4 files changed, 150 insertions, 0 deletions
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
new file mode 100644
index 000000000..72b4f7a77
--- /dev/null
+++ b/etc/dconf-editor.profile
@@ -0,0 +1,47 @@
+# Firejail profile for dconf-editor
+# Description: dconf configuration editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include dconf-editor.local
+# Persistent global definitions
+include globals.local
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+# nodbus - DBUS is needed to commit changes to dconf
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin dconf-editor
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index ec22c1cec..6bcb5e46c 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -147,6 +147,7 @@ blacklist ${HOME}/.config/flowblade
 blacklist ${HOME}/.config/font-manager
 blacklist ${HOME}/.config/gajim
 blacklist ${HOME}/.config/galculator
+blacklist ${HOME}/.config/gconf
 blacklist ${HOME}/.config/geany
 blacklist ${HOME}/.config/gedit
 blacklist ${HOME}/.config/geeqie
@@ -513,6 +514,7 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.qmmp
+blacklist ${HOME}/.quodlibet
 blacklist ${HOME}/.redeclipse
 blacklist ${HOME}/.remmina
 blacklist ${HOME}/.repo_.gitconfig.json
diff --git a/etc/exfalso.profile b/etc/exfalso.profile
new file mode 100644
index 000000000..58fd1b3b2
--- /dev/null
+++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
+# Firejail profile for exfalso
+# Description: GTK audio tag editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include exfalso.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.quodlibet
+noblacklist ${MUSIC}
+# Allow python (blacklisted by disable-interpreters.inc)
+noblacklist ${PATH}/python2*
+noblacklist ${PATH}/python3*
+noblacklist /usr/lib/python2*
+noblacklist /usr/lib/python3*
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+caps.drop all
+# machine-id breaks audio; it should work fine in setups where sound is not required
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+private-bin exfalso,python*
+private-cache
+private-dev
+private-etc alternatives,fonts,group,passwd
+private-lib libatk-1.0.so.*,libgdk-3.so.*,libgdk_pixbuf-2.0.so.*,libgirepository-1.0.so.*,libgstreamer-1.0.so.*,libgtk-3.so.*,libgtksourceview-3.0.so.*,libpango-1.0.so.*,libpython*,libreadline.so.*,libsoup-2.4.so.*,libssl.so.1.*,python2*,python3*
+private-tmp
+# memory-deny-write-execute - Breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile
new file mode 100644
index 000000000..a5132e937
--- /dev/null
+++ b/etc/gconf-editor.profile
@@ -0,0 +1,49 @@
+# Firejail profile for gconf-editor
+# Description: Graphical gconf registry editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include gconf-editor.local
+# Persistent global definitions
+include globals.local
+noblacklist ${HOME}/.config/gconf
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+include whitelist-common.inc
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+# nodbus - DBUS is needed to commit changes to gconf
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+disable-mnt
+private-bin gconf-editor
+private-cache
+private-dev
+private-etc alternatives,fonts
+private-lib
+private-tmp
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp

diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile new file mode 100644 index 000000000..72b4f7a77 --- /dev/null +++ b/etc/dconf-editor.profile
@@ -0,0 +1,47 @@
		1	# Firejail profile for dconf-editor
		2	# Description: dconf configuration editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include dconf-editor.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	include disable-common.inc
		10	include disable-devel.inc
		11	include disable-interpreters.inc
		12	include disable-passwdmgr.inc
		13	include disable-programs.inc
		14	include disable-xdg.inc
		15
		16	include whitelist-common.inc
		17
		18	apparmor
		19	caps.drop all
		20	machine-id
		21	net none
		22	no3d
		23	# nodbus - DBUS is needed to commit changes to dconf
		24	nodvd
		25	nogroups
		26	nonewprivs
		27	noroot
		28	nosound
		29	notv
		30	nou2f
		31	novideo
		32	protocol unix
		33	seccomp
		34	shell none
		35	tracelog
		36
		37	disable-mnt
		38	private-bin dconf-editor
		39	private-cache
		40	private-dev
		41	private-etc alternatives,fonts
		42	private-lib
		43	private-tmp
		44
		45	memory-deny-write-execute
		46	noexec ${HOME}
		47	noexec /tmp


diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index ec22c1cec..6bcb5e46c 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc
@@ -147,6 +147,7 @@ blacklist ${HOME}/.config/flowblade
147	blacklist ${HOME}/.config/font-manager	147	blacklist ${HOME}/.config/font-manager
148	blacklist ${HOME}/.config/gajim	148	blacklist ${HOME}/.config/gajim
149	blacklist ${HOME}/.config/galculator	149	blacklist ${HOME}/.config/galculator
		150	blacklist ${HOME}/.config/gconf
150	blacklist ${HOME}/.config/geany	151	blacklist ${HOME}/.config/geany
151	blacklist ${HOME}/.config/gedit	152	blacklist ${HOME}/.config/gedit
152	blacklist ${HOME}/.config/geeqie	153	blacklist ${HOME}/.config/geeqie
@@ -513,6 +514,7 @@ blacklist ${HOME}/.pingus
513	blacklist ${HOME}/.purple	514	blacklist ${HOME}/.purple
514	blacklist ${HOME}/.qemu-launcher	515	blacklist ${HOME}/.qemu-launcher
515	blacklist ${HOME}/.qmmp	516	blacklist ${HOME}/.qmmp
		517	blacklist ${HOME}/.quodlibet
516	blacklist ${HOME}/.redeclipse	518	blacklist ${HOME}/.redeclipse
517	blacklist ${HOME}/.remmina	519	blacklist ${HOME}/.remmina
518	blacklist ${HOME}/.repo_.gitconfig.json	520	blacklist ${HOME}/.repo_.gitconfig.json


diff --git a/etc/exfalso.profile b/etc/exfalso.profile new file mode 100644 index 000000000..58fd1b3b2 --- /dev/null +++ b/etc/exfalso.profile
@@ -0,0 +1,52 @@
		1	# Firejail profile for exfalso
		2	# Description: GTK audio tag editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include exfalso.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.quodlibet
		10	noblacklist ${MUSIC}
		11
		12	# Allow python (blacklisted by disable-interpreters.inc)
		13	noblacklist ${PATH}/python2*
		14	noblacklist ${PATH}/python3*
		15	noblacklist /usr/lib/python2*
		16	noblacklist /usr/lib/python3*
		17
		18	include disable-common.inc
		19	include disable-devel.inc
		20	include disable-interpreters.inc
		21	include disable-passwdmgr.inc
		22	include disable-programs.inc
		23	include disable-xdg.inc
		24
		25	caps.drop all
		26	# machine-id breaks audio; it should work fine in setups where sound is not required
		27	machine-id
		28	netfilter
		29	no3d
		30	nodbus
		31	nodvd
		32	nogroups
		33	nonewprivs
		34	noroot
		35	nosound
		36	notv
		37	nou2f
		38	novideo
		39	protocol unix,inet,inet6
		40	seccomp
		41	shell none
		42
		43	private-bin exfalso,python*
		44	private-cache
		45	private-dev
		46	private-etc alternatives,fonts,group,passwd
		47	private-lib libatk-1.0.so.,libgdk-3.so.,libgdk_pixbuf-2.0.so.,libgirepository-1.0.so.,libgstreamer-1.0.so.,libgtk-3.so.,libgtksourceview-3.0.so.,libpango-1.0.so.,libpython,libreadline.so.,libsoup-2.4.so.,libssl.so.1.,python2,python3
		48	private-tmp
		49
		50	# memory-deny-write-execute - Breaks on Arch
		51	noexec ${HOME}
		52	noexec /tmp


diff --git a/etc/gconf-editor.profile b/etc/gconf-editor.profile new file mode 100644 index 000000000..a5132e937 --- /dev/null +++ b/etc/gconf-editor.profile
@@ -0,0 +1,49 @@
		1	# Firejail profile for gconf-editor
		2	# Description: Graphical gconf registry editor
		3	# This file is overwritten after every install/update
		4	# Persistent local customizations
		5	include gconf-editor.local
		6	# Persistent global definitions
		7	include globals.local
		8
		9	noblacklist ${HOME}/.config/gconf
		10
		11	include disable-common.inc
		12	include disable-devel.inc
		13	include disable-interpreters.inc
		14	include disable-passwdmgr.inc
		15	include disable-programs.inc
		16	include disable-xdg.inc
		17
		18	include whitelist-common.inc
		19
		20	apparmor
		21	caps.drop all
		22	machine-id
		23	net none
		24	no3d
		25	# nodbus - DBUS is needed to commit changes to gconf
		26	nodvd
		27	nogroups
		28	nonewprivs
		29	noroot
		30	nosound
		31	notv
		32	nou2f
		33	novideo
		34	protocol unix
		35	seccomp
		36	shell none
		37	tracelog
		38
		39	disable-mnt
		40	private-bin gconf-editor
		41	private-cache
		42	private-dev
		43	private-etc alternatives,fonts
		44	private-lib
		45	private-tmp
		46
		47	memory-deny-write-execute
		48	noexec ${HOME}
		49	noexec /tmp