Diffstat (limited to 'etc/profile-a-l')
-rw-r--r-- | etc/profile-a-l/chatterino.profile | 92 | ||||
-rw-r--r-- | etc/profile-a-l/electron-hardened.inc.profile | 10 | ||||
-rw-r--r-- | etc/profile-a-l/electron.profile | 4 | ||||
-rw-r--r-- | etc/profile-a-l/firefox-common.profile | 2 |
4 files changed, 106 insertions, 2 deletions
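--- /dev/null
+++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,92 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${PICTURES}
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${MUSIC}
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Also allow read-only access to mpv/VLC, they're usable via streamlink.
+mkdir ${HOME}/.local/share/chatterino
+# VLC preferences will fail to save with read-only set.
+whitelist ${HOME}/.local/share/chatterino
+whitelist-ro ${HOME}/.config/mpv
+whitelist-ro ${HOME}/.config/pulse
+whitelist-ro ${HOME}/.config/vlc
+whitelist-ro ${HOME}/.local/share/vlc
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-srv none
+private-tmp
+
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.mpris.MediaPlayer2.chatterino
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces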
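Review bot: The comment `# VLC preferences will fail to save with read-only set.` on new line 37 sits between the `mkdir` and the `whitelist ${HOME}/.local/share/chatterino` line, but it describes the `whitelist-ro ${HOME}/.config/vlc` and `whitelist-ro ${HOME}/.local/share/vlc` lines further down, so a reader cannot tell which directive it qualifies; it belongs directly above those two `whitelist-ro` lines and should say the trade-off is deliberate, e.g. `# VLC preferences cannot be saved while these are read-only; use whitelist in chatterino.local if you need that.`. Line 35 repeats the line 14 comment almost verbatim, so one of them can go. `# For media player integration.` on line 81 is placed above `dbus-user.talk org.freedesktop.ScreenSaver`, which is screensaver inhibition rather than MPRIS; it reads correctly above the `org.mpris.MediaPlayer2.*` lines, with a separate one-liner for ScreenSaver. Line 88 states the benefit of `deterministic-shutdown` but the option is left disabled without a reason, unlike the `#apparmor` and `#memory-deny-write-execute` lines; record why it is off (presumably to let a spawned browser or player outlive Chatterino — to be confirmed).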
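--- /dev/null
+++ b/etc/profile-a-l/electron-hardened.inc.profile
@@ -0,0 +1,10 @@
+# Firejail profile alias for chrome-common-hardened.inc
+# This file is overwritten after every install/update
+# Persistent local customizations
+include electron-hardened.inc.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+# Redirect
+include chrome-common-hardened.inc.profile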
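Review bot: The redirect on new line 10 includes `chrome-common-hardened.inc.profile`, while the line this alias supersedes in electron.profile (old line 26 of that file, in the same commit) pointed at `chromium-common-hardened.inc.profile`; the two names differ, so only one of them can be the file that actually exists in the tree, and the include target should be confirmed before merging — a wrong name would make the opt-in hardening a no-op or an error depending on how firejail treats a missing include. If `chrome-common-hardened.inc.profile` is the intended file the header comment on line 1 agrees with it; otherwise both line 1 and line 10 need the `chromium-` name. A one-line comment stating what the hardened include changes (electron.profile only says it requires unprivileged userns clone) would also tell the reader why this alias is opt-in rather than part of electron.profile.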
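--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -22,8 +22,8 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
-# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-#include chromium-common-hardened.inc.profile
+# Add the next line to your electron.local if your kernel allows unprivileged userns clone.
+#include electron-hardened.inc.profile
 
 apparmor
 caps.keep sys_admin,sys_chroot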
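--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -35,6 +35,8 @@ include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
+# Fixme!
+apparmor-replace
 caps.drop all
 # machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id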
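Review bot: `apparmor-replace` on new line 39 is introduced under a bare `# Fixme!` that records neither what is being worked around nor when the directive can be dropped, which matters because the line alters how Firefox's AppArmor confinement is applied (presumably substituting firejail's profile for a distro-shipped one — confirm against the firejail man page) and will otherwise outlive whatever motivated it. Replace the comment with the reason and a removal condition, e.g. `# Fixme: apparmor-replace works around <issue — TODO describe>; drop once <condition>.`, or reference the tracking issue if one exists. An undescribed `# Fixme!` in a profile that is "overwritten after every install/update" tends to survive releases unnoticed.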