HOME}/.multimc5
		37	whitelist ${HOME}/.cache/JNA
		38	whitelist /tmp/lwjgl_*
31	include whitelist-common.inc	39	include whitelist-common.inc
32		40
33	caps.drop all	41	caps.drop all
@@ -49,4 +57,7 @@ disable-mnt
49	private-dev	57	private-dev
50	private-tmp	58	private-tmp
51		59
		60	dbus-user none
		61	dbus-system none
		62
52	#restrict-namespaces	63	#restrict-namespaces


diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile new file mode 100644 index 000000000..86fe63ef9 --- /dev/null +++ b/etc/profile-m-z/virt-manager.profile
@@ -0,0 +1,72 @@
		1	# Firejail profile for virt-manager
		2	# Description: Manage virtual machines
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include virt-manager.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.cache/virt-manager
		10	noblacklist ${RUNUSER}/libvirt
		11
		12	noblacklist /sbin
		13	noblacklist /usr/sbin
		14
		15	# Allow python 3 (blacklisted by disable-interpreters.inc)
		16	include allow-python3.inc
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-exec.inc
		21	include disable-interpreters.inc
		22	# breaks app
		23	#include disable-proc.inc
		24	include disable-programs.inc
		25	include disable-xdg.inc
		26
		27	mkdir ${HOME}/.cache/virt-manager
		28	whitelist ${DOWNLOADS}
		29	whitelist ${HOME}/.cache/virt-manager
		30	whitelist ${RUNUSER}/libvirt
		31	whitelist /run/libvirt
		32
		33	whitelist /usr/share/libvirt
		34	whitelist /usr/share/osinfo
		35	whitelist /usr/share/qemu
		36	whitelist /usr/share/seabios
		37	whitelist /usr/share/virt-manager
		38	# /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04
		39	whitelist /var/lib/usbutils/usb.ids
		40	include whitelist-common.inc
		41	include whitelist-run-common.inc
		42	include whitelist-runuser-common.inc
		43	include whitelist-usr-share-common.inc
		44	include whitelist-var-common.inc
		45
		46	# breaks app
		47	#apparmor
		48	# For host-only network sys_admin is needed.
		49	# See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630
		50	caps.keep net_raw,sys_nice
		51	#caps.keep net_raw,sys_admin
		52	netfilter
		53	nodvd
		54	notv
		55	tracelog
		56
		57	private-cache
		58	private-etc @network,@sound,@tls-ca,@x11
		59	private-tmp
		60	writable-var
		61
		62	dbus-user filter
		63	dbus-user.own org.virt-manager.virt-manager
		64	dbus-user.talk ca.desrt.dconf
		65	dbus-user.talk org.freedesktop.Notifications
		66	?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
		67	dbus-system none
		68
		69	# breaks app
		70	#deterministic-shutdown
		71	# breaks app
		72	#restrict-namespaces