From 2064c3c871bba96cc71abf20dfbf9cab66b3f42c Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 24 Mar 2018 12:25:14 +0000
Subject: Create gnome-recipes.profile This needs an additional change in `disable-programs.inc` to blacklist ${HOME}/.local/share/gnome-recipes. Note: `private-lib` seems to be a WIP, especially for GNOMA apps. Hence I left it out here, although it works for me. Will come back to that issue later.
---
etc/gnome-recipes.profile | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 etc/gnome-recipes.profile
diff --git a/etc/gnome-recipes.profile b/etc/gnome-recipes.profile
new file mode 100644
index 000000000..a546a60d2
--- /dev/null
+++ b/etc/gnome-recipes.profile
@@ -0,0 +1,43 @@
+# Firejail profile for gnome-recipes
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/gnome-recipes.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+mkdir ${HOME}/.cache/gnome-recipes
+whitelist ${HOME}/.cache/gnome-recipes
+
+noblacklist ${HOME}/.local/share/gnome-recipes
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+include /etc/firejail/whitelist-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin gnome-recipes,tar
+private-dev
+private-etc ca-certificates,fonts,ssl
+# private-lib works for me with Gnome Shell 3.26.2, Mutter WM (Arch Linux)
+# not widely tested though, leaving it to devs discretion to enable it later
+#private-lib gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libgnutls.so.30,libjpeg.so.8,libp11-kit.so.0,libproxy.so.1,librsvg-2.so.2
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-54-g00ecf
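Review bot: `noblacklist ${HOME}/.local/share/gnome-recipes` has no matching `whitelist`, so the application's data directory is probably not reachable inside the sandbox. The profile whitelists `${HOME}/.cache/gnome-recipes` and includes `whitelist-common.inc`, and firejail presents a whitelist-only view of the home directory once any path under it is whitelisted; anything written to `.local/share/gnome-recipes` would then land on the temporary filesystem and be discarded when the sandbox exits. Next to the existing cache lines I would add `mkdir ${HOME}/.local/share/gnome-recipes` and `whitelist ${HOME}/.local/share/gnome-recipes`. Separately, the follow-up patch blacklists only `.local/share/gnome-recipes` in `disable-programs.inc`; `${HOME}/.cache/gnome-recipes` may deserve the same entry (with a matching `noblacklist` in this profile) so other sandboxed programs cannot read it.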
From e203d6353a5566e7a2ccdae25309c636b1fb76a0 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 24 Mar 2018 12:27:47 +0000
Subject: gnome-recipes profile
---
etc/disable-programs.inc | 1 +
1 file changed, 1 insertion(+)
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 0d542c6d8..30ab75d03 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -369,6 +369,7 @@ blacklist ${HOME}/.local/share/gnome-2048
 blacklist ${HOME}/.local/share/gnome-chess
 blacklist ${HOME}/.local/share/gnome-music
 blacklist ${HOME}/.local/share/gnome-photos
+blacklist ${HOME}/.local/share/gnome-recipes
 blacklist ${HOME}/.local/share/gnome-ring
 blacklist ${HOME}/.local/share/gnome-twitch
 blacklist ${HOME}/.local/share/gwenview
-- 
cgit v1.2.3-54-g00ecf