1 files changed, 69 insertions, 0 deletions
diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile
new file mode 100644
index 000000000..e0ed3090a
--- /dev/null
+++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
+# Firejail profile for tin
+# Description: ncurses-based Usenet newsreader
+# This file is overwritten after every install/update
+# Persistent local customizations
+include tin.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.newsrc
+noblacklist ${HOME}/.tin
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+blacklist /usr/libexec
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+mkdir ${HOME}/.tin
+mkfile ${HOME}/.newsrc
+# Note: files/directories directly in ${HOME} can't be whitelisted, as
+#       tin saves .newsrc by renaming a temporary file, which is not possible for
+#       bind-mounted files.
+#whitelist ${HOME}/.newsrc
+#whitelist ${HOME}/.tin
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol inet,inet6
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+disable-mnt
+private-bin rtin,tin
+private-cache
+private-dev
+private-etc passwd,resolv.conf,terminfo,tin
+private-lib terminfo
+private-tmp
+dbus-user none
+dbus-system none
+memory-deny-write-execute

diff --git a/etc/profile-m-z/tin.profile b/etc/profile-m-z/tin.profile new file mode 100644 index 000000000..e0ed3090a --- /dev/null +++ b/etc/profile-m-z/tin.profile
@@ -0,0 +1,69 @@
	1	# Firejail profile for tin
	2	# Description: ncurses-based Usenet newsreader
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include tin.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	noblacklist ${HOME}/.newsrc
	10	noblacklist ${HOME}/.tin
	11
	12	blacklist /tmp/.X11-unix
	13	blacklist ${RUNUSER}
	14	blacklist /usr/libexec
	15
	16	include disable-common.inc
	17	include disable-devel.inc
	18	include disable-exec.inc
	19	include disable-interpreters.inc
	20	include disable-passwdmgr.inc
	21	include disable-programs.inc
	22	include disable-shell.inc
	23	include disable-xdg.inc
	24
	25	mkdir ${HOME}/.tin
	26	mkfile ${HOME}/.newsrc
	27	# Note: files/directories directly in ${HOME} can't be whitelisted, as
	28	# tin saves .newsrc by renaming a temporary file, which is not possible for
	29	# bind-mounted files.
	30	#whitelist ${HOME}/.newsrc
	31	#whitelist ${HOME}/.tin
	32	#include whitelist-common.inc
	33	include whitelist-runuser-common.inc
	34	include whitelist-usr-share-common.inc
	35	include whitelist-var-common.inc
	36
	37	apparmor
	38	caps.drop all
	39	ipc-namespace
	40	machine-id
	41	netfilter
	42	no3d
	43	nodvd
	44	nogroups
	45	noinput
	46	nonewprivs
	47	noroot
	48	nosound
	49	notv
	50	nou2f
	51	novideo
	52	protocol inet,inet6
	53	seccomp
	54	seccomp.block-secondary
	55	shell none
	56	tracelog
	57
	58	disable-mnt
	59	private-bin rtin,tin
	60	private-cache
	61	private-dev
	62	private-etc passwd,resolv.conf,terminfo,tin
	63	private-lib terminfo
	64	private-tmp
	65
	66	dbus-user none
	67	dbus-system none
	68
	69	memory-deny-write-execute