1 files changed, 65 insertions, 0 deletions
diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile
new file mode 100644
index 000000000..55913a2d7
--- /dev/null
+++ b/etc/profile-a-l/gnome-schedule.profile
@@ -0,0 +1,65 @@
+# Firejail profile for gnome-schedule
+# Description: Graphical interface to crontab and at for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gnome-schedule.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.gnome/gnome-schedule
+# Needs at and crontab to read/write user cron
+noblacklist ${PATH}/at
+noblacklist ${PATH}/crontab
+# Needs access to these files/dirs
+noblacklist /etc/cron.allow
+noblacklist /etc/cron.deny
+noblacklist /etc/shadow
+noblacklist /var/spool/cron
+# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
+# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+mkfile ${HOME}/.gnome/gnome-schedule
+whitelist ${HOME}/.gnome/gnome-schedule
+whitelist /usr/share/gnome-schedule
+whitelist /var/spool/atd
+whitelist /var/spool/cron
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.keep chown,dac_override,setgid,setuid
+ipc-namespace
+machine-id
+#net none - breaks on Ubuntu
+no3d
+nodvd
+nogroups
+nosound
+notv
+nou2f
+novideo
+shell none
+tracelog
+disable-mnt
+private-cache
+private-dev
+writable-var

diff --git a/etc/profile-a-l/gnome-schedule.profile b/etc/profile-a-l/gnome-schedule.profile new file mode 100644 index 000000000..55913a2d7 --- /dev/null +++ b/etc/profile-a-l/gnome-schedule.profile
@@ -0,0 +1,65 @@
	1	# Firejail profile for gnome-schedule
	2	# Description: Graphical interface to crontab and at for GNOME
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include gnome-schedule.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.gnome/gnome-schedule
	10
	11	# Needs at and crontab to read/write user cron
	12	noblacklist ${PATH}/at
	13	noblacklist ${PATH}/crontab
	14
	15	# Needs access to these files/dirs
	16	noblacklist /etc/cron.allow
	17	noblacklist /etc/cron.deny
	18	noblacklist /etc/shadow
	19	noblacklist /var/spool/cron
	20
	21	# cron job testing needs a terminal, resulting in sandbox escape (see disable-common.inc)
	22	# add 'noblacklist ${PATH}/your-terminal' to gnome-schedule.local if you need that functionality
	23
	24	# Allow python (blacklisted by disable-interpreters.inc)
	25	include allow-python2.inc
	26	include allow-python3.inc
	27
	28	include disable-common.inc
	29	include disable-devel.inc
	30	include disable-exec.inc
	31	include disable-interpreters.inc
	32	include disable-passwdmgr.inc
	33	include disable-programs.inc
	34	include disable-xdg.inc
	35
	36	mkfile ${HOME}/.gnome/gnome-schedule
	37	whitelist ${HOME}/.gnome/gnome-schedule
	38	whitelist /usr/share/gnome-schedule
	39	whitelist /var/spool/atd
	40	whitelist /var/spool/cron
	41	include whitelist-common.inc
	42	include whitelist-runuser-common.inc
	43	include whitelist-usr-share-common.inc
	44	include whitelist-var-common.inc
	45
	46	apparmor
	47	caps.keep chown,dac_override,setgid,setuid
	48	ipc-namespace
	49	machine-id
	50	#net none - breaks on Ubuntu
	51	no3d
	52	nodvd
	53	nogroups
	54	nosound
	55	notv
	56	nou2f
	57	novideo
	58	shell none
	59	tracelog
	60
	61	disable-mnt
	62	private-cache
	63	private-dev
	64	writable-var
	65