From a3307a905ce69baa44f63079fbac78a0967eeb4c Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Tue, 9 Apr 2019 16:38:47 +0200 Subject: Add cheese.profile --- README | 4 ++-- README.md | 2 +- RELNOTES | 2 +- etc/Cheese.profile | 7 +++++++ etc/cheese.profile | 43 +++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 etc/Cheese.profile create mode 100644 etc/cheese.profile diff --git a/README b/README index d41ae967a..6bb17d4f3 100644 --- a/README +++ b/README @@ -545,12 +545,12 @@ rusty-snake (https://github.com/rusty-snake) - added profiles: kid3-qt, kid3-cli, anki - fixed profiles: kdenlive, bibletime, rhythmbox, gajim, seahorse - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool - - fixed profiles: gnome-logs + - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany + - fixed profiles: vim, emacs, pycharm-community, gedit - hardened profiles: disable-common.inc, disable-programs.inc - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox - hardened profiles: gnome-clocks, meld, minetest, youtube-dl - gnome-mpv was renamed to celluloid - - updates for ~/.cargo and ~/.python-history Salvo 'LtWorf' Tomaselli (https://github.com/ltworf) - fixed ktorrent profile sarneaud (https://github.com/sarneaud) diff --git a/README.md b/README.md index 429f3362c..8509bf44d 100644 --- a/README.md +++ b/README.md 
@@ -102,4 +102,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe ## Current development version: 0.9.59 ## New profiles: -anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer +anki, assogiate, autokey-gtk, autokey-qt, autokey-run, autokey-shell, bzflag, celluoid, code-oss, crawl, crawl-tiles, crow, d-feet, dconf, dconf-editor, devhelp, exfalso, font-manager, freeciv, freecol, freemind, gconf-editor, geekbench, gnome-keyring, gnome-nettool, gnome-system-log, gsettings, kid3, kid3-cli, kid3-qt, klavaro, lincity-ng, lugaru, Maelstrom, manaplus, megaglest, mpdris2, mypaint, nano, netactview, nomacs, nyx, opencity, openclonk, openttd, ostrichriders, pavucontrol, pioneer, pragha, redshift, regextester, seahorse, seahorse-tool, scorched3d, secret-tool, simplescreenrecorder, slashem, subdownloader, sysprof, sysprof-cli, teeworlds, torcs, tremulous, transgui, vulturesclaw, vultureseye, warsow, widelands, xfce4-mixer, cheese diff --git a/RELNOTES b/RELNOTES index a3cf6bea0..2238ee57d 100644 --- a/RELNOTES +++ b/RELNOTES 
@@ -11,7 +11,7 @@ firejail (0.9.59) baseline; urgency=low * new profiles: teeworlds, torcs, tremulous, warsow, lugaru, manaplus * new profiles: pioneer, scorched3d, widelands, freemind, kid3, kid3-qt * new profiles: kid3-cli, nomacs, freecol, opencity, openclonk, slashem - * new profiles: vultureseye, vulturesclaw, anki + * new profiles: vultureseye, vulturesclaw, anki, cheese * new profiles: autokey-gtk, autokey-qt, autokey-run, autokey-shell * memory-deny-write-execute now also blocks memfd_create * drop support for flatpak/snap packages diff --git a/etc/Cheese.profile b/etc/Cheese.profile new file mode 100644 index 000000000..4bfce53a9 --- /dev/null +++ b/etc/Cheese.profile @@ -0,0 +1,7 @@ +# Firejail profile for cheese +# This file is overwritten after every install/update + + +# Temporary fix for https://github.com/netblue30/firejail/issues/2624 +# Redirect +include cheese.profile diff --git a/etc/cheese.profile b/etc/cheese.profile new file mode 100644 index 000000000..b6cb0c9ce --- /dev/null +++ b/etc/cheese.profile @@ -0,0 +1,43 @@ +# Firejail profile for cheese +# Description: taking pictures and movies from a webcam +# This file is overwritten after every install/update +# Persistent local customizations +include cheese.local +# Persistent global definitions +include globals.local + +noblacklist ${VIDEOS} + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +whitelist ${VIDEOS} +include whitelist-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +machine-id +net none +nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +protocol unix +seccomp +shell none +tracelog + +disable-mnt +private-bin cheese +private-cache +private-etc alternatives,fonts,drirc,clutter-1.0,gtk-3.0,dconf +private-tmp -- cgit v1.2.3-54-g00ecf 
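Review bot: cheese.profile whitelists only `${VIDEOS}` while still photos are, as far as I know, written under `${PICTURES}` (a Webcam subdirectory by default — worth confirming against the installed Cheese version); with whitelist-common.inc in effect that directory is hidden, so taking a picture would fail to save. Adding `noblacklist ${PICTURES}` next to the existing `noblacklist ${VIDEOS}` and `whitelist ${PICTURES}` next to `whitelist ${VIDEOS}` would cover both capture paths while keeping the rest of home hidden. The redirect in Cheese.profile is fine as a stopgap, but its comment could say which desktop-file name triggers it so the redirect can be removed once issue 2624 is resolved.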
From 65eac73723cf4b137160249242b24e7ed93230e0 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Sat, 13 Apr 2019 13:46:54 +0200 Subject: Add to firecfg --- README | 2 +- src/firecfg/firecfg.config | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README b/README index a06ffe535..08b5180d2 100644 --- a/README +++ b/README @@ -549,7 +549,7 @@ rusty-snake (https://github.com/rusty-snake) - fixed profiles: libreoffice, gnome-maps, wget, seahorse-tool - fixed profiles: gnome-logs, atom, brackets, gnome-builder, geany - fixed profiles: vim, emacs, pycharm-community, gedit, klavaro - - fixed profiles: default + - fixed profiles: default - hardened profiles: disable-common.inc, disable-programs.inc - hardened profiles: gajim, evince, ffmpeg, feh-network.inc, qtox - hardened profiles: gnome-clocks, meld, minetest, youtube-dl diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 7aec0f82a..097d03235 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -5,6 +5,7 @@ 0ad 2048-qt Builder +Cheese Cryptocat Cyberfox Discord @@ -93,6 +94,7 @@ calligrawords catfish celluloid checkbashisms +cheese cherrytree chromium chromium-browser -- cgit v1.2.3-54-g00ecf From ab78a250dbf889898427f46f52260425ccc8eda5 Mon Sep 17 00:00:00 2001 From: Tad Date: Sat, 13 Apr 2019 10:27:47 -0400 Subject: Add a conditional to control DRM/noexec exception for browsers --- etc/chromium-common.profile | 2 +- etc/firefox-common.profile | 2 +- etc/firejail.config | 9 ++++++--- etc/midori.profile | 2 +- etc/min.profile | 2 +- src/firejail/checkcfg.c | 1 + src/firejail/firejail.h | 1 + src/firejail/profile.c | 5 +++++ src/man/firejail-profile.txt | 2 +- 9 files changed, 18 insertions(+), 8 deletions(-) diff --git a/etc/chromium-common.profile b/etc/chromium-common.profile index 3c7423316..63983d93b 100644 --- a/etc/chromium-common.profile +++ b/etc/chromium-common.profile 
@@ -7,7 +7,7 @@ include chromium-common.local #include globals.local # noexec ${HOME} breaks DRM binaries. -ignore noexec ${HOME} +?BROWSER_ALLOW_DRM: ignore noexec ${HOME} noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki diff --git a/etc/firefox-common.profile b/etc/firefox-common.profile index a2a34f33f..080d9e81a 100644 --- a/etc/firefox-common.profile +++ b/etc/firefox-common.profile @@ -7,7 +7,7 @@ include firefox-common.local #include globals.local # noexec ${HOME} breaks DRM binaries. -ignore noexec ${HOME} +?BROWSER_ALLOW_DRM: ignore noexec ${HOME} # Uncomment the following line to allow access to common programs/addons/plugins. #include firefox-common-addons.inc diff --git a/etc/firejail.config b/etc/firejail.config index b37edf7a5..497d9633e 100644 --- a/etc/firejail.config +++ b/etc/firejail.config @@ -5,9 +5,6 @@ # Enable AppArmor functionality, default enabled. # apparmor yes -# Disable U2F in browsers, default enabled. -# browser-disable-u2f yes - # Number of ARP probes sent when assigning an IP address for --net option, # default 2. This is a partial implementation of RFC 5227. A 0.5 seconds # timeout is implemented for each probe. Increase this number to 4 if your @@ -18,6 +15,12 @@ # Enable or disable bind support, default enabled. # bind yes +# Allow (DRM) execution in browsers, default disabled. +# browser-allow-drm no + +# Disable U2F in browsers, default enabled. +# browser-disable-u2f yes + # Enable or disable cgroup support, default enabled. # cgroup yes diff --git a/etc/midori.profile b/etc/midori.profile index d59a6a16b..e4d39cd70 100644 --- a/etc/midori.profile +++ b/etc/midori.profile @@ -14,7 +14,7 @@ noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki # noexec ${HOME} breaks DRM binaries. -ignore noexec ${HOME} +?BROWSER_ALLOW_DRM: ignore noexec ${HOME} include disable-common.inc include disable-devel.inc diff --git a/etc/min.profile b/etc/min.profile index eec81677d..c89df0a95 100644 --- a/etc/min.profile 
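Review bot: The comment `# noexec ${HOME} breaks DRM binaries.` above the new `?BROWSER_ALLOW_DRM: ignore noexec ${HOME}` line no longer tells the reader where the switch lives or what the default is, and the same applies to the firefox-common.profile, midori.profile and min.profile hunks. Suggested wording: `# noexec ${HOME} breaks DRM binaries; keep ${HOME} executable with "browser-allow-drm yes" in firejail.config (default: no)`. With the documented default the browsers now get `noexec ${HOME}`, so the profile comment is the only place a user will learn why DRM playback stopped working.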
+++ b/etc/min.profile @@ -12,7 +12,7 @@ noblacklist ${HOME}/.pki noblacklist ${HOME}/.local/share/pki # noexec ${HOME} breaks DRM binaries. -ignore noexec ${HOME} +?BROWSER_ALLOW_DRM: ignore noexec ${HOME} include disable-common.inc include disable-devel.inc diff --git a/src/firejail/checkcfg.c b/src/firejail/checkcfg.c index 54f6ea023..7ca72bf30 100644 --- a/src/firejail/checkcfg.c +++ b/src/firejail/checkcfg.c @@ -111,6 +111,7 @@ int checkcfg(int val) { PARSE_YESNO(CFG_DISABLE_MNT, "disable-mnt") PARSE_YESNO(CFG_XPRA_ATTACH, "xpra-attach") PARSE_YESNO(CFG_BROWSER_DISABLE_U2F, "browser-disable-u2f") + PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm") #undef PARSE_YESNO // netfilter diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index b2c18d79f..2e04084e3 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -702,6 +702,7 @@ enum { CFG_ARP_PROBES, CFG_XPRA_ATTACH, CFG_BROWSER_DISABLE_U2F, + CFG_BROWSER_ALLOW_DRM, CFG_PRIVATE_LIB, CFG_APPARMOR, CFG_DBUS, diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 667b03652..c8619f7e2 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c @@ -151,10 +151,15 @@ static int check_disable_u2f(void) { return checkcfg(CFG_BROWSER_DISABLE_U2F) != 0; } +static int check_allow_drm(void) { + return checkcfg(CFG_BROWSER_ALLOW_DRM) != 0; +} + Cond conditionals[] = { {"HAS_APPIMAGE", check_appimage}, {"HAS_NODBUS", check_nodbus}, {"BROWSER_DISABLE_U2F", check_disable_u2f}, + {"BROWSER_ALLOW_DRM", check_allow_drm}, { NULL, NULL } }; diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index dde815d05..20b547355 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt 
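Review bot: The checkcfg.c hunk adds `PARSE_YESNO(CFG_BROWSER_ALLOW_DRM, "browser-allow-drm")` but nothing that sets the option's default, and the initialisation block of checkcfg() is outside this hunk. firejail.config in this commit documents the default as disabled (`# browser-allow-drm no`), and check_allow_drm() in the profile.c hunk simply returns `checkcfg(CFG_BROWSER_ALLOW_DRM) != 0`; if the initialisation follows the pattern the existing opt-in knobs suggest (values enabled unless explicitly zeroed), then on every system whose firejail.config leaves the line commented out the conditional would be true and all four browser profiles would keep `ignore noexec ${HOME}`, the opposite of the documented default. Please verify that block and, if needed, add an explicit zero default alongside the other disabled-by-default entries, e.g. `cfg_val[CFG_BROWSER_ALLOW_DRM] = 0; // disabled by default` (array name assumed from the existing defaults). A one-line comment on the new enum member in firejail.h noting "default off, see firejail.config" would also help keep the two in sync.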
@@ -94,7 +94,7 @@ Example: "?HAS_APPIMAGE: whitelist ${HOME}/special/appimage/dir" This example will load the whitelist profile line only if the \-\-appimage option has been specified on the command line. -Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS and BROWSER_DISABLE_U2F. +Currently the only conditionals supported are HAS_APPIMAGE, HAS_NODBUS, BROWSER_DISABLE_U2F, and BROWSER_ALLOW_DRM. The profile line may be any profile line that you would normally use in a profile \fBexcept\fR for "quiet" and "include" lines. -- cgit v1.2.3-54-g00ecf From 9c5619151dfa899ba7f4a912aa92036099d712c1 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Tue, 16 Apr 2019 02:09:53 +0000 Subject: Follow upstream changes in authenticator.profile (#2654) * Add authenticator cache to disable-programs.inc * Update authenticator.profile Follow upstream changes in authenticator.profile --- etc/authenticator.profile | 10 +++++----- etc/disable-programs.inc | 1 + 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/etc/authenticator.profile b/etc/authenticator.profile index f989ab1ba..5f1c64682 100644 --- a/etc/authenticator.profile +++ b/etc/authenticator.profile @@ -6,6 +6,7 @@ include authenticator.local # Persistent global definitions include globals.local +noblacklist ${HOME}/.cache/Authenticator noblacklist ${HOME}/.config/Authenticator # Allow python (blacklisted by disable-interpreters.inc) @@ -25,7 +26,7 @@ include disable-programs.inc # apparmor caps.drop all -net none +netfilter no3d # nodbus - makes settings immutable nodvd @@ -36,15 +37,14 @@ nosound notv nou2f # novideo -protocol unix +protocol unix,inet,inet6 seccomp shell none disable-mnt -# private-bin authenticator -private-cache +# private-bin authenticator,python* private-dev -private-etc alternatives,fonts,ld.so.cache +private-etc alternatives,ca-certificates,fonts,ld.so.cache,ssl private-tmp # memory-deny-write-execute - breaks on Arch 
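Review bot: The authenticator.profile hunk replaces `net none` with `netfilter` and widens `protocol` to `unix,inet,inet6`, but nothing in the profile records which upstream feature now needs the network, so a later reviewer has no basis for tightening it again. A short comment above the new line, e.g. `# netfilter - required by upstream Authenticator for <feature, fill in>`, would capture that; the added `ca-certificates` and `ssl` entries in private-etc suggest TLS is involved, but the reason itself is not visible here. Dropping `private-cache` is consistent with the new `noblacklist ${HOME}/.cache/Authenticator` (a tmpfs on ~/.cache would hide it), which is also worth a one-line note so the removal is not read as an oversight.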
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 96fd80daf..41c6eb53e 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -625,6 +625,7 @@ blacklist /tmp/ssh-* # ${HOME}/.cache directory blacklist ${HOME}/.cache/0ad blacklist ${HOME}/.cache/8pecxstudios +blacklist ${HOME}/.cache/Authenticator blacklist ${HOME}/.cache/Clementine blacklist ${HOME}/.cache/Enox blacklist ${HOME}/.cache/Franz -- cgit v1.2.3-54-g00ecf From f21561f89f3c5acf30510433e97398f97e8ce72b Mon Sep 17 00:00:00 2001 From: Senemu <10880819+Senemu@users.noreply.github.com> Date: Wed, 17 Apr 2019 04:41:23 +0000 Subject: Fix PostScript files opening in Evince (#2656) --- etc/evince.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/evince.profile b/etc/evince.profile index b1f984784..1a429d673 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -43,7 +43,7 @@ private-bin evince,evince-previewer,evince-thumbnailer private-cache private-dev private-etc alternatives,fonts,group,machine-id,passwd -private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,gconv +private-lib evince,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*,gconv private-tmp # memory-deny-write-execute - might break application (https://github.com/netblue30/firejail/issues/1803) -- cgit v1.2.3-54-g00ecf From 11edb11c0d1620f753d43b1676077793a169b2d1 Mon Sep 17 00:00:00 2001 
From: curiosity-seeker Date: Wed, 17 Apr 2019 07:00:13 +0000 Subject: Profiles for gramps, newsboat and freeoffice (#2652) * Update firecfg.config * Create gramps.profile * Update disable-programs.inc * Create newsboat.profile * Update disable-programs.inc * Update firecfg.config * Create freeoffice-planmaker * Create freeoffice-textmaker * Create freeoffice-presentations * Update disable-programs.inc * Update firecfg.config * Update newsboat.profile * Update newsboat.profile * Update gramps.profile * Update freeoffice-textmaker * Update freeoffice-planmaker * Update freeoffice-presentations * Update freeoffice-planmaker * Update freeoffice-presentations * Update freeoffice-textmaker * Rename freeoffice-planmaker to freeoffice-planmaker.profile * Rename freeoffice-presentations to freeoffice-presentations.profile * Rename freeoffice-textmaker to freeoffice-textmaker.profile * Update gramps.profile * Update freeoffice-planmaker.profile * Update freeoffice-presentations.profile * Update freeoffice-textmaker.profile * Update freeoffice-textmaker.profile * Update freeoffice-presentations.profile * Update newsboat.profile * Update gramps.profile * Update freeoffice-planmaker.profile * Update freeoffice-presentations.profile * Update freeoffice-textmaker.profile --- etc/disable-programs.inc | 3 ++ etc/freeoffice-planmaker.profile | 40 ++++++++++++++++++++++++++ etc/freeoffice-presentations.profile | 40 ++++++++++++++++++++++++++ etc/freeoffice-textmaker.profile | 40 ++++++++++++++++++++++++++ etc/gramps.profile | 55 ++++++++++++++++++++++++++++++++++++ etc/newsboat.profile | 48 +++++++++++++++++++++++++++++++ src/firecfg/firecfg.config | 5 ++++ 7 files changed, 231 insertions(+) create mode 100644 etc/freeoffice-planmaker.profile create mode 100644 etc/freeoffice-presentations.profile create mode 100644 etc/freeoffice-textmaker.profile create mode 100644 etc/gramps.profile create mode 100644 etc/newsboat.profile 
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc index 41c6eb53e..7e12b97b2 100644 --- a/etc/disable-programs.inc +++ b/etc/disable-programs.inc @@ -5,6 +5,7 @@ include disable-programs.local blacklist ${HOME}/Arduino blacklist ${HOME}/Monero/wallets blacklist ${HOME}/Nextcloud/Notes +blacklist ${HOME}/SoftMaker blacklist ${HOME}/Standard Notes Backups blacklist ${HOME}/wallet.dat blacklist ${HOME}/.*coin @@ -339,6 +340,7 @@ blacklist ${HOME}/.googleearth/Temp/ blacklist ${HOME}/.googleearth/myplaces.backup.kml blacklist ${HOME}/.googleearth/myplaces.kml blacklist ${HOME}/.gradle +blacklist ${HOME}/.gramps blacklist ${HOME}/.guayadeque blacklist ${HOME}/.hashcat blacklist ${HOME}/.hedgewars @@ -549,6 +551,7 @@ blacklist ${HOME}/.multimc5 blacklist ${HOME}/.nanorc blacklist ${HOME}/.netactview blacklist ${HOME}/.neverball +blacklist ${HOME}/.newsboat blacklist ${HOME}/.nv blacklist ${HOME}/.nylas-mail blacklist ${HOME}/.opencity diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile new file mode 100644 index 000000000..e00acb278 --- /dev/null +++ b/etc/freeoffice-planmaker.profile @@ -0,0 +1,40 @@ +# Firejail profile for freeoffice-planmaker +# This file is overwritten after every install/update +# Persistent local customizations +include freeoffice-planmaker.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/SoftMaker + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +# include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-cache +private-dev +private-tmp + + diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile new file mode 100644 index 000000000..c71418cce 
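Review bot: freeoffice-planmaker.profile has no `# Description:` line, unlike cheese, gramps and newsboat added in this same series; `# Description: Spreadsheet editor of the SoftMaker FreeOffice suite` after the first line would match them, and the freeoffice-presentations and freeoffice-textmaker hunks need the equivalent. The commented `# include disable-xdg.inc` is left without a reason; a trailing note such as `# include disable-xdg.inc - commented to keep ${DOCUMENTS} reachable` (presumably the motivation for an office suite — confirm) would stop someone re-enabling it. The three profiles are otherwise byte-identical apart from the name, so a shared freeoffice-common.profile included by all three would keep later hardening changes in one place.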
--- /dev/null +++ b/etc/freeoffice-presentations.profile @@ -0,0 +1,40 @@ +# Firejail profile for freeoffice-presentations +# This file is overwritten after every install/update +# Persistent local customizations +include freeoffice-presentations.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/SoftMaker + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +# include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-cache +private-dev +private-tmp + + diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile new file mode 100644 index 000000000..0965cc70e --- /dev/null +++ b/etc/freeoffice-textmaker.profile @@ -0,0 +1,40 @@ +# Firejail profile for freeoffice-textmaker +# This file is overwritten after every install/update +# Persistent local customizations +include freeoffice-textmaker.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/SoftMaker + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +# include disable-xdg.inc + +apparmor +caps.drop all +ipc-namespace +net none +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none +tracelog + +private-cache +private-dev +private-tmp + + diff --git a/etc/gramps.profile b/etc/gramps.profile new file mode 100644 index 000000000..46337d269 --- /dev/null +++ b/etc/gramps.profile 
@@ -0,0 +1,55 @@ +# Firejail profile for gramps +# Description: genealogy program +# This file is overwritten after every install/update +# Persistent local customizations +include gramps.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.gramps + +# Allow python (blacklisted by disable-interpreters.inc) +#noblacklist ${PATH}/python2* +noblacklist ${PATH}/python3* +#noblacklist /usr/lib/python2* +noblacklist /usr/lib/python3* +#noblacklist /usr/local/lib/python2* +noblacklist /usr/local/lib/python3* + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.gramps +whitelist ${HOME}/.gramps +include whitelist-common.inc +include whitelist-var-common.inc + +apparmor +caps.drop all +ipc-namespace +netfilter +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +nosound +notv +nou2f +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-cache +private-dev +private-tmp + + diff --git a/etc/newsboat.profile b/etc/newsboat.profile new file mode 100644 index 000000000..0fed5bd06 --- /dev/null +++ b/etc/newsboat.profile 
@@ -0,0 +1,48 @@ +# Firejail profile for Newsboat +# Description: RSS program +# This file is overwritten after every install/update +# Persistent local customizations +include newsboat.local +# Persistent global definitions +include globals.local + +noblacklist ${HOME}/.newsboat + +include disable-common.inc +include disable-devel.inc +include disable-exec.inc +include disable-interpreters.inc +include disable-passwdmgr.inc +include disable-programs.inc +include disable-xdg.inc + +mkdir ${HOME}/.newsboat +whitelist ${HOME}/.newsboat +include whitelist-common.inc +include whitelist-var-common.inc + +caps.drop all +ipc-namespace +netfilter +no3d +nodbus +nodvd +nogroups +nonewprivs +noroot +notv +nou2f +novideo +protocol inet,inet6 +seccomp +shell none + +disable-mnt +private-bin newsboat +private-cache +private-dev +private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,terminfo +private-tmp + +memory-deny-write-execute + diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 41b75ee81..44e8dc571 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -198,6 +198,9 @@ freeciv-gtk3 freeciv-mp-gtk3 freecol freemind +freeoffice-planmaker +freeoffice-presentations +freeoffice-textmaker freshclam frozen-bubble gajim @@ -254,6 +257,7 @@ gpa gpicview gpredict gradio +gramps gthumb guayadeque gucharmap @@ -385,6 +389,7 @@ netactview nethack netsurf neverball +newsboat nheko nitroshare nitroshare-cli -- cgit v1.2.3-54-g00ecf From a0b8f809c8b6fdcd95df0c61457fa8631ffab85f Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Wed, 17 Apr 2019 09:04:55 +0200 Subject: remove blank lines at end of file --- etc/freeoffice-planmaker.profile | 2 -- etc/freeoffice-presentations.profile | 2 -- etc/freeoffice-textmaker.profile | 2 -- etc/gramps.profile | 2 -- etc/newsboat.profile | 1 - 5 files changed, 9 deletions(-) diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile index e00acb278..c69c5cf55 100644 
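Review bot: newsboat.profile omits `apparmor` while the other new profiles in this series (freeoffice-*, gramps) enable it; if that is deliberate it deserves a comment, otherwise `apparmor` should be added above `caps.drop all`. `private-bin newsboat` also means the external browser and pager that newsboat invokes from its configuration cannot be started inside the sandbox; if that is accepted, a comment like `# private-bin newsboat - add the browser/pager configured in ~/.newsboat/config if links should open` would make it explicit. Newer newsboat releases also honour XDG locations (~/.config/newsboat and ~/.local/share/newsboat) when they exist — worth verifying, since only `${HOME}/.newsboat` is whitelisted here.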
--- a/etc/freeoffice-planmaker.profile +++ b/etc/freeoffice-planmaker.profile @@ -36,5 +36,3 @@ tracelog private-cache private-dev private-tmp - - diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile index c71418cce..f8004c4f4 100644 --- a/etc/freeoffice-presentations.profile +++ b/etc/freeoffice-presentations.profile @@ -36,5 +36,3 @@ tracelog private-cache private-dev private-tmp - - diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile index 0965cc70e..144a29900 100644 --- a/etc/freeoffice-textmaker.profile +++ b/etc/freeoffice-textmaker.profile @@ -36,5 +36,3 @@ tracelog private-cache private-dev private-tmp - - diff --git a/etc/gramps.profile b/etc/gramps.profile index 46337d269..764c14b60 100644 --- a/etc/gramps.profile +++ b/etc/gramps.profile @@ -51,5 +51,3 @@ disable-mnt private-cache private-dev private-tmp - - diff --git a/etc/newsboat.profile b/etc/newsboat.profile index 0fed5bd06..e063abe53 100644 --- a/etc/newsboat.profile +++ b/etc/newsboat.profile @@ -45,4 +45,3 @@ private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,ter private-tmp memory-deny-write-execute - -- cgit v1.2.3-54-g00ecf From adea6f050f7b6c0f36c4b986aba751e70783e2a1 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Wed, 17 Apr 2019 10:38:52 +0200 Subject: fix network in freeoffice --- etc/freeoffice-planmaker.profile | 2 +- etc/freeoffice-presentations.profile | 2 +- etc/freeoffice-textmaker.profile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/freeoffice-planmaker.profile b/etc/freeoffice-planmaker.profile index c69c5cf55..8a53c63e3 100644 --- a/etc/freeoffice-planmaker.profile +++ b/etc/freeoffice-planmaker.profile @@ -18,7 +18,7 @@ include disable-programs.inc apparmor caps.drop all ipc-namespace -net none +netfilter no3d nodbus nodvd diff --git a/etc/freeoffice-presentations.profile b/etc/freeoffice-presentations.profile index f8004c4f4..63be4da7f 100644 
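Review bot: The change from `net none` to `netfilter` opens the network for three office profiles (this hunk plus the freeoffice-presentations and freeoffice-textmaker ones) without recording what needs it, and the commit title "fix network" gives no more detail. A comment on the new line, e.g. `# netfilter - needed for <feature, e.g. product activation — fill in>`, would let a later reviewer judge whether the access can be withdrawn or narrowed. If the need is only at activation time, noting that would also let users of the .local overrides restore `net none` afterwards.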
--- a/etc/freeoffice-presentations.profile +++ b/etc/freeoffice-presentations.profile @@ -18,7 +18,7 @@ include disable-programs.inc apparmor caps.drop all ipc-namespace -net none +netfilter no3d nodbus nodvd diff --git a/etc/freeoffice-textmaker.profile b/etc/freeoffice-textmaker.profile index 144a29900..4bca5a98c 100644 --- a/etc/freeoffice-textmaker.profile +++ b/etc/freeoffice-textmaker.profile @@ -18,7 +18,7 @@ include disable-programs.inc apparmor caps.drop all ipc-namespace -net none +netfilter no3d nodbus nodvd -- cgit v1.2.3-54-g00ecf From a9c921c0ecd397284265f8b49000ec171b8c5196 Mon Sep 17 00:00:00 2001 From: rusty-snake Date: Thu, 18 Apr 2019 10:42:56 +0200 Subject: Update gajim.profile and mpv.profile --- etc/gajim.profile | 2 +- etc/mpv.profile | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/gajim.profile b/etc/gajim.profile index 36121c4b9..ee84a0994 100644 --- a/etc/gajim.profile +++ b/etc/gajim.profile @@ -42,7 +42,7 @@ nonewprivs noroot notv nou2f -protocol unix,inet,inet6 +protocol unix,inet,inet6,netlink seccomp shell none tracelog diff --git a/etc/mpv.profile b/etc/mpv.profile index c2ae9c6f9..34542b11b 100644 --- a/etc/mpv.profile +++ b/etc/mpv.profile @@ -1,6 +1,7 @@ # Firejail profile for mpv # Description: Video player based on MPlayer/mplayer2 # This file is overwritten after every install/update +quiet # Persistent local customizations include mpv.local # Persistent global definitions @@ -44,4 +45,5 @@ shell none tracelog private-bin mpv,youtube-dl,python*,env +private-cache private-dev -- cgit v1.2.3-54-g00ecf
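Review bot: The gajim.profile hunk adds `netlink` to `protocol unix,inet,inet6,netlink` with no comment on which feature needs it; netlink sockets expose interface and routing information beyond what the previous list allowed, so the reason should be recorded, e.g. `# netlink - required by <feature, presumably GLib's network monitor — confirm>`. If the dependency is on a library rather than gajim itself, saying so helps decide whether the same addition belongs in other profiles for GLib-based network clients.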