-rw-r--r-- | .github/workflows/build-extra.yml | 8 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 2 | ||||
-rw-r--r-- | .github/workflows/profile-checks.yml | 2 | ||||
-rw-r--r-- | RELNOTES | 1 | ||||
-rw-r--r-- | etc/profile-m-z/QMediathekView.profile | 24 |
6 files changed, 31 insertions, 8 deletions
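--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -60,7 +60,7 @@ jobs:
 allowed-endpoints: >
 azure.archive.ubuntu.com:80
 github.com:443
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 - name: install dependencies
 run: sudo apt-get install libapparmor-dev libselinux1-dev
 - name: configure
@@ -81,7 +81,7 @@ jobs:
 allowed-endpoints: >
 azure.archive.ubuntu.com:80
 github.com:443
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 - name: install clang-tools-14 and dependencies
 run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev
 - name: configure
@@ -98,7 +98,7 @@ jobs:
 allowed-endpoints: >
 azure.archive.ubuntu.com:80
 github.com:443
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 - name: install cppcheck
 run: sudo apt-get install cppcheck
 - name: cppcheck
@@ -115,7 +115,7 @@ jobs:
 allowed-endpoints: >
 azure.archive.ubuntu.com:80
 github.com:443
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 - name: install cppcheck
 run: sudo apt-get install cppcheck
 - name: cppcheck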
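--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -56,7 +56,7 @@ jobs:
 www.debian.org:443
 www.debian.org:80
 yahoo.com:1025
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 - name: update package information
 run: sudo apt-get update
 - name: install dependencies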
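--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -84,7 +84,7 @@ jobs:
 uploads.github.com:443
 
 - name: Checkout repository
-uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL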
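--- a/.github/workflows/profile-checks.yml
+++ b/.github/workflows/profile-checks.yml
@@ -33,7 +33,7 @@ jobs:
 allowed-endpoints: >
 github.com:443
 
-- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
 - name: sort.py
 run: ./ci/check/profiles/sort.py etc/inc/*.inc etc/{profile-a-l,profile-m-z}/*.profile
 - name: private-etc-always-required.sh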
@@ -58,6 +58,7 @@ firejail (0.9.72rc1) baseline; urgency=low | |||
58 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) | 58 | * docs: clarify that --appimage should appear before --profile (#5402 #5451) |
59 | * docs: add more Firefox examples to the firejail-local AppArmor profile | 59 | * docs: add more Firefox examples to the firejail-local AppArmor profile |
60 | (#5493) | 60 | (#5493) |
61 | * docs: Fix broken Restrict-DBus wiki link on profile.template (#5554) | ||
61 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 | 62 | -- netblue30 <netblue30@yahoo.com> Sat, 11 Jun 2022 09:00:00 -0500 |
62 | 63 | ||
63 | firejail (0.9.70) baseline; urgency=low | 64 | firejail (0.9.70) baseline; urgency=low |
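--- a/etc/profile-m-z/QMediathekView.profile
+++ b/etc/profile-m-z/QMediathekView.profile
@@ -27,10 +27,30 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/QMediathekView
+mkdir ${HOME}/.local/share/QMediathekView
+whitelist ${HOME}/.config/QMediathekView
+whitelist ${HOME}/.local/share/QMediathekView
+
+whitelist ${DOWNLOADS}
+whitelist ${VIDEOS}
+
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/smplayer
+whitelist ${HOME}/.config/totem
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.config/xplayer
+whitelist ${HOME}/.local/share/totem
+whitelist ${HOME}/.local/share/xplayer
+whitelist ${HOME}/.mplayer
 whitelist /usr/share/qtchooser
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
+apparmor
 caps.drop all
 netfilter
 # no3d
@@ -38,11 +58,12 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 notv
 nou2f
 novideo
-protocol unix,inet,inet6,netlink
+protocol unix,inet,inet6
 seccomp
 tracelog
 
@@ -50,6 +71,7 @@ disable-mnt
 private-bin mplayer,mpv,QMediathekView,smplayer,totem,vlc,xplayer
 private-cache
 private-dev
+private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,login.defs,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-tmp
 
 dbus-user none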
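Review bot: The player directories whitelisted in the first hunk (`${HOME}/.config/mpv`, `smplayer`, `totem`, `vlc`, `xplayer`, `${HOME}/.mplayer` and the two `.local/share` entries) are writable from inside the sandbox, yet the same directories are read by those players when they are later started outside it. mpv, for one, loads scripts from its configuration directory, so a compromised process in this sandbox could leave a change that takes effect in an unsandboxed session. If the players only need to read their settings when launched from QMediathekView, follow each of these whitelists with a matching read-only line, for example `read-only ${HOME}/.config/mpv`. This presumably needs a test that none of the players fails when it cannot save state, and a short comment above the group saying why foreign configuration directories are exposed at all would help the next reviewer.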