1 files changed, 52 insertions, 0 deletions
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
new file mode 100644
index 000000000..58fd1b3b2
--- /dev/null
+++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+# machine-id breaks audio; it should work fine in setups where sound is not required
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin exfalso,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+private-tmp
+# memory-deny-write-execute - Breaks on Arch
+noexec ${HOME}
+noexec /tmp

diff --git a/etc/exfalso.profile b/etc/exfalso.profile new file mode 100644 index 000000000..58fd1b3b2 --- /dev/null +++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
	1	# Firejail profile for exfalso
	2	# Description: GTK audio tag editor
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include exfalso.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.quodlibet
	10	noblacklist ${MUSIC}
	11
	12	# Allow python (blacklisted by disable-interpreters.inc)
	13	noblacklist ${PATH}/python2*
	14	noblacklist ${PATH}/python3*
	15	noblacklist /usr/lib/python2*
	16	noblacklist /usr/lib/python3*
	17
	18	include disable-common.inc
	19	include disable-devel.inc
	20	include disable-interpreters.inc
	21	include disable-passwdmgr.inc
	22	include disable-programs.inc
	23	include disable-xdg.inc
	24
	25	caps.drop all
	26	# machine-id breaks audio; it should work fine in setups where sound is not required
	27	machine-id
	28	netfilter
	29	no3d
	30	nodbus
	31	nodvd
	32	nogroups
	33	nonewprivs
	34	noroot
	35	nosound
	36	notv
	37	nou2f
	38	novideo
	39	protocol unix,inet,inet6
	40	seccomp
	41	shell none
	42
	43	private-bin exfalso,python*
	44	private-cache
	45	private-dev
	46	private-etc alternatives,fonts,group,passwd
	47	private-lib libatk-1.0.so.,libgdk-3.so.,libgdk_pixbuf-2.0.so.,libgirepository-1.0.so.,libgstreamer-1.0.so.,libgtk-3.so.,libgtksourceview-3.0.so.,libpango-1.0.so.,libpython,libreadline.so.,libsoup-2.4.so.,libssl.so.1.,python2,python3
	48	private-tmp
	49
	50	# memory-deny-write-execute - Breaks on Arch
	51	noexec ${HOME}
	52	noexec /tmp