4 files changed, 72 insertions, 128 deletions
diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile
index 61f4f4107..4d2681fbc 100644
--- a/etc/profile-a-l/gnome-logs.profile
+++ b/etc/profile-a-l/gnome-logs.profile
@@ -6,49 +6,15 @@ include gnome-logs.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
+whitelist /usr/share/gnome-logs
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-whitelist /var/log/journal
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-noinput
-nonewprivs
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-tracelog
-disable-mnt
 private-bin gnome-logs
-private-cache
-private-dev
-private-etc
 private-lib gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libgconf-2.so.*,librsvg-2.so.*
-private-tmp
-writable-var-log
 dbus-user filter
 dbus-user.own org.gnome.Logs
 dbus-user.talk ca.desrt.dconf
-dbus-system none
+ignore dbus-user none
-# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.
+# Redirect
-read-only ${HOME}
+include system-log-common.profile
-restrict-namespaces
diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile
index b3bc7499c..0d6116f4f 100644
--- a/etc/profile-a-l/gnome-system-log.profile
+++ b/etc/profile-a-l/gnome-system-log.profile
@@ -6,51 +6,13 @@ include gnome-system-log.local
 # Persistent global definitions
 include globals.local
-include disable-common.inc
+# 'net none' breaks dbus
-include disable-devel.inc
+ignore net none
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-whitelist /var/log
-include whitelist-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-#net none # breaks dbus
-no3d
-nodvd
-# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
-# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
-nogroups
-noinput
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-disable-mnt
 private-bin gnome-system-log
-private-cache
-private-dev
-private-etc
 private-lib
-private-tmp
-writable-var-log
-#dbus-user none
-#dbus-system none
 memory-deny-write-execute
-# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.
-read-only ${HOME}
+# Redirect
-restrict-namespaces
+include system-log-common.profile
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
index f73595fb1..eb007b765 100644
--- a/etc/profile-a-l/journal-viewer.profile
+++ b/etc/profile-a-l/journal-viewer.profile
@@ -9,60 +9,16 @@ include globals.local
 noblacklist ${HOME}/.cache/journal-viewer
 noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
-include disable-common.inc
-include disable-devel.inc
-include disable-exec.inc
-include disable-interpreters.inc
-include disable-proc.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
 mkdir ${HOME}/.cache/journal-viewer
 mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
 whitelist ${HOME}/.cache/journal-viewer
 whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
-whitelist /run/log/journal
-whitelist /var/log/journal
-include whitelist-common.inc
-include whitelist-run-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-apparmor
-caps.drop all
-ipc-namespace
-net none
-no3d
-nodvd
-nogroups
-noinput
-nonewprivs
-noprinters
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix
-seccomp
-seccomp.block-secondary
-tracelog
-disable-mnt
 private-bin journal-viewer
-private-cache
-private-dev
-private-etc machine-id
 private-lib webkit2gtk-*
-private-tmp
-dbus-user none
-dbus-system none
-restrict-namespaces
-read-only ${HOME}
 read-write ${HOME}/.cache/journal-viewer
 read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
-writable-var-log
+# Redirect
+include system-log-common.profile
diff --git a/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
new file mode 100644
index 000000000..dda8bdc47
--- /dev/null
+++ b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
+# Firejail profile for system-log-common
+# Description: Common profile for GUI system log viewers
+# This file is overwritten after every install/update
+# Persistent local customizations
+include system-log-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+#nogroups
+noinput
+nonewprivs
+noprinters
+#noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+disable-mnt
+private-cache
+private-dev
+private-etc machine-id
+private-tmp
+dbus-user none
+dbus-system none
+restrict-namespaces
+# Add 'ignore read-only ${HOME}' to your system-log-common.local
+# if you export logs to a file under your ${HOME}.
+read-only ${HOME}
+writable-var-log

diff --git a/etc/profile-a-l/gnome-logs.profile b/etc/profile-a-l/gnome-logs.profile index 61f4f4107..4d2681fbc 100644 --- a/etc/profile-a-l/gnome-logs.profile +++ b/etc/profile-a-l/gnome-logs.profile
@@ -6,49 +6,15 @@ include gnome-logs.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	include disable-common.inc	9	whitelist /usr/share/gnome-logs
10	include disable-devel.inc
11	include disable-exec.inc
12	include disable-interpreters.inc
13	include disable-programs.inc
14	include disable-shell.inc
15	include disable-xdg.inc
16		10
17	whitelist /var/log/journal
18	include whitelist-runuser-common.inc
19	include whitelist-usr-share-common.inc
20	include whitelist-var-common.inc
21
22	apparmor
23	caps.drop all
24	ipc-namespace
25	net none
26	no3d
27	nodvd
28	noinput
29	nonewprivs
30	nosound
31	notv
32	nou2f
33	novideo
34	protocol unix
35	seccomp
36	tracelog
37
38	disable-mnt
39	private-bin gnome-logs	11	private-bin gnome-logs
40	private-cache
41	private-dev
42	private-etc
43	private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*	12	private-lib gdk-pixbuf-2.,gio,gvfs/libgvfscommon.so,libgconf-2.so.,librsvg-2.so.*
44	private-tmp
45	writable-var-log
46		13
47	dbus-user filter	14	dbus-user filter
48	dbus-user.own org.gnome.Logs	15	dbus-user.own org.gnome.Logs
49	dbus-user.talk ca.desrt.dconf	16	dbus-user.talk ca.desrt.dconf
50	dbus-system none	17	ignore dbus-user none
51		18
52	# Add 'ignore read-only ${HOME}' to your gnome-logs.local if you export logs to a file under your ${HOME}.	19	# Redirect
53	read-only ${HOME}	20	include system-log-common.profile
54	restrict-namespaces


diff --git a/etc/profile-a-l/gnome-system-log.profile b/etc/profile-a-l/gnome-system-log.profile index b3bc7499c..0d6116f4f 100644 --- a/etc/profile-a-l/gnome-system-log.profile +++ b/etc/profile-a-l/gnome-system-log.profile
@@ -6,51 +6,13 @@ include gnome-system-log.local
6	# Persistent global definitions	6	# Persistent global definitions
7	include globals.local	7	include globals.local
8		8
9	include disable-common.inc	9	# 'net none' breaks dbus
10	include disable-devel.inc	10	ignore net none
11	include disable-exec.inc
12	include disable-interpreters.inc
13	include disable-programs.inc
14	include disable-shell.inc
15	include disable-xdg.inc
16		11
17	whitelist /var/log
18	include whitelist-common.inc
19	include whitelist-usr-share-common.inc
20	include whitelist-var-common.inc
21
22	apparmor
23	caps.drop all
24	ipc-namespace
25	#net none # breaks dbus
26	no3d
27	nodvd
28	# When using 'volatile' storage (https://www.freedesktop.org/software/systemd/man/journald.conf.html),
29	# put 'ignore nogroups' and 'ignore noroot' in your gnome-system-log.local.
30	nogroups
31	noinput
32	nonewprivs
33	noroot
34	nosound
35	notv
36	nou2f
37	novideo
38	protocol unix
39	seccomp
40
41	disable-mnt
42	private-bin gnome-system-log	12	private-bin gnome-system-log
43	private-cache
44	private-dev
45	private-etc
46	private-lib	13	private-lib
47	private-tmp
48	writable-var-log
49
50	#dbus-user none
51	#dbus-system none
52		14
53	memory-deny-write-execute	15	memory-deny-write-execute
54	# Add 'ignore read-only ${HOME}' to your gnome-system-log.local if you export logs to a file under your ${HOME}.	16
55	read-only ${HOME}	17	# Redirect
56	restrict-namespaces	18	include system-log-common.profile


diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile index f73595fb1..eb007b765 100644 --- a/etc/profile-a-l/journal-viewer.profile +++ b/etc/profile-a-l/journal-viewer.profile
@@ -9,60 +9,16 @@ include globals.local
9	noblacklist ${HOME}/.cache/journal-viewer	9	noblacklist ${HOME}/.cache/journal-viewer
10	noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer	10	noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
11		11
12	include disable-common.inc
13	include disable-devel.inc
14	include disable-exec.inc
15	include disable-interpreters.inc
16	include disable-proc.inc
17	include disable-programs.inc
18	include disable-shell.inc
19	include disable-xdg.inc
20
21	mkdir ${HOME}/.cache/journal-viewer	12	mkdir ${HOME}/.cache/journal-viewer
22	mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer	13	mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
23	whitelist ${HOME}/.cache/journal-viewer	14	whitelist ${HOME}/.cache/journal-viewer
24	whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer	15	whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
25	whitelist /run/log/journal
26	whitelist /var/log/journal
27	include whitelist-common.inc
28	include whitelist-run-common.inc
29	include whitelist-runuser-common.inc
30	include whitelist-usr-share-common.inc
31	include whitelist-var-common.inc
32
33	apparmor
34	caps.drop all
35	ipc-namespace
36	net none
37	no3d
38	nodvd
39	nogroups
40	noinput
41	nonewprivs
42	noprinters
43	noroot
44	nosound
45	notv
46	nou2f
47	novideo
48	protocol unix
49	seccomp
50	seccomp.block-secondary
51	tracelog
52		16
53	disable-mnt
54	private-bin journal-viewer	17	private-bin journal-viewer
55	private-cache
56	private-dev
57	private-etc machine-id
58	private-lib webkit2gtk-*	18	private-lib webkit2gtk-*
59	private-tmp
60		19
61	dbus-user none
62	dbus-system none
63
64	restrict-namespaces
65	read-only ${HOME}
66	read-write ${HOME}/.cache/journal-viewer	20	read-write ${HOME}/.cache/journal-viewer
67	read-write ${HOME}/.local/share/com.vmingueza.journal-viewer	21	read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
68	writable-var-log	22
		23	# Redirect
		24	include system-log-common.profile


diff --git a/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile new file mode 100644 index 000000000..dda8bdc47 --- /dev/null +++ b/etc/profile-m-z/profile-m-z/profile-m-z/system-log-common.profile
@@ -0,0 +1,60 @@
		1	# Firejail profile for system-log-common
		2	# Description: Common profile for GUI system log viewers
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include system-log-common.local
		6	# Persistent global definitions
		7	# added by caller profile
		8	#include globals.local
		9
		10	include disable-common.inc
		11	include disable-devel.inc
		12	include disable-exec.inc
		13	include disable-interpreters.inc
		14	include disable-proc.inc
		15	include disable-programs.inc
		16	include disable-shell.inc
		17	include disable-xdg.inc
		18
		19	whitelist /run/log/journal
		20	whitelist /var/log/journal
		21	include whitelist-common.inc
		22	include whitelist-run-common.inc
		23	include whitelist-runuser-common.inc
		24	include whitelist-usr-share-common.inc
		25	include whitelist-var-common.inc
		26
		27	apparmor
		28	caps.drop all
		29	ipc-namespace
		30	net none
		31	no3d
		32	nodvd
		33	#nogroups
		34	noinput
		35	nonewprivs
		36	noprinters
		37	#noroot
		38	nosound
		39	notv
		40	nou2f
		41	novideo
		42	protocol unix
		43	seccomp
		44	seccomp.block-secondary
		45	tracelog
		46
		47	disable-mnt
		48	private-cache
		49	private-dev
		50	private-etc machine-id
		51	private-tmp
		52
		53	dbus-user none
		54	dbus-system none
		55
		56	restrict-namespaces
		57	# Add 'ignore read-only ${HOME}' to your system-log-common.local
		58	# if you export logs to a file under your ${HOME}.
		59	read-only ${HOME}
		60	writable-var-log