diff options
-rw-r--r-- | etc/inc/disable-programs.inc | 1 | ||||
-rw-r--r-- | etc/profile-a-l/gnome-boxes.profile | 75 | ||||
-rw-r--r-- | etc/profile-m-z/multimc5.profile | 11 | ||||
-rw-r--r-- | etc/profile-m-z/virt-manager.profile | 72 |
4 files changed, 159 insertions, 0 deletions
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index f3b44ac3e..aa83691eb 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc | |||
@@ -227,6 +227,7 @@ blacklist ${HOME}/.cache/torbrowser | |||
227 | blacklist ${HOME}/.cache/transmission | 227 | blacklist ${HOME}/.cache/transmission |
228 | blacklist ${HOME}/.cache/ueberzugpp | 228 | blacklist ${HOME}/.cache/ueberzugpp |
229 | blacklist ${HOME}/.cache/ungoogled-chromium | 229 | blacklist ${HOME}/.cache/ungoogled-chromium |
230 | blacklist ${HOME}/.cache/virt-manager | ||
230 | blacklist ${HOME}/.cache/vivaldi | 231 | blacklist ${HOME}/.cache/vivaldi |
231 | blacklist ${HOME}/.cache/vivaldi-snapshot | 232 | blacklist ${HOME}/.cache/vivaldi-snapshot |
232 | blacklist ${HOME}/.cache/vlc | 233 | blacklist ${HOME}/.cache/vlc |
diff --git a/etc/profile-a-l/gnome-boxes.profile b/etc/profile-a-l/gnome-boxes.profile new file mode 100644 index 000000000..b16ffa142 --- /dev/null +++ b/etc/profile-a-l/gnome-boxes.profile | |||
@@ -0,0 +1,75 @@ | |||
1 | # Firejail profile for gnome-boxes | ||
2 | # Description: Simple GNOME application to access virtual systems | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include gnome-boxes.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/gnome-boxes | ||
10 | noblacklist ${HOME}/.config/gnome-boxes | ||
11 | noblacklist ${HOME}/.local/share/gnome-boxes | ||
12 | noblacklist ${RUNUSER}/libvirt | ||
13 | |||
14 | noblacklist /sbin | ||
15 | noblacklist /usr/sbin | ||
16 | |||
17 | include disable-common.inc | ||
18 | include disable-devel.inc | ||
19 | include disable-exec.inc | ||
20 | include disable-interpreters.inc | ||
21 | # breaks app | ||
22 | #include disable-proc.inc | ||
23 | include disable-programs.inc | ||
24 | include disable-xdg.inc | ||
25 | |||
26 | mkdir ${HOME}/.cache/gnome-boxes | ||
27 | mkdir ${HOME}/.config/gnome-boxes | ||
28 | mkdir ${HOME}/.local/share/gnome-boxes | ||
29 | whitelist ${DOWNLOADS} | ||
30 | whitelist ${HOME}/.cache/gnome-boxes | ||
31 | whitelist ${HOME}/.config/gnome-boxes | ||
32 | whitelist ${HOME}/.local/share/gnome-boxes | ||
33 | whitelist ${RUNUSER}/libvirt | ||
34 | |||
35 | whitelist /run/libvirt | ||
36 | whitelist /usr/libexec/gnome-boxes* | ||
37 | whitelist /usr/share/gnome-boxes | ||
38 | whitelist /usr/share/libvirt | ||
39 | whitelist /usr/share/osinfo | ||
40 | whitelist /usr/share/qemu | ||
41 | whitelist /usr/share/seabios | ||
42 | whitelist /usr/share/vala* | ||
43 | # /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04 | ||
44 | whitelist /var/lib/usbutils/usb.ids | ||
45 | include whitelist-common.inc | ||
46 | include whitelist-run-common.inc | ||
47 | include whitelist-runuser-common.inc | ||
48 | include whitelist-usr-share-common.inc | ||
49 | include whitelist-var-common.inc | ||
50 | |||
51 | # breaks app | ||
52 | #apparmor | ||
53 | # For host-only network sys_admin is needed. | ||
54 | # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 | ||
55 | caps.keep net_raw,sys_nice | ||
56 | #caps.keep net_raw,sys_admin | ||
57 | netfilter | ||
58 | nodvd | ||
59 | notv | ||
60 | tracelog | ||
61 | |||
62 | private-cache | ||
63 | private-etc @network,@sound,@tls-ca,@x11 | ||
64 | private-tmp | ||
65 | |||
66 | dbus-user filter | ||
67 | dbus-user.own org.gnome.Boxes | ||
68 | dbus-user.talk ca.desrt.dconf | ||
69 | dbus-user.talk org.freedesktop.Notifications | ||
70 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | ||
71 | dbus-system none | ||
72 | |||
73 | deterministic-shutdown | ||
74 | # breaks app | ||
75 | #restrict-namespaces | ||
diff --git a/etc/profile-m-z/multimc5.profile b/etc/profile-m-z/multimc5.profile index 41f82bd07..734d9c11f 100644 --- a/etc/profile-m-z/multimc5.profile +++ b/etc/profile-m-z/multimc5.profile | |||
@@ -8,11 +8,16 @@ include globals.local | |||
8 | noblacklist ${HOME}/.local/share/multimc | 8 | noblacklist ${HOME}/.local/share/multimc |
9 | noblacklist ${HOME}/.local/share/multimc5 | 9 | noblacklist ${HOME}/.local/share/multimc5 |
10 | noblacklist ${HOME}/.multimc5 | 10 | noblacklist ${HOME}/.multimc5 |
11 | noblacklist ${HOME}/.cache/JNA | ||
12 | noblacklist /tmp/lwjgl_* | ||
11 | 13 | ||
12 | # Ignore noexec on ${HOME} as MultiMC installs LWJGL native | 14 | # Ignore noexec on ${HOME} as MultiMC installs LWJGL native |
13 | # libraries in ${HOME}/.local/share/multimc | 15 | # libraries in ${HOME}/.local/share/multimc |
14 | ignore noexec ${HOME} | 16 | ignore noexec ${HOME} |
15 | 17 | ||
18 | # Ignore noexec on /tmp as LWJGL extracts libraries to /tmp | ||
19 | ignore noexec /tmp | ||
20 | |||
16 | # Allow java (blacklisted by disable-devel.inc) | 21 | # Allow java (blacklisted by disable-devel.inc) |
17 | include allow-java.inc | 22 | include allow-java.inc |
18 | 23 | ||
@@ -25,9 +30,12 @@ include disable-programs.inc | |||
25 | mkdir ${HOME}/.local/share/multimc | 30 | mkdir ${HOME}/.local/share/multimc |
26 | mkdir ${HOME}/.local/share/multimc5 | 31 | mkdir ${HOME}/.local/share/multimc5 |
27 | mkdir ${HOME}/.multimc5 | 32 | mkdir ${HOME}/.multimc5 |
33 | mkdir ${HOME}/.cache/JNA | ||
28 | whitelist ${HOME}/.local/share/multimc | 34 | whitelist ${HOME}/.local/share/multimc |
29 | whitelist ${HOME}/.local/share/multimc5 | 35 | whitelist ${HOME}/.local/share/multimc5 |
30 | whitelist ${HOME}/.multimc5 | 36 | whitelist ${HOME}/.multimc5 |
37 | whitelist ${HOME}/.cache/JNA | ||
38 | whitelist /tmp/lwjgl_* | ||
31 | include whitelist-common.inc | 39 | include whitelist-common.inc |
32 | 40 | ||
33 | caps.drop all | 41 | caps.drop all |
@@ -49,4 +57,7 @@ disable-mnt | |||
49 | private-dev | 57 | private-dev |
50 | private-tmp | 58 | private-tmp |
51 | 59 | ||
60 | dbus-user none | ||
61 | dbus-system none | ||
62 | |||
52 | #restrict-namespaces | 63 | #restrict-namespaces |
diff --git a/etc/profile-m-z/virt-manager.profile b/etc/profile-m-z/virt-manager.profile new file mode 100644 index 000000000..86fe63ef9 --- /dev/null +++ b/etc/profile-m-z/virt-manager.profile | |||
@@ -0,0 +1,72 @@ | |||
1 | # Firejail profile for virt-manager | ||
2 | # Description: Manage virtual machines | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include virt-manager.local | ||
6 | # Persistent global definitions | ||
7 | include globals.local | ||
8 | |||
9 | noblacklist ${HOME}/.cache/virt-manager | ||
10 | noblacklist ${RUNUSER}/libvirt | ||
11 | |||
12 | noblacklist /sbin | ||
13 | noblacklist /usr/sbin | ||
14 | |||
15 | # Allow python 3 (blacklisted by disable-interpreters.inc) | ||
16 | include allow-python3.inc | ||
17 | |||
18 | include disable-common.inc | ||
19 | include disable-devel.inc | ||
20 | include disable-exec.inc | ||
21 | include disable-interpreters.inc | ||
22 | # breaks app | ||
23 | #include disable-proc.inc | ||
24 | include disable-programs.inc | ||
25 | include disable-xdg.inc | ||
26 | |||
27 | mkdir ${HOME}/.cache/virt-manager | ||
28 | whitelist ${DOWNLOADS} | ||
29 | whitelist ${HOME}/.cache/virt-manager | ||
30 | whitelist ${RUNUSER}/libvirt | ||
31 | whitelist /run/libvirt | ||
32 | |||
33 | whitelist /usr/share/libvirt | ||
34 | whitelist /usr/share/osinfo | ||
35 | whitelist /usr/share/qemu | ||
36 | whitelist /usr/share/seabios | ||
37 | whitelist /usr/share/virt-manager | ||
38 | # /usr/share/misc/usb.ids is a symlink to /var/lib/usbutils/usb.ids on Ubuntu 22.04 | ||
39 | whitelist /var/lib/usbutils/usb.ids | ||
40 | include whitelist-common.inc | ||
41 | include whitelist-run-common.inc | ||
42 | include whitelist-runuser-common.inc | ||
43 | include whitelist-usr-share-common.inc | ||
44 | include whitelist-var-common.inc | ||
45 | |||
46 | # breaks app | ||
47 | #apparmor | ||
48 | # For host-only network sys_admin is needed. | ||
49 | # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 | ||
50 | caps.keep net_raw,sys_nice | ||
51 | #caps.keep net_raw,sys_admin | ||
52 | netfilter | ||
53 | nodvd | ||
54 | notv | ||
55 | tracelog | ||
56 | |||
57 | private-cache | ||
58 | private-etc @network,@sound,@tls-ca,@x11 | ||
59 | private-tmp | ||
60 | writable-var | ||
61 | |||
62 | dbus-user filter | ||
63 | dbus-user.own org.virt-manager.virt-manager | ||
64 | dbus-user.talk ca.desrt.dconf | ||
65 | dbus-user.talk org.freedesktop.Notifications | ||
66 | ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher | ||
67 | dbus-system none | ||
68 | |||
69 | # breaks app | ||
70 | #deterministic-shutdown | ||
71 | # breaks app | ||
72 | #restrict-namespaces | ||