3 files changed, 52 insertions, 0 deletions
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index a546f05e3..a5a38afda 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -561,6 +561,7 @@ blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
 blacklist ${HOME}/.local/share/rhythmbox
 blacklist ${HOME}/.local/share/scribus
+blacklist ${HOME}/.local/share/signal-cli
 blacklist ${HOME}/.local/share/spotify
 blacklist ${HOME}/.local/share/steam
 blacklist ${HOME}/.local/share/supertux2
diff --git a/etc/signal-cli.profile b/etc/signal-cli.profile
new file mode 100644
index 000000000..bb1bf732d
--- /dev/null
+++ b/etc/signal-cli.profile
@@ -0,0 +1,50 @@
+# Firejail profile for signal-cli
+# Description: signal-cli provides a commandline and dbus interface for signalapp/libsignal-service-java
+# This file is overwritten after every install/update
+# Persistent local customizations
+include signal-cli.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+noblacklist ${HOME}/.local/share/signal-cli
+include allow-java.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkdir ${HOME}/.local/share/signal-cli
+whitelist ${HOME}/.local/share/signal-cli
+include whitelist-common.inc
+include whitelist-var-common.inc
+caps.drop all
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin java,sh,signal-cli
+private-cache
+private-dev
+# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
+#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
+private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 1ab3efdd1..ac564f0d2 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -524,6 +524,7 @@ seamonkey-bin
 secret-tool
 shellcheck
 shotcut
+signal-cli
 signal-desktop
 silentarmy
 simple-scan

diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index a546f05e3..a5a38afda 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -561,6 +561,7 @@ blacklist ${HOME}/.local/share/qutebrowser
561	blacklist ${HOME}/.local/share/remmina	561	blacklist ${HOME}/.local/share/remmina
562	blacklist ${HOME}/.local/share/rhythmbox	562	blacklist ${HOME}/.local/share/rhythmbox
563	blacklist ${HOME}/.local/share/scribus	563	blacklist ${HOME}/.local/share/scribus
		564	blacklist ${HOME}/.local/share/signal-cli
564	blacklist ${HOME}/.local/share/spotify	565	blacklist ${HOME}/.local/share/spotify
565	blacklist ${HOME}/.local/share/steam	566	blacklist ${HOME}/.local/share/steam
566	blacklist ${HOME}/.local/share/supertux2	567	blacklist ${HOME}/.local/share/supertux2


diff --git a/etc/signal-cli.profile b/etc/signal-cli.profile new file mode 100644 index 000000000..bb1bf732d --- /dev/null +++ b/etc/signal-cli.profile
@@ -0,0 +1,50 @@
		1	# Firejail profile for signal-cli
		2	# Description: signal-cli provides a commandline and dbus interface for signalapp/libsignal-service-java
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include signal-cli.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	blacklist /tmp/.X11-unix
		10
		11	noblacklist ${HOME}/.local/share/signal-cli
		12
		13	include allow-java.inc
		14
		15	include disable-common.inc
		16	include disable-devel.inc
		17	include disable-exec.inc
		18	include disable-interpreters.inc
		19	include disable-passwdmgr.inc
		20	include disable-programs.inc
		21	include disable-xdg.inc
		22
		23	mkdir ${HOME}/.local/share/signal-cli
		24	whitelist ${HOME}/.local/share/signal-cli
		25	include whitelist-common.inc
		26	include whitelist-var-common.inc
		27
		28	caps.drop all
		29	netfilter
		30	no3d
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	noroot
		35	nosound
		36	notv
		37	nou2f
		38	novideo
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42	tracelog
		43
		44	disable-mnt
		45	private-bin java,sh,signal-cli
		46	private-cache
		47	private-dev
		48	# Does not work with all Java configurations. You will notice immediately, so you might want to give it a try
		49	#private-etc alternatives,ca-certificates,crypto-policies,dbus-1,host.conf,hostname,hosts,java-10-openjdk,java-7-openjdk,java-8-openjdk,java-9-openjdk,java.conf,machine-id,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
		50	private-tmp


diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 1ab3efdd1..ac564f0d2 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config
@@ -524,6 +524,7 @@ seamonkey-bin
524	secret-tool	524	secret-tool
525	shellcheck	525	shellcheck
526	shotcut	526	shotcut
		527	signal-cli
527	signal-desktop	528	signal-desktop
528	silentarmy	529	silentarmy
529	simple-scan	530	simple-scan