From 3af6c406834d5f18d1422ce95ebd02646862ce74 Mon Sep 17 00:00:00 2001
From: Dpeta
Date: Sat, 24 Dec 2022 23:21:43 +0100
Subject: Add Chatterino profile

---
 etc/inc/disable-programs.inc | 1 +
 etc/profile-a-l/chatterino.profile | 116 +++++++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 3 files changed, 118 insertions(+)
 create mode 100644 etc/profile-a-l/chatterino.profile

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index b52bcaa11..698ee7eca 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -876,6 +876,7 @@ blacklist ${HOME}/.local/share/caja-python
 blacklist ${HOME}/.local/share/calligragemini
 blacklist ${HOME}/.local/share/cantata
 blacklist ${HOME}/.local/share/cdprojektred
+blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
 blacklist ${HOME}/.local/share/contacts
diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
new file mode 100644
index 000000000..bbb536827
--- /dev/null
+++ b/etc/profile-a-l/chatterino.profile
@@ -0,0 +1,116 @@
+# Firejail profile for Chatterino
+# Description: Chat client for https://twitch.tv
+# This file is overwritten after every install/update
+# Persistent local customizations
+include chatterino.local
+# Persistent global definitions
+include globals.local
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+noblacklist ${HOME}/.cache/vlc
+noblacklist ${HOME}/.config/aacs
+noblacklist ${HOME}/.config/mpv
+noblacklist ${HOME}/.config/pulse
+noblacklist ${HOME}/.config/vlc
+noblacklist ${HOME}/.local/share/chatterino
+noblacklist ${HOME}/.local/share/vlc
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#noblacklist ${HOME}/Pictures/
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#noblacklist ${HOME}/Music/
+
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+# Allow Lua for mpv (blacklisted by disable-interpreters.inc)
+include allow-lua.inc
+
+# disable-*.inc includes
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+# Also allow access to mpv/vlc, they're usable via streamlink.
+mkdir ${HOME}/.cache/vlc
+mkdir ${HOME}/.config/aacs
+mkdir ${HOME}/.config/mpv
+mkdir ${HOME}/.config/pulse
+mkdir ${HOME}/.config/vlc
+mkdir ${HOME}/.local/share/chatterino
+mkdir ${HOME}/.local/share/vlc
+whitelist ${HOME}/.cache/vlc
+whitelist ${HOME}/.config/aacs
+whitelist ${HOME}/.config/mpv
+whitelist ${HOME}/.config/pulse
+whitelist ${HOME}/.config/vlc
+whitelist ${HOME}/.local/share/chatterino
+whitelist ${HOME}/.local/share/vlc
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${HOME}/Pictures/
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${HOME}/Music/
+# whitelist-*.inc includes
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+# Streamlink+VLC doesn't seem to close properly with apparmor enabled.
+#apparmor
+caps.drop all
+netfilter
+nodvd
+nogroups
+nonewprivs
+noprinters
+noroot
+notv
+nou2f
+# Netlink is required for streamlink integration.
+protocol unix,inet,inet6,netlink
+# Seccomp may break browser integration.
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+# Add more private-bin lines for browsers or video players to chatterino.local if wanted.
+private-bin chatterino,pgrep
+private-bin ffmpeg,python*,streamlink
+private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
+private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
+# private-cache may cause issues with mpv (see #2838)
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
+private-opt none
+private-srv none
+private-tmp
+
+dbus-user filter
+dbus-user.own com.chatterino.*
+# Session Bus Policy from flatpak
+dbus-user.talk com.canonical.AppMenu.Registrar
+dbus-user.talk org.kde.kconfig.notify
+dbus-user.talk org.kde.KGlobalSettings
+dbus-user.talk org.freedesktop.Flatpak
+# Allow notifications.
+dbus-user.talk org.freedesktop.Notifications
+# For media player integration.
+dbus-user.talk org.freedesktop.ScreenSaver
+?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.talk org.mpris.MediaPlayer2.Player
+dbus-system none
+
+# Prevents browsers/players from lingering after Chatterino is closed.
+#deterministic-shutdown
+# Add to chatterino.local to force Qt to use its wayland QPA plugin.
+#env QT_QPA_PLATFORM=wayland
+# memory-deny-write-execute may break streamlink and browser integration.
+#memory-deny-write-execute
+restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 152263f04..15169f983 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -130,6 +130,7 @@ catfish
 cawbird
 celluloid
 chafa
+chatterino
 checkbashisms
 cheese
 cherrytree
-- 
cgit v1.2.3-70-g09d2
From 805b04ded35ed6d9f8904a4db283d7a38de729bd Mon Sep 17 00:00:00 2001
From: Dpeta
Date: Sun, 25 Dec 2022 20:50:01 +0100
Subject: Apply commitable suggestions from code review

I'll try the rest manually soon

Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
---
 etc/profile-a-l/chatterino.profile | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index bbb536827..a4f45b2ba 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -50,7 +50,7 @@ whitelist ${HOME}/.config/vlc
 whitelist ${HOME}/.local/share/chatterino
 whitelist ${HOME}/.local/share/vlc
 # To upload images, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${HOME}/Pictures/
+#whitelist ${HOME}/Pictures/pic1.png
 # For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
 #whitelist ${HOME}/Music/
 # whitelist-*.inc includes
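Review bot: `dbus-user.talk org.mpris.MediaPlayer2.Player` in the dbus-user block of the new profile names the MPRIS interface, not a bus name: players own names of the form `org.mpris.MediaPlayer2.<player>`, so as far as I can tell this rule permits talking to nothing that actually exists. If Chatterino really has to reach other players, the matching form is `dbus-user.talk org.mpris.MediaPlayer2.*`, which is a noticeably wider grant and should only go in once that need is confirmed; otherwise the line can be dropped. The comment `# For media player integration.` two lines earlier sits above `dbus-user.talk org.freedesktop.ScreenSaver` rather than above the MPRIS line, so it is unclear which rule it explains; moving it next to the MPRIS rule and giving the ScreenSaver line its own one-line reason would help.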
@@ -88,17 +88,11 @@ private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,dbus-1,fonts,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,nvidia,passwd,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11
-private-opt none
 private-srv none
 private-tmp
 
 dbus-user filter
 dbus-user.own com.chatterino.*
-# Session Bus Policy from flatpak
-dbus-user.talk com.canonical.AppMenu.Registrar
-dbus-user.talk org.kde.kconfig.notify
-dbus-user.talk org.kde.KGlobalSettings
-dbus-user.talk org.freedesktop.Flatpak
 # Allow notifications.
 dbus-user.talk org.freedesktop.Notifications
 # For media player integration.
@@ -109,8 +103,6 @@ dbus-system none
 
 # Prevents browsers/players from lingering after Chatterino is closed.
 #deterministic-shutdown
-# Add to chatterino.local to force Qt to use its wayland QPA plugin.
-#env QT_QPA_PLATFORM=wayland
 # memory-deny-write-execute may break streamlink and browser integration.
 #memory-deny-write-execute
 restrict-namespaces
-- 
cgit v1.2.3-70-g09d2
From ecf6aca3fd862a07fcf05b17f69df7c4cb99261a Mon Sep 17 00:00:00 2001
From: Dpeta
Date: Sun, 25 Dec 2022 21:54:17 +0100
Subject: Apply the other code review suggestions to chatterino.profile

---
 etc/profile-a-l/chatterino.profile | 31 ++++++++++---------------------
 1 file changed, 10 insertions(+), 21 deletions(-)

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index a4f45b2ba..f288d0561 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -7,17 +7,11 @@ include chatterino.local
 include globals.local
 
 # Also allow access to mpv/vlc, they're usable via streamlink.
-noblacklist ${HOME}/.cache/vlc
-noblacklist ${HOME}/.config/aacs
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/pulse
 noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/chatterino
 noblacklist ${HOME}/.local/share/vlc
-# To upload images, whitelist/noblacklist their path in chatterino.local.
-#noblacklist ${HOME}/Pictures/
-# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
-#noblacklist ${HOME}/Music/
 
 # Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
 include allow-python3.inc
@@ -34,25 +28,22 @@ include disable-proc.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-# Also allow access to mpv/vlc, they're usable via streamlink.
-mkdir ${HOME}/.cache/vlc
-mkdir ${HOME}/.config/aacs
+# Also allow read-only access to mpv/VLC, they're usable via streamlink.
 mkdir ${HOME}/.config/mpv
 mkdir ${HOME}/.config/pulse
 mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/chatterino
 mkdir ${HOME}/.local/share/vlc
-whitelist ${HOME}/.cache/vlc
-whitelist ${HOME}/.config/aacs
-whitelist ${HOME}/.config/mpv
-whitelist ${HOME}/.config/pulse
-whitelist ${HOME}/.config/vlc
+# VLC preferences will fail to save with read-only set.
 whitelist ${HOME}/.local/share/chatterino
-whitelist ${HOME}/.local/share/vlc
+whitelist-ro ${HOME}/.config/mpv
+whitelist-ro ${HOME}/.config/pulse
+whitelist-ro ${HOME}/.config/vlc
+whitelist-ro ${HOME}/.local/share/vlc
 # To upload images, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${HOME}/Pictures/pic1.png
+#whitelist ${PICTURES}/pic1.png
 # For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${HOME}/Music/
+#whitelist ${MUSIC}/sound.ogg
 # whitelist-*.inc includes
 include whitelist-common.inc
 include whitelist-run-common.inc
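Review bot: In the second hunk the new comment `# VLC preferences will fail to save with read-only set.` lands directly above `whitelist ${HOME}/.local/share/chatterino`, a read-write entry unrelated to VLC, so a reader cannot tell which line it explains or whether the breakage is accepted. Placing it directly above `whitelist-ro ${HOME}/.config/vlc` and stating the decision, e.g. `# VLC preferences will fail to save with read-only set; accepted, override with whitelist in chatterino.local if needed.`, would make the trade-off explicit. The same hunk rewords the later comment to `read-only access to mpv/VLC` while the first hunk's context line still says `# Also allow access to mpv/vlc, they're usable via streamlink.`; keeping the two in step would avoid the mismatch.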
@@ -80,10 +71,7 @@ tracelog
 
 disable-mnt
 # Add more private-bin lines for browsers or video players to chatterino.local if wanted.
-private-bin chatterino,pgrep
-private-bin ffmpeg,python*,streamlink
-private-bin cvlc,nvlc,qvlc,rvlc,svlc,vlc
-private-bin env,mpv,python*,waf,youtube-dl,yt-dlp
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc,waf
 # private-cache may cause issues with mpv (see #2838)
 private-cache
 private-dev
@@ -98,6 +86,7 @@ dbus-user.talk org.freedesktop.Notifications
 # For media player integration.
 dbus-user.talk org.freedesktop.ScreenSaver
 ?ALLOW_TRAY: dbus-user.talk org.kde.StatusNotifierWatcher
+dbus-user.own org.mpris.MediaPlayer2.chatterino
 dbus-user.talk org.mpris.MediaPlayer2.Player
 dbus-system none
 
-- 
cgit v1.2.3-70-g09d2
From 85c5e1c8be9fd0c5951fe9d9e2f7c40ad4c9b024 Mon Sep 17 00:00:00 2001
From: Dpeta
Date: Sun, 25 Dec 2022 22:05:37 +0100
Subject: Fix music/pictures whitelist path in chatterino.profile

---
 etc/profile-a-l/chatterino.profile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index f288d0561..e410b3af4 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -41,9 +41,9 @@ whitelist-ro ${HOME}/.config/pulse
 whitelist-ro ${HOME}/.config/vlc
 whitelist-ro ${HOME}/.local/share/vlc
 # To upload images, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${PICTURES}/pic1.png
+#whitelist ${PICTURES}
 # For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${MUSIC}/sound.ogg
+#whitelist ${MUSIC}
 # whitelist-*.inc includes
 include whitelist-common.inc
 include whitelist-run-common.inc
-- 
cgit v1.2.3-70-g09d2
From 34f33114749a4b20ac25506545eb5b9f1f2cc312 Mon Sep 17 00:00:00 2001
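Review bot: The consolidated `private-bin` line in the first hunk silently drops `youtube-dl` and `yt-dlp`, which the replaced fourth line carried, and neither the commit message nor the comment above it mentions that; with private-bin, a binary that is not in the list is simply absent inside the sandbox, so anything that tries to run them fails. If leaving downloaders to the user is intended, the comment should say so, e.g. `# Add more private-bin lines for browsers, video players or downloaders (yt-dlp) to chatterino.local if wanted.`; otherwise they should go back into the list.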
From: Dpeta
Date: Sun, 25 Dec 2022 22:24:50 +0100
Subject: Remove unnecessary mkdir

---
 etc/profile-a-l/chatterino.profile | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index e410b3af4..9f88a04ce 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -29,11 +29,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 # Also allow read-only access to mpv/VLC, they're usable via streamlink.
-mkdir ${HOME}/.config/mpv
-mkdir ${HOME}/.config/pulse
-mkdir ${HOME}/.config/vlc
 mkdir ${HOME}/.local/share/chatterino
-mkdir ${HOME}/.local/share/vlc
 # VLC preferences will fail to save with read-only set.
 whitelist ${HOME}/.local/share/chatterino
 whitelist-ro ${HOME}/.config/mpv
-- 
cgit v1.2.3-70-g09d2
From 56ba182b7702220abcbe1a62639cbb86cc52f138 Mon Sep 17 00:00:00 2001
From: Dpeta
Date: Sun, 25 Dec 2022 23:11:07 +0100
Subject: Apply suggestions from code review

Co-authored-by: Kelvin M. Klann
---
 etc/profile-a-l/chatterino.profile | 2 --
 1 file changed, 2 deletions(-)

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index 9f88a04ce..014a6d92a 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -19,7 +19,6 @@ include allow-python3.inc
 # Allow Lua for mpv (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
-# disable-*.inc includes
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -40,7 +39,6 @@ whitelist-ro ${HOME}/.local/share/vlc
 #whitelist ${PICTURES}
 # For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
 #whitelist ${MUSIC}
-# whitelist-*.inc includes
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
-- 
cgit v1.2.3-70-g09d2
From cdeaff836b6601adeac5f2bed80bd690e0bc216f Mon Sep 17 00:00:00 2001
From: Dpeta
Date: Sun, 25 Dec 2022 23:16:24 +0100
Subject: Apply code review suggestions to chatterino.profile

- Remove waf from private-bin
- Move optional commands to the top
- Reorder allow lua/python
---
 etc/profile-a-l/chatterino.profile | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile
index 014a6d92a..4dfd85740 100644
--- a/etc/profile-a-l/chatterino.profile
+++ b/etc/profile-a-l/chatterino.profile
@@ -6,6 +6,11 @@ include chatterino.local
 # Persistent global definitions
 include globals.local
 
+# To upload images, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${PICTURES}
+# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
+#whitelist ${MUSIC}
+
 # Also allow access to mpv/vlc, they're usable via streamlink.
 noblacklist ${HOME}/.config/mpv
 noblacklist ${HOME}/.config/pulse
@@ -13,12 +18,12 @@ noblacklist ${HOME}/.config/vlc
 noblacklist ${HOME}/.local/share/chatterino
 noblacklist ${HOME}/.local/share/vlc
 
-# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
-include allow-python3.inc
-
 # Allow Lua for mpv (blacklisted by disable-interpreters.inc)
 include allow-lua.inc
 
+# Allow Python for Streamlink integration (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -35,10 +40,6 @@ whitelist-ro ${HOME}/.config/mpv
 whitelist-ro ${HOME}/.config/pulse
 whitelist-ro ${HOME}/.config/vlc
 whitelist-ro ${HOME}/.local/share/vlc
-# To upload images, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${PICTURES}
-# For custom notification sounds, whitelist/noblacklist their path in chatterino.local.
-#whitelist ${MUSIC}
 include whitelist-common.inc
 include whitelist-run-common.inc
 include whitelist-runuser-common.inc
@@ -65,7 +66,7 @@ tracelog
 
 disable-mnt
 # Add more private-bin lines for browsers or video players to chatterino.local if wanted.
-private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc,waf
+private-bin chatterino,cvlc,env,ffmpeg,mpv,nvlc,pgrep,python*,qvlc,rvlc,streamlink,svlc,vlc
 # private-cache may cause issues with mpv (see #2838)
 private-cache
 private-dev
-- 
cgit v1.2.3-70-g09d2