From 59ed39ec460743e97bcce22e62d27ba0a569b82f Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 28 Jul 2023 12:48:01 -0300
Subject: build: fix shellcheck issues in mkrpm.sh/compile.sh

---
 platform/rpm/mkrpm.sh | 29 +++++++++++++++--------------
 test/compile/compile.sh | 38 +++++++++++++++++++-------------------
 2 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index d32ccd360..de26ca8d1 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -8,18 +8,18 @@
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
 
-name=$1
+name="$1"
 # Strip any trailing prefix from the version like -rc1 etc
-version=$(echo "$2" | sed 's/\-.*//g')
-config_opt=$3
+version="$(printf '%s\n' "$2" | sed 's/\-.*//g')"
+config_opt="$3"
 
-if [[ ! -f platform/rpm/${name}.spec ]]; then
- echo error: spec file not found for name \"${name}\"
+if [[ ! -f "platform/rpm/${name}.spec" ]]; then
+ printf 'error: spec file not found for name %s\n' "${name}" >&2
 exit 1
 fi
 
 if [[ -z "${version}" ]]; then
- echo error: version must be given
+ printf 'error: version must be given\n' >&2
 exit 1
 fi
 
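Review bot: The new `version=` line still spawns printf and sed for a strip that a parameter expansion does in-process, and `\-` is an undefined escape in a POSIX basic regex (GNU sed reads it as a literal `-`, other seds may not); for a single-line value, `version="${2%%-*}"` produces the same result without the pipeline. If the sed form is kept, the backslash and the redundant `g` flag can go: `sed 's/-.*//'`. The rewritten error message also dropped the quotes the old `echo` printed around the name, which made an empty or whitespace-only `$1` visible in the output; `printf 'error: spec file not found for name "%s"\n' "${name}" >&2` keeps that while still going to stderr.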
@@ -28,26 +28,27 @@ if [[ -z "${config_opt}" ]]; then
 fi
 
 # Make a temporary directory and arrange to clean up on exit
-tmpdir=$(mktemp -d)
-mkdir -p ${tmpdir}/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+tmpdir="$(mktemp -d)"
+mkdir -p "${tmpdir}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
 function cleanup {
- rm -rf ${tmpdir}
+ rm -rf "${tmpdir}"
 }
 trap cleanup EXIT
 
 # Create the spec file
-tmp_spec_file=${tmpdir}/SPECS/${name}.spec
+tmp_spec_file="${tmpdir}/SPECS/${name}.spec"
 sed -e "s/__NAME__/${name}/g" \
 -e "s/__VERSION__/${version}/g" \
 -e "s/__CONFIG_OPT__/${config_opt}/g" \
- platform/rpm/${name}.spec >${tmp_spec_file}
+ "platform/rpm/${name}.spec" >"${tmp_spec_file}"
 # FIXME: We could parse RELNOTES and create a %changelog section here
 
 # Copy the source to build into a tarball
-tar --exclude='./.git*' --transform "s/^./${name}-${version}/" -czf ${tmpdir}/SOURCES/${name}-${version}.tar.gz .
+tar --exclude='./.git*' --transform "s/^./${name}-${version}/" \
+ -czf "${tmpdir}/SOURCES/${name}-${version}.tar.gz" .
 
 # Build the files (rpm, debug rpm and source rpm)
-rpmbuild --quiet --define "_topdir ${tmpdir}" -ba ${tmp_spec_file}
+rpmbuild --quiet --define "_topdir ${tmpdir}" -ba "${tmp_spec_file}"
 
 # Copy the results to cwd
-mv ${tmpdir}/SRPMS/*.rpm ${tmpdir}/RPMS/*/*rpm .
+mv "${tmpdir}/SRPMS"/*.rpm "${tmpdir}/RPMS"/*/*rpm .
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index da6e43a5a..06b4646a8 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -79,7 +79,7 @@ echo "$DIST"
 
 tar -xJvf ../../"$DIST.tar.xz"
 mv "$DIST" firejail
-cd firejail
+cd firejail || exit 1
 ./configure --prefix=/usr --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
 cd ..
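Review bot: `tmpdir="$(mktemp -d)"` is quoted now but still unchecked, so if mktemp fails `tmpdir` is empty, the next line's `"${tmpdir}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}` expands to `/BUILD`, `/RPMS` and so on at the filesystem root, and the trap's `rm -rf "${tmpdir}"` runs on an empty string; `tmpdir="$(mktemp -d)" || exit 1` together with `rm -rf -- "${tmpdir:?}"` in cleanup closes both holes. I cannot see whether `set -e` is enabled above this hunk, so I would not rely on it. Separately, the unchanged `sed -e "s/__NAME__/…" -e "s/__VERSION__/…" -e "s/__CONFIG_OPT__/${config_opt}/g"` splices all three values straight into the sed script, so a `/`, `&` or `\` in any of them alters or breaks the substitution; if those values can ever come from outside the Makefile they need validating before this point.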
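Review bot: `cd firejail || exit 1` now aborts on a failed cd, but the `./configure … 2>&1 | tee ../output-configure` and `make -j4 2>&1 | tee ../output-make` pipelines on the following lines still return tee's status, so a failed configure or build is not caught and the script carries on to the next test. If a build failure is meant to stop the run, either `set -o pipefail` near the top of the script (outside this hunk) or a check such as `[[ ${PIPESTATUS[0]} -eq 0 ]] || exit 1` after each pipeline is needed; if the script deliberately keeps going and inspects the output files, a comment saying so would prevent the next shellcheck pass from "fixing" it. The same applies to the otherwise identical `cd firejail || exit 1` hunks from -95 through -385 below.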
@@ -95,7 +95,7 @@ rm output-configure output-make
 # - disable dbus proxy configuration
 #*****************************************************************
 print_title "${arr[2]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-dbusproxy --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -112,7 +112,7 @@ rm output-configure output-make
 # - disable chroot configuration
 #*****************************************************************
 print_title "${arr[3]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-chroot --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -129,7 +129,7 @@ rm output-configure output-make
 # - disable firetunnel configuration
 #*****************************************************************
 print_title "${arr[4]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-firetunnel --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -146,7 +146,7 @@ rm output-configure output-make
 # - disable user namespace configuration
 #*****************************************************************
 print_title "${arr[5]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-userns --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -164,7 +164,7 @@ rm output-configure output-make
 # - check compilation
 #*****************************************************************
 print_title "${arr[6]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-network --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -181,7 +181,7 @@ rm output-configure output-make
 # - disable X11 support
 #*****************************************************************
 print_title "${arr[7]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-x11 --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -198,7 +198,7 @@ rm output-configure output-make
 # - enable selinux
 #*****************************************************************
 print_title "${arr[8]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-selinux --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -215,7 +215,7 @@ rm output-configure output-make
 # - disable file transfer
 #*****************************************************************
 print_title "${arr[9]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-file-transfer --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -232,7 +232,7 @@ rm output-configure output-make
 # - disable whitelist
 #*****************************************************************
 print_title "${arr[10]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-whitelist --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -249,7 +249,7 @@ rm output-configure output-make
 # - disable global config
 #*****************************************************************
 print_title "${arr[11]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-globalcfg --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -266,7 +266,7 @@ rm output-configure output-make
 # - enable apparmor
 #*****************************************************************
 print_title "${arr[12]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-apparmor --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -283,7 +283,7 @@ rm output-configure output-make
 # - enable busybox workaround
 #*****************************************************************
 print_title "${arr[13]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-busybox-workaround --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -300,7 +300,7 @@ rm output-configure output-make
 # - disable overlayfs
 #*****************************************************************
 print_title "${arr[14]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-overlayfs --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -317,7 +317,7 @@ rm output-configure output-make
 # - disable private home
 #*****************************************************************
 print_title "${arr[15]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -334,7 +334,7 @@ rm output-configure output-make
 # - disable manpages
 #*****************************************************************
 print_title "${arr[16]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-man --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -351,7 +351,7 @@ rm output-configure output-make
 # - disable tmpfs as regular user"
 #*****************************************************************
 print_title "${arr[17]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-usertmpfs --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -368,7 +368,7 @@ rm output-configure output-make
 # - disable private home feature
 #*****************************************************************
 print_title "${arr[18]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --disable-private-home --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
@@ -385,7 +385,7 @@ rm output-configure output-make
 # - enable ids
 #*****************************************************************
 print_title "${arr[19]}"
-cd firejail
+cd firejail || exit 1
 make distclean
 ./configure --prefix=/usr --enable-ids --enable-fatal-warnings 2>&1 | tee ../output-configure
 make -j4 2>&1 | tee ../output-make
-- 
cgit v1.2.3-70-g09d2

From 200f389ed0f56ba42160fe135e3701757a8df94c Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 28 Jul 2023 13:05:54 -0300
Subject: build: use config.sh in more scripts

This removes the need to manually pass variables such as `$(TARNAME)` and `$(VERSION)` to shell scripts in the root Makefile.

Relates to #5140.
---
 Makefile | 8 ++++----
 mkasc.sh | 2 +-
 platform/rpm/mkrpm.sh | 11 +++++++----
 test/compile/compile.sh | 5 +++--
 4 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/Makefile b/Makefile
index 03ae71026..3055e226a 100644
--- a/Makefile
+++ b/Makefile
@@ -347,12 +347,12 @@ deb: dist config.sh
 ./mkdeb.sh
 
 .PHONY: test-compile
-test-compile: dist config.mk
- cd test/compile; ./compile.sh $(TARNAME)-$(VERSION)
+test-compile: dist config.sh
+ cd test/compile; ./compile.sh
 
 .PHONY: rpms
-rpms: src/man config.mk
- ./platform/rpm/mkrpm.sh $(TARNAME) $(VERSION)
+rpms: src/man config.sh
+ ./platform/rpm/mkrpm.sh
 
 .PHONY: extras
 extras: all
diff --git a/mkasc.sh b/mkasc.sh
index 62c1b1180..0314c20e5 100755
--- a/mkasc.sh
+++ b/mkasc.sh
@@ -3,7 +3,7 @@
 # Copyright (C) 2014-2023 Firejail Authors
 # License GPL v2
 
-. "$(dirname "$0")/config.sh"
+. "$(dirname "$0")/config.sh" || exit 1
 
 printf 'Calculating SHA256 for all files in /transfer - %s version %s' "$TARNAME" "$VERSION"
 
diff --git a/platform/rpm/mkrpm.sh b/platform/rpm/mkrpm.sh
index de26ca8d1..0572480c6 100755
--- a/platform/rpm/mkrpm.sh
+++ b/platform/rpm/mkrpm.sh
@@ -3,15 +3,18 @@
 # Copyright (C) 2014-2023 Firejail Authors
 # License GPL v2
 #
-# Usage: ./platform/rpm/mkrpm.sh firejail ""
+# Usage: ./platform/rpm/mkrpm.sh
 #
 # Builds rpms in a temporary directory then places the result in the
 # current working directory.
 
-name="$1"
+# shellcheck source=config.sh
+. "$(dirname "$0")/../../config.sh" || exit 1
+
+name="$TARNAME"
 # Strip any trailing prefix from the version like -rc1 etc
-version="$(printf '%s\n' "$2" | sed 's/\-.*//g')"
-config_opt="$3"
+version="$(printf '%s\n' "$VERSION" | sed 's/\-.*//g')"
+config_opt="$*"
 
 if [[ ! -f "platform/rpm/${name}.spec" ]]; then
 printf 'error: spec file not found for name %s\n' "${name}" >&2
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index 06b4646a8..0e3425f8d 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
@@ -11,7 +11,8 @@
 # install contrib scripts
 # --enable-analyzer enable GCC 10 static analyzer
 
-
+# shellcheck source=config.sh
+. "$(dirname "$0")/../../config.sh" || exit 1
 
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile dbus proxy disabled"
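Review bot: The rewritten `test-compile` recipe keeps `cd test/compile; ./compile.sh`, and `;` does not short-circuit, so if the cd fails make still runs `./compile.sh` from the repository root, where that path does not exist, and only then fails with a misleading error. `cd test/compile && ./compile.sh` makes the recipe fail at the cd itself. The pattern is pre-existing (the removed line had it too), but since this commit rewrites the line it is the natural moment to fix it.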
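Review bot: `config_opt="$*"` now takes the configure options from the command line, but the unchanged `sed -e "s/__CONFIG_OPT__/${config_opt}/g"` further down the script (outside this hunk) uses `/` as its delimiter, so any option containing a slash — `--prefix=/usr`, for example — becomes a sed syntax error, and `&` or `\` in an option would be interpreted rather than copied into the spec. Either move that substitution to a delimiter the options cannot contain and escape the remaining specials, or reject such values here: `case "$config_opt" in */*|*'&'*|*\\*) printf 'error: unsupported character in configure options\n' >&2; exit 1;; esac`. The `version=` line could also drop its pipeline, since `version="${VERSION%%-*}"` removes the same `-rc1`-style suffix with a parameter expansion.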
@@ -51,7 +52,7 @@ print_title() {
 echo "**************************************************"
 }
 
-DIST="$1"
+DIST="$(TARNAME)-$(VERSION)"
 while [[ $# -gt 0 ]]; do # Until you run out of parameters . . .
 case "$1" in
 --clean)
-- 
cgit v1.2.3-70-g09d2

From c9666ebd08d68c06189d6ec8847bdf3158d0ee95 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Sat, 29 Jul 2023 21:57:17 -0300
Subject: RELNOTES: add build items

Relates to #5916 #5927.
---
 RELNOTES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/RELNOTES b/RELNOTES
index ac0136239..d6ffdc3b2 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -38,6 +38,8 @@ firejail (0.9.73) baseline; urgency=low
 make
 * build: simplify code related to man pages (#5898)
 * build: fix hardcoded make & remove unnecessary distclean targets (#5911)
+ * build: dist and asc improvements (#5916)
+ * build: fix some shellcheck issues & use config.sh in more scripts (#5927)
 * ci: always update the package db before installing packages (#5742)
 * ci: fix codeql unable to download its own bundle (#5783)
 * ci: split configure/build/install commands on gitlab (#5784)
-- 
cgit v1.2.3-70-g09d2

From b4cef6dfbd209ee3b8ddec191ddd86f3dabde965 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 31 Jul 2023 06:43:29 +0000
Subject: build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.4.1 to 2.5.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/55d479fb1c5bcad5a4f9099a5d9f37c8857b2845...cba0d00b1fc9a034e1e642ea0f1103c282990604)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
 dependency-type: direct:production
 update-type: version-update:semver-minor
...
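Review bot: `DIST="$(TARNAME)-$(VERSION)"` uses Makefile syntax inside a shell script: in bash `$(TARNAME)` is a command substitution, so the shell tries to execute a command named `TARNAME`, prints a "command not found" error to stderr, and `DIST` ends up as `-`, which then breaks the `tar -xJvf ../../"$DIST.tar.xz"` further down the file. The variables sourced from config.sh must be expanded as shell variables: `DIST="${TARNAME}-${VERSION}"`. A quick `bash -n` does not catch this, so running the script once locally before merging would have; the argument loop that follows is outside this hunk.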
Signed-off-by: dependabot[bot] --- .github/workflows/build-extra.yml | 10 +++++----- .github/workflows/build.yml | 2 +- .github/workflows/codeql-analysis.yml | 2 +- .github/workflows/profile-checks.yml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 8754e7eff..0a9628d31 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -54,7 +54,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: block allowed-endpoints: > @@ -84,7 +84,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: block allowed-endpoints: > @@ -110,7 +110,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: block allowed-endpoints: > @@ -132,7 +132,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: block allowed-endpoints: > @@ -150,7 +150,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 32dbaf8cc..a53260e64 100644 --- a/.github/workflows/build.yml 
+++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: SHELL: /bin/bash steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: egress-policy: block allowed-endpoints: > diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 34d5bcc27..73607fada 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -75,7 +75,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: disable-sudo: true egress-policy: block diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 0e7403508..8d4e5ba28 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml @@ -24,7 +24,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 with: disable-sudo: true egress-policy: block -- cgit v1.2.3-70-g09d2 From 5986fe1ae4b7bc32164690392acfdad7e14c05a5 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 31 Jul 2023 06:43:32 +0000 Subject: build(deps): bump github/codeql-action from 2.21.0 to 2.21.2 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.0 to 2.21.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8...0ba4244466797eb048eb91a6cd43d5c03ca8bd05) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql-analysis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 73607fada..4b9aaa7d6 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -93,7 +93,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 + uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -104,7 +104,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 + uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl 
@@ -118,4 +118,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 + uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 -- cgit v1.2.3-70-g09d2 From a7d92e1d8b541bffc2e2ceda4a070bc7cb4267e5 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Mon, 31 Jul 2023 11:22:31 +0000 Subject: thunderbird: D-Bus hardening (#5913) --- etc/profile-m-z/thunderbird.profile | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/etc/profile-m-z/thunderbird.profile b/etc/profile-m-z/thunderbird.profile index f2405a7d3..17e2f0856 100644 --- a/etc/profile-m-z/thunderbird.profile +++ b/etc/profile-m-z/thunderbird.profile @@ -8,9 +8,17 @@ include globals.local ignore include whitelist-runuser-common.inc -# writable-run-user and dbus are needed by enigmail +# TB stopped supporting enigmail in 2020 (v78) - let's harden D-Bus +# https://support.mozilla.org/en-US/kb/openpgp-thunderbird-howto-and-faq ignore dbus-user none -ignore dbus-system none +dbus-user filter +dbus-user.own org.mozilla.thunderbird.* +dbus-user.talk ca.desrt.dconf +dbus-user.talk org.freedesktop.Notifications +# allow D-Bus communication with firefox for opening links +dbus-user.talk org.mozilla.* +# e2ee email needs writable-run-user +# https://support.mozilla.org/en-US/kb/introduction-to-e2e-encryption writable-run-user # If you want to read local mail stored in /var/mail edit /etc/apparmor.d/firejail-default accordingly -- cgit v1.2.3-70-g09d2 From 95184d8c2ed5e41c6f44ecc442bf02f7b2371ae1 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Mon, 31 Jul 2023 11:23:19 +0000 Subject: gramps: bring in new config directory (#5933) * disable-programs.inc: add new gramps dir * gramps: add new config dir --- etc/inc/disable-programs.inc | 1 + etc/profile-a-l/gramps.profile | 3 +++ 2 files changed, 4 insertions(+) 
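Review bot: `dbus-user.talk org.mozilla.*` lets Thunderbird talk to every session-bus name under `org.mozilla.`, which is wider than the "communication with firefox for opening links" the comment above it describes; if Firefox is the only intended peer, restricting the rule to its own names (e.g. `org.mozilla.firefox.*`) keeps the new filter as tight as the rest of the block. Dropping `ignore dbus-system none` means the system-bus policy now comes from whatever the included profiles set, which is not visible in this hunk; worth confirming Thunderbird still works with that default before release, and a short comment recording why the override was removed would help the next reader.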
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index b0d1b7a66..6e542d968 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -472,6 +472,7 @@ blacklist ${HOME}/.config/google-chrome blacklist ${HOME}/.config/google-chrome-beta blacklist ${HOME}/.config/google-chrome-unstable blacklist ${HOME}/.config/gpicview +blacklist ${HOME}/.config/gramps blacklist ${HOME}/.config/gthumb blacklist ${HOME}/.config/gummi blacklist ${HOME}/.config/guvcview2 diff --git a/etc/profile-a-l/gramps.profile b/etc/profile-a-l/gramps.profile index 5073e79c9..4b142e404 100644 --- a/etc/profile-a-l/gramps.profile +++ b/etc/profile-a-l/gramps.profile @@ -6,6 +6,7 @@ include gramps.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.config/gramps noblacklist ${HOME}/.gramps # Allow python (blacklisted by disable-interpreters.inc) @@ -19,7 +20,9 @@ include disable-interpreters.inc include disable-programs.inc include disable-xdg.inc +mkdir ${HOME}/.config/gramps mkdir ${HOME}/.gramps +whitelist ${HOME}/.config/gramps whitelist ${HOME}/.gramps include whitelist-common.inc include whitelist-var-common.inc -- cgit v1.2.3-70-g09d2 From b76dc25f1b1fc12d784026e1e679834b6b4d3540 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Wed, 2 Aug 2023 19:53:00 +0000 Subject: New profile: daisy (#5935) * firecfg.config: add daisy support * Create daisy.profile --- etc/profile-a-l/daisy.profile | 64 +++++++++++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 2 files changed, 65 insertions(+) create mode 100644 etc/profile-a-l/daisy.profile diff --git a/etc/profile-a-l/daisy.profile b/etc/profile-a-l/daisy.profile new file mode 100644 index 000000000..4f1c80f23 --- /dev/null +++ b/etc/profile-a-l/daisy.profile 
@@ -0,0 +1,64 @@ +# Firejail profile for daisy +# Description: TUI scientific calculator with support for units +# This file is overwritten after every install/update +# Persistent local customizations +include daisy.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +#include disable-X11.inc - x11 none +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +net none +no3d +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +# block socket syscall to simulate empty protocol option (see #639) +seccomp socket +seccomp.block-secondary +tracelog +x11 none + +disable-mnt +private +private-bin daisy +private-cache +private-dev +private-etc +private-lib +private-opt none +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +restrict-namespaces diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index ce69738eb..6a0b46532 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -182,6 +182,7 @@ crow cryptocat cvlc cyberfox +daisy darktable dconf-editor ddgr -- cgit v1.2.3-70-g09d2 From 61351c0d06fea90c0c699ca80ec30ec00a430988 Mon Sep 17 00:00:00 2001 
From: glitsj16 Date: Wed, 2 Aug 2023 19:54:29 +0000 Subject: New profile: reader (#5934) * Create reader.profile * firecfg.config: add reader support * reader: integrate review suggestions - blacklist whole ${RUNUSER} - drop x11 none * reader: fix 'x11 none' --- etc/profile-m-z/reader.profile | 63 ++++++++++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 2 files changed, 64 insertions(+) create mode 100644 etc/profile-m-z/reader.profile diff --git a/etc/profile-m-z/reader.profile b/etc/profile-m-z/reader.profile new file mode 100644 index 000000000..050c46d53 --- /dev/null +++ b/etc/profile-m-z/reader.profile @@ -0,0 +1,63 @@ +# Firejail profile for reader +# Description: Better readability of web pages on the CLI +# This file is overwritten after every install/update +# Persistent local customizations +include reader.local +# Persistent global definitions +include globals.local + +blacklist ${RUNUSER} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-proc.inc +include disable-programs.inc +include disable-shell.inc +include disable-xdg.inc + +include whitelist-common.inc +include whitelist-run-common.inc +include whitelist-runuser-common.inc +include whitelist-usr-share-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +machine-id +netfilter +no3d +nodvd +nogroups +noinput +nonewprivs +noprinters +noroot +nosound +notv +nou2f +novideo +protocol inet +seccomp +seccomp.block-secondary +tracelog +x11 none + +disable-mnt +private +private-bin reader +private-cache +private-dev +private-etc @network,@tls-ca +private-lib +private-opt none +private-tmp + +dbus-user none +dbus-system none + +memory-deny-write-execute +read-only ${HOME} +restrict-namespaces diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 6a0b46532..a89add9d0 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -721,6 +721,7 @@ qupzilla qutebrowser raincat rambox +reader redeclipse rednotebook redshift -- cgit v1.2.3-70-g09d2 From 5e0f35b0cb62b434d2efe19996c194f70ab8b37b Mon Sep 17 00:00:00 2001 From: CodeWithMa <101021254+CodeWithMa@users.noreply.github.com> Date: Wed, 2 Aug 2023 08:32:11 +0200 Subject: mpv.profile: add new XDG_STATE_HOME path The new version of mpv changed the path of the watch_later folder to ~/.local/state/mpv/watch_later. See https://github.com/mpv-player/mpv/pull/10838 --- etc/inc/disable-programs.inc | 1 + etc/profile-m-z/mpv.profile | 3 +++ 2 files changed, 4 insertions(+) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 6e542d968..d2ae55867 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -1047,6 +1047,7 @@ blacklist ${HOME}/.local/share/xreader blacklist ${HOME}/.local/share/zathura blacklist ${HOME}/.local/state/ani-cli blacklist ${HOME}/.local/state/audacity +blacklist ${HOME}/.local/state/mpv blacklist ${HOME}/.local/state/pipewire blacklist ${HOME}/.lv2 blacklist ${HOME}/.lyx diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index fd35483be..d1bbdd167 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile @@ -28,6 +28,7 @@ noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.config/yt-dlp noblacklist ${HOME}/.config/yt-dlp.conf +noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.netrc noblacklist ${HOME}/yt-dlp.conf noblacklist ${HOME}/yt-dlp.conf.txt @@ -50,11 +51,13 @@ include disable-shell.inc read-only ${DESKTOP} mkdir ${HOME}/.config/mpv +mkdir ${HOME}/.local/state/mpv mkfile ${HOME}/.netrc whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.config/yt-dlp whitelist ${HOME}/.config/yt-dlp.conf +whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.netrc whitelist ${HOME}/yt-dlp.conf whitelist ${HOME}/yt-dlp.conf.txt -- cgit v1.2.3-70-g09d2 
From ff04543e93f4963cd21ee04e51ba5f99a4b2c8db Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 3 Aug 2023 09:32:15 -0300 Subject: mpv.profile: add new XDG_CACHE_HOME path mpv v0.36.0 uses ~/.cache/mpv[1] [2]: Relates to #2838 #5936. [1] https://github.com/mpv-player/mpv/releases/tag/v0.36.0 [2] https://github.com/mpv-player/mpv/pull/10838 --- etc/inc/disable-programs.inc | 1 + etc/profile-m-z/mpv.profile | 3 +++ 2 files changed, 4 insertions(+) diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index d2ae55867..4dac9e3e4 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -171,6 +171,7 @@ blacklist ${HOME}/.cache/mirage blacklist ${HOME}/.cache/moonchild productions/basilisk blacklist ${HOME}/.cache/moonchild productions/pale moon blacklist ${HOME}/.cache/mozilla +blacklist ${HOME}/.cache/mpv blacklist ${HOME}/.cache/ms-excel-online blacklist ${HOME}/.cache/ms-office-online blacklist ${HOME}/.cache/ms-onenote-online diff --git a/etc/profile-m-z/mpv.profile b/etc/profile-m-z/mpv.profile index d1bbdd167..af8f00c0c 100644 --- a/etc/profile-m-z/mpv.profile +++ b/etc/profile-m-z/mpv.profile @@ -24,6 +24,7 @@ include globals.local #include allow-bin-sh.inc #private-bin sh +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl noblacklist ${HOME}/.config/yt-dlp @@ -50,9 +51,11 @@ include disable-programs.inc include disable-shell.inc read-only ${DESKTOP} +mkdir ${HOME}/.cache/mpv mkdir ${HOME}/.config/mpv mkdir ${HOME}/.local/state/mpv mkfile ${HOME}/.netrc +whitelist ${HOME}/.cache/mpv whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/youtube-dl whitelist ${HOME}/.config/yt-dlp -- cgit v1.2.3-70-g09d2 From f703bf62354cc5a5cece28ba0827d72750647b65 Mon Sep 17 00:00:00 2001 
From: "Kelvin M. Klann" Date: Thu, 3 Aug 2023 10:11:27 -0300 Subject: mpsyt.profile: stop creating config paths for mpv/youtube-dl The programs in question do not create these files; they have to be created manually. --- etc/profile-m-z/mpsyt.profile | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile index e73e3142c..dc6d64e83 100644 --- a/etc/profile-m-z/mpsyt.profile +++ b/etc/profile-m-z/mpsyt.profile @@ -32,8 +32,6 @@ include disable-shell.inc include disable-xdg.inc mkdir ${HOME}/.config/mps-youtube -mkdir ${HOME}/.config/mpv -mkdir ${HOME}/.config/youtube-dl mkdir ${HOME}/.mplayer mkdir ${HOME}/mps whitelist ${HOME}/.config/mps-youtube -- cgit v1.2.3-70-g09d2 From d765b69e1d4c6d6db011b35417658c3c0c453687 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Thu, 3 Aug 2023 10:15:02 -0300 Subject: profiles: add cache/state paths for mpv On the profiles that allow ~/.config/mpv. Relates to #5936. --- etc/profile-a-l/chatterino.profile | 2 ++ etc/profile-a-l/firefox-common-addons.profile | 4 ++++ etc/profile-m-z/QMediathekView.profile | 4 ++++ etc/profile-m-z/mediathekview.profile | 2 ++ etc/profile-m-z/mpsyt.profile | 4 ++++ etc/profile-m-z/rtv-addons.profile | 4 ++++ etc/profile-m-z/smtube.profile | 6 ++++-- etc/profile-m-z/youtube-viewers-common.profile | 2 ++ 8 files changed, 26 insertions(+), 2 deletions(-) diff --git a/etc/profile-a-l/chatterino.profile b/etc/profile-a-l/chatterino.profile index 2df03b10b..2a77b6fd6 100644 --- a/etc/profile-a-l/chatterino.profile +++ b/etc/profile-a-l/chatterino.profile 
@@ -12,11 +12,13 @@ include globals.local #whitelist ${MUSIC} # Also allow access to mpv/vlc, they're usable via streamlink. +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/pulse noblacklist ${HOME}/.config/vlc noblacklist ${HOME}/.local/share/chatterino noblacklist ${HOME}/.local/share/vlc +noblacklist ${HOME}/.local/state/mpv # Allow Lua for mpv (blacklisted by disable-interpreters.inc) include allow-lua.inc diff --git a/etc/profile-a-l/firefox-common-addons.profile b/etc/profile-a-l/firefox-common-addons.profile index f12750fda..566e88bf8 100644 --- a/etc/profile-a-l/firefox-common-addons.profile +++ b/etc/profile-a-l/firefox-common-addons.profile @@ -11,6 +11,7 @@ ignore include whitelist-runuser-common.inc ignore private-cache +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.cache/youtube-dl noblacklist ${HOME}/.config/kgetrc noblacklist ${HOME}/.config/mpv @@ -32,9 +33,11 @@ noblacklist ${HOME}/.local/share/kget noblacklist ${HOME}/.local/share/kxmlgui5/okular noblacklist ${HOME}/.local/share/okular noblacklist ${HOME}/.local/share/qpdfview +noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.netrc whitelist ${HOME}/.cache/gnome-mplayer/plugin +whitelist ${HOME}/.cache/mpv whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs whitelist ${HOME}/.config/gnome-mplayer whitelist ${HOME}/.config/kgetrc @@ -62,6 +65,7 @@ whitelist ${HOME}/.local/share/kxmlgui5/okular whitelist ${HOME}/.local/share/okular whitelist ${HOME}/.local/share/qpdfview whitelist ${HOME}/.local/share/tridactyl +whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.netrc whitelist ${HOME}/.pentadactyl whitelist ${HOME}/.pentadactylrc diff --git a/etc/profile-m-z/QMediathekView.profile b/etc/profile-m-z/QMediathekView.profile index f8b5cec13..0e18b3cdf 100644 --- a/etc/profile-m-z/QMediathekView.profile +++ b/etc/profile-m-z/QMediathekView.profile 
@@ -9,6 +9,7 @@ include globals.local noblacklist ${HOME}/.config/QMediathekView noblacklist ${HOME}/.local/share/QMediathekView +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.config/totem @@ -16,6 +17,7 @@ noblacklist ${HOME}/.config/vlc noblacklist ${HOME}/.config/xplayer noblacklist ${HOME}/.local/share/totem noblacklist ${HOME}/.local/share/xplayer +noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.mplayer noblacklist ${VIDEOS} @@ -35,6 +37,7 @@ whitelist ${HOME}/.local/share/QMediathekView whitelist ${DOWNLOADS} whitelist ${VIDEOS} +whitelist ${HOME}/.cache/mpv whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/smplayer whitelist ${HOME}/.config/totem @@ -42,6 +45,7 @@ whitelist ${HOME}/.config/vlc whitelist ${HOME}/.config/xplayer whitelist ${HOME}/.local/share/totem whitelist ${HOME}/.local/share/xplayer +whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.mplayer whitelist /usr/share/qtchooser include whitelist-common.inc diff --git a/etc/profile-m-z/mediathekview.profile b/etc/profile-m-z/mediathekview.profile index 19ce6fcd1..ef0c8bcc9 100644 --- a/etc/profile-m-z/mediathekview.profile +++ b/etc/profile-m-z/mediathekview.profile @@ -6,6 +6,7 @@ include mediathekview.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.config/totem @@ -13,6 +14,7 @@ noblacklist ${HOME}/.config/vlc noblacklist ${HOME}/.config/xplayer noblacklist ${HOME}/.local/share/totem noblacklist ${HOME}/.local/share/xplayer +noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.mediathek3 noblacklist ${HOME}/.mplayer noblacklist ${VIDEOS} diff --git a/etc/profile-m-z/mpsyt.profile b/etc/profile-m-z/mpsyt.profile index dc6d64e83..e4f76855e 100644 --- a/etc/profile-m-z/mpsyt.profile +++ b/etc/profile-m-z/mpsyt.profile 
@@ -6,9 +6,11 @@ include mpsyt.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.config/mps-youtube noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/youtube-dl +noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.mplayer noblacklist ${HOME}/.netrc noblacklist ${HOME}/mps @@ -34,9 +36,11 @@ include disable-xdg.inc mkdir ${HOME}/.config/mps-youtube mkdir ${HOME}/.mplayer mkdir ${HOME}/mps +whitelist ${HOME}/.cache/mpv whitelist ${HOME}/.config/mps-youtube whitelist ${HOME}/.config/mpv whitelist ${HOME}/.config/youtube-dl +whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.mplayer whitelist ${HOME}/.netrc whitelist ${HOME}/mps diff --git a/etc/profile-m-z/rtv-addons.profile b/etc/profile-m-z/rtv-addons.profile index cc6db5043..3098cf0a0 100644 --- a/etc/profile-m-z/rtv-addons.profile +++ b/etc/profile-m-z/rtv-addons.profile @@ -11,13 +11,17 @@ ignore nosound ignore private-bin ignore dbus-user none +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.local/state/mpv noblacklist ${HOME}/.mailcap noblacklist ${HOME}/.netrc noblacklist ${HOME}/.w3m +whitelist ${HOME}/.cache/mpv whitelist ${HOME}/.cache/youtube-dl/youtube-sigfuncs whitelist ${HOME}/.config/mpv +whitelist ${HOME}/.local/state/mpv whitelist ${HOME}/.mailcap whitelist ${HOME}/.netrc whitelist ${HOME}/.w3m diff --git a/etc/profile-m-z/smtube.profile b/etc/profile-m-z/smtube.profile index b617444af..7debd4057 100644 --- a/etc/profile-m-z/smtube.profile +++ b/etc/profile-m-z/smtube.profile 
@@ -6,12 +6,14 @@ include smtube.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/mpv +noblacklist ${HOME}/.config/mpv noblacklist ${HOME}/.config/smplayer noblacklist ${HOME}/.config/smtube -noblacklist ${HOME}/.config/mpv -noblacklist ${HOME}/.mplayer noblacklist ${HOME}/.config/vlc noblacklist ${HOME}/.local/share/vlc +noblacklist ${HOME}/.local/state/mpv +noblacklist ${HOME}/.mplayer noblacklist ${MUSIC} noblacklist ${VIDEOS} diff --git a/etc/profile-m-z/youtube-viewers-common.profile b/etc/profile-m-z/youtube-viewers-common.profile index c9d2ea53b..5950c3639 100644 --- a/etc/profile-m-z/youtube-viewers-common.profile +++ b/etc/profile-m-z/youtube-viewers-common.profile @@ -7,8 +7,10 @@ include youtube-viewers-common.local # added by caller profile #include globals.local +noblacklist ${HOME}/.cache/mpv noblacklist ${HOME}/.cache/youtube-dl noblacklist ${HOME}/.config/mpv +noblacklist ${HOME}/.local/state/mpv # Allow lua (blacklisted by disable-interpreters.inc) include allow-lua.inc -- cgit v1.2.3-70-g09d2 From 30f9ad908e10857d529dae1901a4b48bddf08bb7 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 5 Aug 2023 15:45:01 -0300 Subject: build: improve comments in firecfg.config Remove the space after `#` for commented code and use `#` instead of `-` for comments at the end of the line. Commands used to search and replace: $ f=src/firecfg/firecfg.config; printf '%s\n' "$(sed -E \ -e '3,9999s/^# /#/' \ -e '3,9999s/^#([^ ]+) --? /#\1 # /' \ "$f")" >"$f" --- src/firecfg/firecfg.config | 72 +++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index a89add9d0..2c1219010 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config 
@@ -51,7 +51,7 @@ ani-cli anydesk apktool apostrophe -# ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#ar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) arch-audit archaudit-report ardour4 @@ -63,9 +63,9 @@ arm artha assogiate asunder -# atom -# atom-beta -# atool - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#atom +#atom-beta +#atool # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) atril atril-previewer atril-thumbnailer @@ -112,10 +112,10 @@ brave-browser-beta brave-browser-dev brave-browser-nightly brave-browser-stable -# bunzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# bzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#bunzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#bzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) bzflag -# bzip2 - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#bzip2 # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) cachy-browser calibre calligra @@ -236,14 +236,14 @@ enpass eog eom ephemeral -#epiphany - see #2995 +#epiphany # see #2995 equalx et etr evince evince-previewer evince-thumbnailer -#evolution - see #3647 +#evolution # see #3647 exfalso exiftool falkon @@ -319,7 +319,7 @@ git-cola gitg github-desktop gitter -# gjs -- https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 +#gjs # https://github.com/netblue30/firejail/issues/3333#issuecomment-612601102 gl-117 glaxium globaltime @@ -440,7 +440,7 @@ karbon kate kazam kcalc -# kdeinit4 +#kdeinit4 kdenlive kdiff3 keepass @@ -450,7 +450,7 @@ keepassx2 keepassxc keepassxc-cli keepassxc-proxy -# kfind +#kfind kget kid3 kid3-cli 
@@ -467,15 +467,15 @@ kodi konversation kopete krita -# krunner +#krunner ktorrent ktouch kube -# kwin_x11 +#kwin_x11 kwrite lbry-viewer leafpad -# less - breaks man +#less # breaks man librecad libreoffice librewolf @@ -500,12 +500,12 @@ lollypop lomath loweb lowriter -# lrunzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# lrz - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# lrzcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# lrzip - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# lrztar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# lrzuntar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#lrunzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#lrz # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#lrzcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#lrzip # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#lrztar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#lrzuntar # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) luminance-hdr lximage-qt lxmusic @@ -697,9 +697,9 @@ profanity psi psi-plus pybitmessage -# pycharm-community - FB note: may enable later -# pycharm-professional -# pzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#pycharm-community # FB note: may enable later +#pycharm-professional +#pzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) qbittorrent qcomicbook qemu-launcher 
@@ -787,7 +787,7 @@ spectral spotify sqlitebrowser ssh -# ssh-agent - problems on Arch with Fish shell (#1568) +#ssh-agent # problems on Arch with Fish shell (#1568) standardnotes-desktop start-tor-browser steam @@ -888,7 +888,7 @@ uget-gtk unbound unf unknown-horizons -# unzstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#unzstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) url-eater utox uudeview @@ -901,10 +901,10 @@ vivaldi-beta vivaldi-snapshot vivaldi-stable vlc -#vmplayer - unable to install kernel modules (see #5861) -#vmware - unable to install kernel modules (see #5861) -#vmware-player - unable to install kernel modules (see #5861) -#vmware-workstation - unable to install kernel modules (see #5861) +#vmplayer # unable to install kernel modules (see #5861) +#vmware # unable to install kernel modules (see #5861) +#vmware-player # unable to install kernel modules (see #5861) +#vmware-workstation # unable to install kernel modules (see #5861) vscodium vulturesclaw vultureseye 
@@ -979,10 +979,10 @@ zeal zim zlib-flate zoom -# zpaq - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# zstd - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# zstdcat - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# zstdgrep - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# zstdless - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) -# zstdmt - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#zpaq # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#zstd # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#zstdcat # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#zstdgrep # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#zstdless # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) +#zstdmt # disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095) zulip -- cgit v1.2.3-70-g09d2 From ac2bd3211d02587b5e5b61b1f2f931d1f9e2a0ed Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Sat, 5 Aug 2023 15:54:33 -0300 Subject: build: use ASCII sort on firecfg and check for duplicates Currently the CI check does not consider certain special characters (such as `-`) when sorting due to `sort -d`. So remove `-d`, sort firecfg using `LC_ALL=C` and enforce that order. Also add `sort -u` to check for duplicates. This also allows the CI check to ignore normal comments (lines starting with `# `) anywhere in the file. Relates to #4643. --- ci/check/profiles/sort-firecfg.config.sh | 5 ++++- src/firecfg/firecfg.config | 28 +++++++++++++++------------- 2 files changed, 19 insertions(+), 14 deletions(-) 
diff --git a/ci/check/profiles/sort-firecfg.config.sh b/ci/check/profiles/sort-firecfg.config.sh
index 17a595350..dbfbf24f5 100755
--- a/ci/check/profiles/sort-firecfg.config.sh
+++ b/ci/check/profiles/sort-firecfg.config.sh
@@ -1,2 +1,5 @@
 #!/bin/sh
-tail -n +4 "$1" | sed 's/^# /#/' | LC_ALL=C sort -c -d
+# See ../../../src/firecfg/firecfg.config
+
+sed -E -e '/^#$/d' -e '/^# /d' -e 's/^#([^ ])/\1/' "$1" |
+LC_ALL=C sort -c -u
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 2c1219010..968ba7bf5 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -1,6 +1,8 @@
 # /etc/firejail/firecfg.config - firecfg utility configuration file
 # This is the list of programs in alphabetical order handled by firecfg utility
 #
+# Note: Normal comment lines should start with `# ` and commented code lines
+# should start with just `#` (no spaces).
 0ad
 1password
 2048-qt
@@ -149,8 +151,8 @@ clamdscan
 clamdtop
 clamscan
 clamtk
-clawsker
 claws-mail
+clawsker
 clementine
 clion
 clion-eap
@@ -182,6 +184,7 @@ crow
 cryptocat
 cvlc
 cyberfox
+d-feet
 daisy
 darktable
 dconf-editor
@@ -192,7 +195,6 @@ deluge
 desktopeditors
 devhelp
 dex2jar
-d-feet
 dia
 dig
 digikam
@@ -271,8 +273,8 @@ flacsplt
 flameshot
 flashpeak-slimjet
 flowblade
-fontforge
 font-manager
+fontforge
 fossamail
 four-in-a-row
 fractal
@@ -384,12 +386,12 @@ gradio
 gramps
 gravity-beams-and-evaporating-stars
 gthumb
-gtk2-youtube-viewer
-gtk3-youtube-viewer
 gtk-lbry-viewer
 gtk-pipe-viewer
 gtk-straw-viewer
 gtk-youtube-viewer
+gtk2-youtube-viewer
+gtk3-youtube-viewer
 guayadeque
 gucharmap
 gummi
@@ -410,8 +412,8 @@ icecat
 icedove
 iceweasel
 idea
-ideaIC
 idea.sh
+ideaIC
 imagej
 img2txt
 impressive
@@ -559,7 +561,6 @@ mp3wrap
 mpDris2
 mpg123
 mpg123-alsa
-mpg123.bin
 mpg123-id3dump
 mpg123-jack
 mpg123-nas
@@ -568,6 +569,7 @@ mpg123-oss
 mpg123-portaudio
 mpg123-pulse
 mpg123-strip
+mpg123.bin
 mplayer
 mpsyt
 mpv
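Review bot: The duplicate check that `sort -c -u` adds only sees exact line matches, and the sed leaves trailing comments on commented-out entries (`#less # breaks man` becomes `less # breaks man`), so an active `less` entry added below it would not be reported as a duplicate. Stripping the trailing comment as well, `sed -E -e '/^#$/d' -e '/^# /d' -e 's/^#([^ ])/\1/' -e 's/ #.*//' "$1" |`, lets `-u` catch that case, and it cannot disturb the sort check because a name compares the same against any other name with or without ` #…` appended, the only exception being an exact duplicate, which is precisely what should be reported. Separately, when the script is run without an argument sed silently falls back to reading stdin, so a guard such as `: "${1:?path to firecfg.config required}"` after the shebang would fail loudly instead.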
@@ -636,11 +638,11 @@ onionshare-cli onionshare-gui ooffice ooviewdoc +open-invaders openarena openarena_ded opencity openclonk -open-invaders openmw openmw-launcher openoffice.org @@ -780,8 +782,8 @@ sniffnet snox soffice sol -soundconverter sound-juicer +soundconverter spectacle spectral spotify @@ -794,8 +796,8 @@ steam steam-native steam-runtime stellarium -strawberry straw-viewer +strawberry strings studio.sh subdownloader @@ -826,7 +828,6 @@ thunderbird-beta thunderbird-wayland tilp tor-browser -torbrowser tor-browser-ar tor-browser-ca tor-browser-cs @@ -848,7 +849,6 @@ tor-browser-it tor-browser-ja tor-browser-ka tor-browser-ko -torbrowser-launcher tor-browser-nb tor-browser-nl tor-browser-pl @@ -859,6 +859,8 @@ tor-browser-tr tor-browser-vi tor-browser-zh-cn tor-browser-zh-tw +torbrowser +torbrowser-launcher torcs totem tracker @@ -968,8 +970,8 @@ yelp youtube youtube-dl youtube-dl-gui -youtubemusic-nativefier youtube-viewer +youtubemusic-nativefier yt-dlp ytmdesktop zaproxy -- cgit v1.2.3-70-g09d2 From 3a088f1e6941bdf4cd89c140cd0fdd4070bbc5fe Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Thu, 10 Aug 2023 09:09:53 +0000 Subject: New profile: journal-viewer (#5943) --- etc/inc/disable-programs.inc | 2 + etc/profile-a-l/journal-viewer.profile | 68 ++++++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 1 + 3 files changed, 71 insertions(+) create mode 100644 etc/profile-a-l/journal-viewer.profile diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index 4dac9e3e4..38ab7221e 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -142,6 +142,7 @@ blacklist ${HOME}/.cache/inkscape blacklist ${HOME}/.cache/inox blacklist ${HOME}/.cache/io.github.lainsce.Notejot blacklist ${HOME}/.cache/iridium +blacklist ${HOME}/.cache/journal-viewer blacklist ${HOME}/.cache/kcmshell5 blacklist ${HOME}/.cache/kdenlive blacklist ${HOME}/.cache/keepassxc 
@@ -901,6 +902,7 @@ blacklist ${HOME}/.local/share/cdprojektred
 blacklist ${HOME}/.local/share/chatterino
 blacklist ${HOME}/.local/share/clipit
 blacklist ${HOME}/.local/share/com.github.johnfactotum.Foliate
+blacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
 blacklist ${HOME}/.local/share/contacts
 blacklist ${HOME}/.local/share/cor-games
 blacklist ${HOME}/.local/share/data/Mendeley Ltd.
diff --git a/etc/profile-a-l/journal-viewer.profile b/etc/profile-a-l/journal-viewer.profile
new file mode 100644
index 000000000..f73595fb1
--- /dev/null
+++ b/etc/profile-a-l/journal-viewer.profile
@@ -0,0 +1,68 @@
+# Firejail profile for journal-viewer
+# Description: Visualize systemd logs
+# This file is overwritten after every install/update
+# Persistent local customizations
+include journal-viewer.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.cache/journal-viewer
+noblacklist ${HOME}/.local/share/com.vmingueza.journal-viewer
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/journal-viewer
+mkdir ${HOME}/.local/share/com.vmingueza.journal-viewer
+whitelist ${HOME}/.cache/journal-viewer
+whitelist ${HOME}/.local/share/com.vmingueza.journal-viewer
+whitelist /run/log/journal
+whitelist /var/log/journal
+include whitelist-common.inc
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+seccomp.block-secondary
+tracelog
+
+disable-mnt
+private-bin journal-viewer
+private-cache
+private-dev
+private-etc machine-id
+private-lib webkit2gtk-*
+private-tmp
+
+dbus-user none
+dbus-system none
+
+restrict-namespaces
+read-only ${HOME}
+read-write ${HOME}/.cache/journal-viewer
+read-write ${HOME}/.local/share/com.vmingueza.journal-viewer
+writable-var-log
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 968ba7bf5..71c03a5e6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -432,6 +432,7 @@ jdownloader
 jerry
 jitsi
 jitsi-meet-desktop
+journal-viewer
 jumpnbump
 jumpnbump-menu
 k3b
-- 
cgit v1.2.3-70-g09d2
From f106c33e0c0c0def614820e79a305355ca85f346 Mon Sep 17 00:00:00 2001
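Review bot: `nogroups` drops the sandboxed process's supplementary groups, and read access to the system journal under the whitelisted `/var/log/journal` normally comes from membership in `systemd-journal` (or `adm`/`wheel`), so unless I misread firejail's group handling this profile will show the user's own journal only; if that is the intended scope a comment on the `nogroups` line should say so, otherwise it has to go, and either way it is worth testing that system entries are visible. `writable-var-log` also needs a why-comment, e.g. `writable-var-log # keep the real /var/log so the whitelisted journal directory stays visible`, because the directive name suggests write access a viewer does not need; pairing it with `read-only /var/log/journal` and `read-only /run/log/journal` would keep the exposure read-only (please confirm firejail applies read-only after the whitelist mounts). `private-etc machine-id` would likewise benefit from `# sd-journal locates the local journal directory by machine ID`, if that is indeed the reason it is the only entry.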
From: glitsj16
Date: Thu, 10 Aug 2023 09:11:29 +0000
Subject: New profile: clac (#5947)
* firecfg.config: add support for clac
* Create clac.profile
---
 etc/profile-a-l/clac.profile | 63 ++++++++++++++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 2 files changed, 64 insertions(+)
 create mode 100644 etc/profile-a-l/clac.profile
diff --git a/etc/profile-a-l/clac.profile b/etc/profile-a-l/clac.profile
new file mode 100644
index 000000000..b654b3890
--- /dev/null
+++ b/etc/profile-a-l/clac.profile
@@ -0,0 +1,63 @@
+# Firejail profile for clac
+# Description: Simple command-line calculator
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include clac.local
+# Persistent global definitions
+include globals.local
+
+blacklist ${RUNUSER}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-proc.inc
+include disable-programs.inc
+include disable-shell.inc
+#include disable-X11.inc - x11 none
+include disable-xdg.inc
+
+#include whitelist-common.inc - see #903
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+machine-id
+net none
+no3d
+nodvd
+nogroups
+noinput
+nonewprivs
+noprinters
+noroot
+nosound
+notv
+nou2f
+novideo
+# block socket syscall to simulate empty protocol option (see #639)
+seccomp socket
+seccomp.block-secondary
+tracelog
+x11 none
+
+disable-mnt
+private
+private-bin clac
+#private-cache
+private-dev
+private-etc
+private-tmp
+
+dbus-user none
+dbus-system none
+
+memory-deny-write-execute
+read-only ${HOME}
+restrict-namespaces
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 71c03a5e6..7db4480b6 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
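Review bot: The two commented-out includes in the new file use the `- reason` trailer style (`#include disable-X11.inc - x11 none`, `#include whitelist-common.inc - see #903`) that a later commit in this series rewrites to `#include … # see #903` across other profiles without touching clac.profile; writing them as `#include disable-X11.inc # x11 none` and `#include whitelist-common.inc # see #903` from the start avoids leaving this file as the odd one out. `#private-cache` is disabled with no reason recorded; if it is because `private` already replaces the whole home directory with an empty tmpfs, `#private-cache # redundant with private` would say so. `private-etc` with no file list would also read better with a comment stating that an empty /etc is intended, since the other new profile in this series (journal-viewer) gives an explicit list.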
@@ -147,6 +147,7 @@ chromium-freeworld
 cin
 cinelerra
 cinelerra-gg
+clac
 clamdscan
 clamdtop
 clamscan
-- 
cgit v1.2.3-70-g09d2
From f17d2172c16c41c86f7a7dcb550d791bc84ca09f Mon Sep 17 00:00:00 2001
From: leukimi <54280236+leukimi@users.noreply.github.com>
Date: Fri, 11 Aug 2023 05:36:10 +0200
Subject: 0ad.profile: fix libmozjs error on OpenSUSE Tumbleweed (#5944)
This fixes 0ad not opening on OpenSUSE Tumbleweed due to a "Permission denied" error when trying to open "libmozjs-78.so.0".
See this issue that describes it all: https://github.com/netblue30/firejail/issues/5938#issue-1833607321
---
 etc/profile-a-l/0ad.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/profile-a-l/0ad.profile b/etc/profile-a-l/0ad.profile
index 48a2afdf2..9ec2f2ad1 100644
--- a/etc/profile-a-l/0ad.profile
+++ b/etc/profile-a-l/0ad.profile
@@ -10,6 +10,9 @@ noblacklist ${HOME}/.cache/0ad
 noblacklist ${HOME}/.config/0ad
 noblacklist ${HOME}/.local/share/0ad
 
+# Allow gjs (blacklisted by disable-interpreters.inc)
+include allow-gjs.inc
+
 blacklist /usr/libexec
 
 include disable-common.inc
-- 
cgit v1.2.3-70-g09d2
From a3a41b8fff7763862b07db00b0357f20774687f5 Mon Sep 17 00:00:00 2001
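Review bot: The comment above the new `include allow-gjs.inc` in 0ad.profile says only that gjs is being allowed, while the commit message says the real need is loading `libmozjs-78.so.0`; recording that in place, `# Allow gjs (blacklisted by disable-interpreters.inc), needed for libmozjs on OpenSUSE (#5938)`, tells the next maintainer why a game profile re-enables a JavaScript interpreter. If allow-gjs.inc also re-enables the gjs executable rather than just the library paths (its contents are not visible here), a `noblacklist` of the libmozjs library alone would be the narrower fix. The placement ahead of the `include disable-*.inc` block is correct, since noblacklist entries must precede the blacklist includes they override.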
From: glitsj16 Date: Fri, 11 Aug 2023 03:54:39 +0000 Subject: profiles: improvements to profiles using private (#5946) Changes: * comment `include whitelist-common.inc` when using `private` * drop `private` on profiles that access files in `${HOME}` * use `#` in comments Relates to #903. --- etc/profile-a-l/daisy.profile | 3 +-- etc/profile-a-l/dbus-send.profile | 5 ++--- etc/profile-a-l/drill.profile | 2 +- etc/profile-a-l/gapplication.profile | 2 +- etc/profile-a-l/gnome-calendar.profile | 2 +- etc/profile-a-l/gnubik.profile | 2 +- etc/profile-a-l/gravity-beams-and-evaporating-stars.profile | 2 +- etc/profile-a-l/ipcalc.profile | 2 +- etc/profile-m-z/Xephyr.profile | 2 +- etc/profile-m-z/Xvfb.profile | 2 +- etc/profile-m-z/mirrormagic.profile | 1 - etc/profile-m-z/notify-send.profile | 2 +- etc/profile-m-z/ping.profile | 2 +- etc/profile-m-z/reader.profile | 2 +- etc/profile-m-z/seahorse-adventures.profile | 2 +- etc/profile-m-z/wordwarvi.profile | 1 - etc/profile-m-z/xbill.profile | 2 +- 17 files changed, 16 insertions(+), 20 deletions(-) diff --git a/etc/profile-a-l/daisy.profile b/etc/profile-a-l/daisy.profile index 4f1c80f23..40b29a1f5 100644 --- a/etc/profile-a-l/daisy.profile +++ b/etc/profile-a-l/daisy.profile @@ -15,7 +15,7 @@ include disable-interpreters.inc include disable-proc.inc include disable-programs.inc include disable-shell.inc -#include disable-X11.inc - x11 none +#include disable-X11.inc # x11 none include disable-xdg.inc include whitelist-common.inc @@ -47,7 +47,6 @@ tracelog x11 none disable-mnt -private private-bin daisy private-cache private-dev diff --git a/etc/profile-a-l/dbus-send.profile b/etc/profile-a-l/dbus-send.profile index 80790bb0c..70bd7370d 100644 --- a/etc/profile-a-l/dbus-send.profile +++ b/etc/profile-a-l/dbus-send.profile 
@@ -19,7 +19,7 @@ include disable-shell.inc include disable-write-mnt.inc include disable-xdg.inc -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc @@ -28,8 +28,7 @@ apparmor caps.drop all ipc-namespace machine-id -# Breaks abstract sockets -#net none +#net none # breaks abstract sockets netfilter no3d nodvd diff --git a/etc/profile-a-l/drill.profile b/etc/profile-a-l/drill.profile index bd6fb6dcc..bea114dd6 100644 --- a/etc/profile-a-l/drill.profile +++ b/etc/profile-a-l/drill.profile @@ -19,7 +19,7 @@ include disable-exec.inc include disable-programs.inc include disable-xdg.inc -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile index baf8f614e..2d0511cf6 100644 --- a/etc/profile-a-l/gapplication.profile +++ b/etc/profile-a-l/gapplication.profile @@ -17,7 +17,7 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/gnome-calendar.profile b/etc/profile-a-l/gnome-calendar.profile index ddfe57879..e6fe27774 100644 --- a/etc/profile-a-l/gnome-calendar.profile +++ b/etc/profile-a-l/gnome-calendar.profile @@ -15,7 +15,7 @@ include disable-shell.inc include disable-xdg.inc whitelist /usr/share/libgweather -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/gnubik.profile b/etc/profile-a-l/gnubik.profile index 025cb74b6..0c4ca35ac 100644 --- a/etc/profile-a-l/gnubik.profile 
+++ b/etc/profile-a-l/gnubik.profile @@ -15,7 +15,7 @@ include disable-shell.inc include disable-xdg.inc whitelist /usr/share/gnubik -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile index 19af7c0b9..5ccce8447 100644 --- a/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile +++ b/etc/profile-a-l/gravity-beams-and-evaporating-stars.profile @@ -15,7 +15,7 @@ include disable-shell.inc include disable-xdg.inc whitelist /usr/share/gravity-beams-and-evaporating-stars -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-a-l/ipcalc.profile b/etc/profile-a-l/ipcalc.profile index 7eabbca84..e73ca44a8 100644 --- a/etc/profile-a-l/ipcalc.profile +++ b/etc/profile-a-l/ipcalc.profile @@ -18,7 +18,7 @@ include disable-programs.inc include disable-write-mnt.inc include disable-xdg.inc -# include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/Xephyr.profile b/etc/profile-m-z/Xephyr.profile index 2fc1d1b8a..0c3d4c1da 100644 --- a/etc/profile-m-z/Xephyr.profile +++ b/etc/profile-m-z/Xephyr.profile @@ -16,7 +16,7 @@ include globals.local # whitelist /var/lib/xkb -include whitelist-common.inc +#include whitelist-common.inc # see #903 caps.drop all # Xephyr needs to be allowed access to the abstract Unix socket namespace. diff --git a/etc/profile-m-z/Xvfb.profile b/etc/profile-m-z/Xvfb.profile index ee19fa3b0..2bb9f171a 100644 --- a/etc/profile-m-z/Xvfb.profile +++ b/etc/profile-m-z/Xvfb.profile 
@@ -19,7 +19,7 @@ include globals.local # whitelist /var/lib/xkb -include whitelist-common.inc +#include whitelist-common.inc # see #903 caps.drop all # Xvfb needs to be allowed access to the abstract Unix socket namespace. diff --git a/etc/profile-m-z/mirrormagic.profile b/etc/profile-m-z/mirrormagic.profile index 4943a80af..a8c6e3533 100644 --- a/etc/profile-m-z/mirrormagic.profile +++ b/etc/profile-m-z/mirrormagic.profile @@ -39,7 +39,6 @@ seccomp tracelog disable-mnt -private private-bin mirrormagic private-cache private-dev diff --git a/etc/profile-m-z/notify-send.profile b/etc/profile-m-z/notify-send.profile index f0f2cca2e..5ec81c2ac 100644 --- a/etc/profile-m-z/notify-send.profile +++ b/etc/profile-m-z/notify-send.profile @@ -18,7 +18,7 @@ include disable-shell.inc include disable-write-mnt.inc include disable-xdg.inc -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-runuser-common.inc include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/ping.profile b/etc/profile-m-z/ping.profile index 4520ac2fa..d563064e1 100644 --- a/etc/profile-m-z/ping.profile +++ b/etc/profile-m-z/ping.profile @@ -18,7 +18,7 @@ include disable-programs.inc include disable-X11.inc include disable-xdg.inc -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc diff --git a/etc/profile-m-z/reader.profile b/etc/profile-m-z/reader.profile index 050c46d53..31c45fe84 100644 --- a/etc/profile-m-z/reader.profile +++ b/etc/profile-m-z/reader.profile @@ -17,7 +17,7 @@ include disable-programs.inc include disable-shell.inc include disable-xdg.inc -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-run-common.inc include whitelist-runuser-common.inc include whitelist-usr-share-common.inc 
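Review bot: Dropping `private` from mirrormagic (and from wordwarvi in the next hunk) means the sandbox sees the user's real home unless the profile also whitelists it, and whether `include whitelist-common.inc` is present in those two files is outside both hunks; daisy's hunk, where `private` is dropped too, shows it is kept there. It would be worth confirming the same for these two and noting in the commit message which home paths the games actually need, since it only says they "access files in ${HOME}". The surrounding `disable-mnt`, `private-bin` and `private-dev` lines stay, so the widening is limited to home.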
diff --git a/etc/profile-m-z/seahorse-adventures.profile b/etc/profile-m-z/seahorse-adventures.profile index 5985e0da3..49d98d9f5 100644 --- a/etc/profile-m-z/seahorse-adventures.profile +++ b/etc/profile-m-z/seahorse-adventures.profile @@ -23,7 +23,7 @@ include disable-xdg.inc whitelist /usr/share/seahorse-adventures whitelist /usr/share/games/seahorse-adventures -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-usr-share-common.inc include whitelist-var-common.inc diff --git a/etc/profile-m-z/wordwarvi.profile b/etc/profile-m-z/wordwarvi.profile index 310e8b470..970063f93 100644 --- a/etc/profile-m-z/wordwarvi.profile +++ b/etc/profile-m-z/wordwarvi.profile @@ -40,7 +40,6 @@ seccomp tracelog disable-mnt -private private-bin wordwarvi private-cache private-dev diff --git a/etc/profile-m-z/xbill.profile b/etc/profile-m-z/xbill.profile index e85bb9f18..46e3e81bc 100644 --- a/etc/profile-m-z/xbill.profile +++ b/etc/profile-m-z/xbill.profile @@ -16,7 +16,7 @@ include disable-xdg.inc whitelist /usr/share/xbill whitelist /var/games/xbill/scores -include whitelist-common.inc +#include whitelist-common.inc # see #903 include whitelist-usr-share-common.inc include whitelist-var-common.inc -- cgit v1.2.3-70-g09d2