From 096b27c6b34801feb89748639e9588a0cf478aa7 Mon Sep 17 00:00:00 2001
From: Tad
Date: Mon, 23 Nov 2020 16:51:27 -0500
Subject: Add a profile for Lutris
- Lutris isn't added to firecfg just yet, needs more testing
- aria2c profile has a comment regarding Lutris/Winetricks, but it shouldn't matter since it can't be nested
- Add commented wusc to wine.profile
- Add vulkan and zenity to wusc.inc
---
 README.md | 2 +-
 RELNOTES | 2 +-
 etc/inc/disable-programs.inc | 4 ++
 etc/inc/whitelist-usr-share-common.inc | 2 +
 etc/profile-a-l/lutris.profile | 74 ++++++++++++++++++++++++++++++++++
 etc/profile-m-z/wine.profile | 3 ++
 6 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 etc/profile-a-l/lutris.profile
diff --git a/README.md b/README.md
index a9a89a63c..9df16da7e 100644
--- a/README.md
+++ b/README.md
@@ -194,4 +194,4 @@ Stats:
 ### New profiles:
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris
diff --git a/RELNOTES b/RELNOTES
index 8662125f5..3d6fa5adb 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,7 +4,7 @@ firejail (0.9.65) baseline; urgency=low
 * allow AF_BLUETOOTH via --protocol=bluetooth
 * new profiles: spectacle, chromium-browser-privacy, gtk-straw-viewer
 * new profiles: gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer
- * new profiles: straw-viewer
+ * new profiles: straw-viewer, lutris
 -- netblue30 Wed, 21 Oct 2020 09:00:00 -0500
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 976f988b2..942dbb2bc 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -293,6 +293,7 @@ blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
 blacklist ${HOME}/.config/lugaru
+blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
 blacklist ${HOME}/.config/mailtransports
 blacklist ${HOME}/.local/share/man
@@ -662,6 +663,7 @@ blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
 blacklist ${HOME}/.local/share/lugaru
+blacklist ${HOME}/.local/share/lutris
 blacklist ${HOME}/.local/share/mana
 blacklist ${HOME}/.local/share/maps-places.json
 blacklist ${HOME}/.local/share/meld
@@ -933,6 +935,7 @@ blacklist ${HOME}/.cache/kube
 blacklist ${HOME}/.cache/kwin
 blacklist ${HOME}/.cache/libgweather
 blacklist ${HOME}/.cache/liferea
+blacklist ${HOME}/.cache/lutris
 blacklist ${HOME}/.cache/Mendeley Ltd.
 blacklist ${HOME}/.cache/midori
 blacklist ${HOME}/.cache/minetest
@@ -988,6 +991,7 @@ blacklist ${HOME}/.cache/vmware
 blacklist ${HOME}/.cache/warsow-2.1
 blacklist ${HOME}/.cache/waterfox
 blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/winetricks
 blacklist ${HOME}/.cache/xmms2
 blacklist ${HOME}/.cache/xreader
 blacklist ${HOME}/.cache/yandex-browser
diff --git a/etc/inc/whitelist-usr-share-common.inc b/etc/inc/whitelist-usr-share-common.inc
index de4ae2101..785a1d7d4 100644
--- a/etc/inc/whitelist-usr-share-common.inc
+++ b/etc/inc/whitelist-usr-share-common.inc
@@ -60,6 +60,8 @@ whitelist /usr/share/texlive
 whitelist /usr/share/texmf
 whitelist /usr/share/themes
 whitelist /usr/share/thumbnail.so
+whitelist /usr/share/vulkan
 whitelist /usr/share/X11
 whitelist /usr/share/xml
+whitelist /usr/share/zenity
 whitelist /usr/share/zoneinfo
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
new file mode 100644
index 000000000..fabf57861
--- /dev/null
+++ b/etc/profile-a-l/lutris.profile
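Review bot: The new `blacklist ${HOME}/.cache/winetricks` in the `@@ -988,6 +991,7 @@` hunk of disable-programs.inc applies to every profile that includes this file, but this patch adds the matching `noblacklist ${HOME}/.cache/winetricks` only to lutris.profile and wine.profile. Any other profile that runs winetricks would lose access to its cache after this change; none is visible in this patch, so the rest of etc/ should be checked before merging. The three lutris entries in the earlier hunks pair with the noblacklist lines in the new profile and raise no concern.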
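Review bot: `whitelist /usr/share/zenity` goes into whitelist-usr-share-common.inc, a shared include, so the directory becomes visible in every sandbox that pulls this file in, not only in the Lutris one. lutris.profile already carries its own `whitelist /usr/share/lutris` and `whitelist /usr/share/wine`; unless other profiles are known to need zenity, the narrower placement is `whitelist /usr/share/zenity` next to those two lines. `/usr/share/vulkan` is more plausibly a common requirement for GPU applications, though the patch itself does not say which profiles need it.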
@@ -0,0 +1,74 @@
+# Firejail profile for lutris
+# Description: Multi-library game handler with special support for Wine
+# This file is overwritten after every install/update
+# Persistent local customizations
+include lutris.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${PATH}/llvm*
+noblacklist ${HOME}/Games
+noblacklist ${HOME}/.cache/lutris
+noblacklist ${HOME}/.cache/winetricks
+noblacklist ${HOME}/.config/lutris
+noblacklist ${HOME}/.local/share/lutris
+# noblacklist ${HOME}/.wine
+noblacklist /tmp/.wine-*
+
+ignore noexec ${HOME}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/Games
+mkdir ${HOME}/.cache/lutris
+mkdir ${HOME}/.cache/winetricks
+mkdir ${HOME}/.config/lutris
+mkdir ${HOME}/.local/share/lutris
+# mkdir ${HOME}/.wine
+whitelist ${HOME}/Downloads
+whitelist ${HOME}/Games
+whitelist ${HOME}/.cache/lutris
+whitelist ${HOME}/.cache/winetricks
+whitelist ${HOME}/.config/lutris
+whitelist ${HOME}/.local/share/lutris
+# whitelist ${HOME}/.wine
+whitelist /usr/share/lutris
+whitelist /usr/share/wine
+include whitelist-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
+include whitelist-var-common.inc
+
+# allow-debuggers
+# apparmor
+caps.drop all
+ipc-namespace
+# net none
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+# comment the following line if you don't need controller support
+# private-dev
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 901340052..6ac74b9da 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
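Review bot: In the new lutris.profile, `ignore noexec ${HOME}` cancels the home-directory noexec that `include disable-exec.inc` presumably applies, so every whitelisted path under ${HOME} is both writable and executable inside the sandbox, including `${HOME}/Downloads`. The line carries no explanation; I would add a comment such as `# games and Wine prefixes under ${HOME} must be executable`. If installers are never launched from the download directory, `noexec ${HOME}/Downloads` would restore the restriction there, though that needs testing with Wine. Separately, the comment above `# private-dev` tells the user to comment a line that is already commented out; since private-dev is what one would enable without controllers, it should read `# uncomment the following line if you don't need controller support`.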
@@ -6,6 +6,7 @@ include wine.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.cache/winetricks
 noblacklist ${HOME}/.Steam
 noblacklist ${HOME}/.local/share/Steam
 noblacklist ${HOME}/.local/share/steam
@@ -19,6 +20,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+# whitelist /usr/share/wine
+# include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 # some applications don't need allow-debuggers, comment the next line
--
cgit v1.2.3-70-g09d2
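Review bot: The two lines added in the `@@ -19,6 +20,8 @@` hunk of wine.profile, `# whitelist /usr/share/wine` and `# include whitelist-usr-share-common.inc`, are committed disabled with nothing in the file saying why or when to enable them. A reader cannot tell whether they are a tested opt-in restriction or an untested draft. A lead-in comment stating what they do when enabled would settle it, for example `# optional: restrict /usr/share to the whitelisted directories`. The profile continues outside this hunk, so an explanation may already exist elsewhere in the file.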