11 files changed, 159 insertions, 54 deletions
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 011bbe226..4e460fc10 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
 noblacklist ${HOME}/.python_history
 noblacklist ${HOME}/.pythonhist
+# Ruby
+noblacklist ${HOME}/.bundle
 # Rust
-noblacklist ${HOME}/.cargo/*
+noblacklist ${HOME}/.cargo
diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc
index a8c701219..00276cac7 100644
--- a/etc/inc/allow-ruby.inc
+++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
 noblacklist ${PATH}/ruby
 noblacklist /usr/lib/ruby
+noblacklist /usr/lib64/ruby
diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc
index 5d8a236fb..804869e2a 100644
--- a/etc/inc/disable-interpreters.inc
+++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
 # Ruby
 blacklist ${PATH}/ruby
 blacklist /usr/lib/ruby
+blacklist /usr/lib64/ruby
 # Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
 # Python 2
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 511d8730e..d7a32d9b4 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime
 blacklist ${HOME}/.bitcoin
 blacklist ${HOME}/.blobby
 blacklist ${HOME}/.bogofilter
+blacklist ${HOME}/.bundle
 blacklist ${HOME}/.bzf
-blacklist ${HOME}/.cargo/*
+blacklist ${HOME}/.cargo
 blacklist ${HOME}/.claws-mail
 blacklist ${HOME}/.cliqz
 blacklist ${HOME}/.clion*
diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile
new file mode 100644
index 000000000..1b199d612
--- /dev/null
+++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
+# Firejail profile for build-systems-common
+# This file is overwritten after every install/update
+# Persistent local customizations
+include build-systems-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+ignore noexec ${HOME}
+ignore noexec /tmp
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+# Allows files commonly used by IDEs
+include allow-common-devel.inc
+# Allow ssh (blacklisted by disable-common.inc)
+#include allow-ssh.inc
+blacklist ${RUNUSER}
+include disable-common.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-X11.inc
+include disable-xdg.inc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+whitelist /usr/share/pkgconfig
+include whitelist-run-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+# net none
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-tmp
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile
new file mode 100644
index 000000000..bb82022b1
--- /dev/null
+++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
+# Firejail profile for bundle
+# Description: Ruby Dependency Management
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include bundle.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.bundle
+# Allow ruby (blacklisted by disable-interpreters.inc)
+include allow-ruby.inc
+#whitelist ${HOME}/.bundle
+#whitelist ${HOME}/.gem
+#whitelist ${HOME}/.local/share/gem
+whitelist /usr/share/gems
+whitelist /usr/share/ruby
+whitelist /usr/share/rubygems
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile
index ff46cd429..4c8afd895 100644
--- a/etc/profile-a-l/cargo.profile
+++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
 # Persistent global definitions
 include globals.local
-ignore noexec ${HOME}
+ignore read-only ${HOME}/.cargo/bin
-ignore noexec /tmp
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
 noblacklist ${HOME}/.cargo/credentials
 noblacklist ${HOME}/.cargo/credentials.toml
-# Allows files commonly used by IDEs
-include allow-common-devel.inc
-# Allow ssh (blacklisted by disable-common.inc)
-#include allow-ssh.inc
-include disable-common.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-xdg.inc
-#mkdir ${HOME}/.cargo
-#whitelist ${HOME}/YOUR_CARGO_PROJECTS
 #whitelist ${HOME}/.cargo
 #whitelist ${HOME}/.rustup
-#include whitelist-common.inc
-whitelist /usr/share/pkgconfig
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-seccomp.block-secondary
-shell none
-tracelog
-disable-mnt
 #private-bin cargo,rustc
-private-cache
-private-dev
 private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
-private-tmp
-dbus-user none
-dbus-system none
 memory-deny-write-execute
-read-write ${HOME}/.cargo/bin
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile
new file mode 100644
index 000000000..26cc2a00a
--- /dev/null
+++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
+# Firejail profile for cargo
+# Description: The Rust package manager
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include cargo.local
+# Persistent global definitions
+include globals.local
+memory-deny-write-execute
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile
new file mode 100644
index 000000000..7e9638fe4
--- /dev/null
+++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
+# Firejail profile for make
+# Description: GNU make utility to maintain groups of programs
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include make.local
+# Persistent global definitions
+include globals.local
+memory-deny-write-execute
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile
new file mode 100644
index 000000000..b4909a9d8
--- /dev/null
+++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
+# Firejail profile for meson
+# Description: A high productivity build system
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+# Redirect
+include build-systems-common.profile
diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile
new file mode 100644
index 000000000..a0926371f
--- /dev/null
+++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
+# Firejail profile for pip
+# Description: package manager for Python packages
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include meson.local
+# Persistent global definitions
+include globals.local
+ignore read-only ${HOME}/.local/lib
+# Allow python3 (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+#whitelist ${HOME}/.local/lib/python*
+# Redirect
+include build-systems-common.profile

diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 011bbe226..4e460fc10 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc
@@ -27,5 +27,8 @@ noblacklist ${HOME}/.python-history
27	noblacklist ${HOME}/.python_history	27	noblacklist ${HOME}/.python_history
28	noblacklist ${HOME}/.pythonhist	28	noblacklist ${HOME}/.pythonhist
29		29
		30	# Ruby
		31	noblacklist ${HOME}/.bundle
		32
30	# Rust	33	# Rust
31	noblacklist ${HOME}/.cargo/*	34	noblacklist ${HOME}/.cargo


diff --git a/etc/inc/allow-ruby.inc b/etc/inc/allow-ruby.inc index a8c701219..00276cac7 100644 --- a/etc/inc/allow-ruby.inc +++ b/etc/inc/allow-ruby.inc
@@ -4,3 +4,4 @@ include allow-ruby.local
4		4
5	noblacklist ${PATH}/ruby	5	noblacklist ${PATH}/ruby
6	noblacklist /usr/lib/ruby	6	noblacklist /usr/lib/ruby
		7	noblacklist /usr/lib64/ruby


diff --git a/etc/inc/disable-interpreters.inc b/etc/inc/disable-interpreters.inc index 5d8a236fb..804869e2a 100644 --- a/etc/inc/disable-interpreters.inc +++ b/etc/inc/disable-interpreters.inc
@@ -48,6 +48,7 @@ blacklist /usr/share/php*
48	# Ruby	48	# Ruby
49	blacklist ${PATH}/ruby	49	blacklist ${PATH}/ruby
50	blacklist /usr/lib/ruby	50	blacklist /usr/lib/ruby
		51	blacklist /usr/lib64/ruby
51		52
52	# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus	53	# Programs using python: deluge, firefox addons, filezilla, cherrytree, xchat, hexchat, libreoffice, scribus
53	# Python 2	54	# Python 2


diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 511d8730e..d7a32d9b4 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc
@@ -49,8 +49,9 @@ blacklist ${HOME}/.bibletime
49	blacklist ${HOME}/.bitcoin	49	blacklist ${HOME}/.bitcoin
50	blacklist ${HOME}/.blobby	50	blacklist ${HOME}/.blobby
51	blacklist ${HOME}/.bogofilter	51	blacklist ${HOME}/.bogofilter
		52	blacklist ${HOME}/.bundle
52	blacklist ${HOME}/.bzf	53	blacklist ${HOME}/.bzf
53	blacklist ${HOME}/.cargo/*	54	blacklist ${HOME}/.cargo
54	blacklist ${HOME}/.claws-mail	55	blacklist ${HOME}/.claws-mail
55	blacklist ${HOME}/.cliqz	56	blacklist ${HOME}/.cliqz
56	blacklist ${HOME}/.clion*	57	blacklist ${HOME}/.clion*


diff --git a/etc/profile-a-l/build-systems-common.profile b/etc/profile-a-l/build-systems-common.profile new file mode 100644 index 000000000..1b199d612 --- /dev/null +++ b/etc/profile-a-l/build-systems-common.profile
@@ -0,0 +1,66 @@
		1	# Firejail profile for build-systems-common
		2	# This file is overwritten after every install/update
		3	# Persistent local customizations
		4	include build-systems-common.local
		5	# Persistent global definitions
		6	# added by caller profile
		7	#include globals.local
		8
		9	ignore noexec ${HOME}
		10	ignore noexec /tmp
		11
		12	# Allow /bin/sh (blacklisted by disable-shell.inc)
		13	include allow-bin-sh.inc
		14
		15	# Allows files commonly used by IDEs
		16	include allow-common-devel.inc
		17
		18	# Allow ssh (blacklisted by disable-common.inc)
		19	#include allow-ssh.inc
		20
		21	blacklist ${RUNUSER}
		22
		23	include disable-common.inc
		24	include disable-exec.inc
		25	include disable-interpreters.inc
		26	include disable-programs.inc
		27	include disable-shell.inc
		28	include disable-X11.inc
		29	include disable-xdg.inc
		30
		31	#whitelist ${HOME}/Projects
		32	#include whitelist-common.inc
		33
		34	whitelist /usr/share/pkgconfig
		35	include whitelist-run-common.inc
		36	include whitelist-usr-share-common.inc
		37	include whitelist-var-common.inc
		38
		39	caps.drop all
		40	ipc-namespace
		41	machine-id
		42	# net none
		43	netfilter
		44	no3d
		45	nodvd
		46	nogroups
		47	noinput
		48	nonewprivs
		49	noroot
		50	nosound
		51	notv
		52	nou2f
		53	novideo
		54	protocol unix,inet,inet6
		55	seccomp
		56	seccomp.block-secondary
		57	shell none
		58	tracelog
		59
		60	disable-mnt
		61	private-cache
		62	private-dev
		63	private-tmp
		64
		65	dbus-user none
		66	dbus-system none


diff --git a/etc/profile-a-l/bundle.profile b/etc/profile-a-l/bundle.profile new file mode 100644 index 000000000..bb82022b1 --- /dev/null +++ b/etc/profile-a-l/bundle.profile
@@ -0,0 +1,23 @@
		1	# Firejail profile for bundle
		2	# Description: Ruby Dependency Management
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include bundle.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	noblacklist ${HOME}/.bundle
		11
		12	# Allow ruby (blacklisted by disable-interpreters.inc)
		13	include allow-ruby.inc
		14
		15	#whitelist ${HOME}/.bundle
		16	#whitelist ${HOME}/.gem
		17	#whitelist ${HOME}/.local/share/gem
		18	whitelist /usr/share/gems
		19	whitelist /usr/share/ruby
		20	whitelist /usr/share/rubygems
		21
		22	# Redirect
		23	include build-systems-common.profile


diff --git a/etc/profile-a-l/cargo.profile b/etc/profile-a-l/cargo.profile index ff46cd429..4c8afd895 100644 --- a/etc/profile-a-l/cargo.profile +++ b/etc/profile-a-l/cargo.profile
@@ -7,66 +7,18 @@ include cargo.local
7	# Persistent global definitions	7	# Persistent global definitions
8	include globals.local	8	include globals.local
9		9
10	ignore noexec ${HOME}	10	ignore read-only ${HOME}/.cargo/bin
11	ignore noexec /tmp
12
13	blacklist /tmp/.X11-unix
14	blacklist ${RUNUSER}
15		11
16	noblacklist ${HOME}/.cargo/credentials	12	noblacklist ${HOME}/.cargo/credentials
17	noblacklist ${HOME}/.cargo/credentials.toml	13	noblacklist ${HOME}/.cargo/credentials.toml
18		14
19	# Allows files commonly used by IDEs
20	include allow-common-devel.inc
21
22	# Allow ssh (blacklisted by disable-common.inc)
23	#include allow-ssh.inc
24
25	include disable-common.inc
26	include disable-exec.inc
27	include disable-interpreters.inc
28	include disable-programs.inc
29	include disable-xdg.inc
30
31	#mkdir ${HOME}/.cargo
32	#whitelist ${HOME}/YOUR_CARGO_PROJECTS
33	#whitelist ${HOME}/.cargo	15	#whitelist ${HOME}/.cargo
34	#whitelist ${HOME}/.rustup	16	#whitelist ${HOME}/.rustup
35	#include whitelist-common.inc
36	whitelist /usr/share/pkgconfig
37	include whitelist-runuser-common.inc
38	include whitelist-usr-share-common.inc
39	include whitelist-var-common.inc
40		17
41	caps.drop all
42	ipc-namespace
43	machine-id
44	netfilter
45	no3d
46	nodvd
47	nogroups
48	noinput
49	nonewprivs
50	noroot
51	nosound
52	notv
53	nou2f
54	novideo
55	protocol unix,inet,inet6
56	seccomp
57	seccomp.block-secondary
58	shell none
59	tracelog
60
61	disable-mnt
62	#private-bin cargo,rustc	18	#private-bin cargo,rustc
63	private-cache
64	private-dev
65	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl	19	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,magic,magic.mgc,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl
66	private-tmp
67
68	dbus-user none
69	dbus-system none
70		20
71	memory-deny-write-execute	21	memory-deny-write-execute
72	read-write ${HOME}/.cargo/bin	22
		23	# Redirect
		24	include build-systems-common.profile


diff --git a/etc/profile-a-l/cmake.profile b/etc/profile-a-l/cmake.profile new file mode 100644 index 000000000..26cc2a00a --- /dev/null +++ b/etc/profile-a-l/cmake.profile
@@ -0,0 +1,13 @@
		1	# Firejail profile for cargo
		2	# Description: The Rust package manager
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include cargo.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	memory-deny-write-execute
		11
		12	# Redirect
		13	include build-systems-common.profile


diff --git a/etc/profile-m-z/make.profile b/etc/profile-m-z/make.profile new file mode 100644 index 000000000..7e9638fe4 --- /dev/null +++ b/etc/profile-m-z/make.profile
@@ -0,0 +1,13 @@
		1	# Firejail profile for make
		2	# Description: GNU make utility to maintain groups of programs
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include make.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	memory-deny-write-execute
		11
		12	# Redirect
		13	include build-systems-common.profile


diff --git a/etc/profile-m-z/meson.profile b/etc/profile-m-z/meson.profile new file mode 100644 index 000000000..b4909a9d8 --- /dev/null +++ b/etc/profile-m-z/meson.profile
@@ -0,0 +1,14 @@
		1	# Firejail profile for meson
		2	# Description: A high productivity build system
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include meson.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	# Allow python3 (blacklisted by disable-interpreters.inc)
		11	include allow-python3.inc
		12
		13	# Redirect
		14	include build-systems-common.profile


diff --git a/etc/profile-m-z/pip.profile b/etc/profile-m-z/pip.profile new file mode 100644 index 000000000..a0926371f --- /dev/null +++ b/etc/profile-m-z/pip.profile
@@ -0,0 +1,18 @@
		1	# Firejail profile for pip
		2	# Description: package manager for Python packages
		3	# This file is overwritten after every install/update
		4	quiet
		5	# Persistent local customizations
		6	include meson.local
		7	# Persistent global definitions
		8	include globals.local
		9
		10	ignore read-only ${HOME}/.local/lib
		11
		12	# Allow python3 (blacklisted by disable-interpreters.inc)
		13	include allow-python3.inc
		14
		15	#whitelist ${HOME}/.local/lib/python*
		16
		17	# Redirect
		18	include build-systems-common.profile