From b4fa8e28581c29287d1c6849b83a522a0ed41b66 Mon Sep 17 00:00:00 2001 From: intika Date: Fri, 23 Mar 2018 18:54:58 +0100 Subject: Add support for the devil musixmatch --- etc/musixmatch.profile | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 etc/musixmatch.profile diff --git a/etc/musixmatch.profile b/etc/musixmatch.profile new file mode 100644 index 000000000..1e547d11c --- /dev/null +++ b/etc/musixmatch.profile @@ -0,0 +1,37 @@ +# Firejail profile for Musixmatch +# This file is overwritten after every install/update +# Persistent local customizations +include /etc/firejail/default.local +# Persistent global definitions +include /etc/firejail/globals.local + +# generic gui profile +# depending on your usage, you can enable some of the commands below: + +include /etc/firejail/disable-common.inc +include /etc/firejail/disable-devel.inc +include /etc/firejail/disable-passwdmgr.inc +include /etc/firejail/disable-programs.inc + +caps.drop all +ipc-namespace +netfilter +no3d +nodvd +nogroups +nonewprivs +noroot +nogroups +nosound +notv +novideo +protocol unix,inet,inet6,netlink +seccomp +shell none + +disable-mnt +private-dev +private-etc none + +noexec ${HOME} +noexec /tmp -- cgit v1.2.3-54-g00ecf From 6216347485573e9971497fcd427fb3e13636d266 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sun, 1 Apr 2018 07:55:24 +0000 Subject: Fix private-lib This fixes https://github.com/netblue30/firejail/issues/1841. --- etc/gnome-calculator.profile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index d13208a1e..dbadc6519 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile @@ -6,7 +6,6 @@ include /etc/firejail/gnome-calculator.local # Persistent global definitions include /etc/firejail/globals.local - include /etc/firejail/disable-common.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc 
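Review bot: The new etc/musixmatch.profile uses `include /etc/firejail/default.local` as its persistent local customization file, so overrides a user places in a per-application `musixmatch.local` are never read and whatever is in `default.local` is applied instead. The gnome-calculator profile on this page includes `gnome-calculator.local`, so this line should read `include /etc/firejail/musixmatch.local`. The header comments `# generic gui profile` and `# depending on your usage, you can enable some of the commands below:` look carried over from another profile and no longer describe this file, and `nogroups` is listed twice. `private-etc none` next to `protocol unix,inet,inet6,netlink` deserves a comment: if it leaves /etc without resolver and certificate files, name resolution and TLS verification inside the sandbox may fail, which should be confirmed with a real run.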
@@ -32,7 +31,7 @@ shell none disable-mnt private-bin gnome-calculator private-dev -private-lib +private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libplotinus.so,libproxy.so.1,librsvg-2.so.2,libxml2.so.2 private-tmp #memory-deny-write-execute - breaks on Arch -- cgit v1.2.3-54-g00ecf From 620d3f93fb5e62016a4e7eebfacad4353f4472a4 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sun, 1 Apr 2018 07:58:43 +0000 Subject: Fix the fix Forgot to take out [libplotinus.so](https://github.com/p-e-w/plotinus). Something I use myself in all GTK apps, but which isn't needed whatsoever for gnome-calculator. --- etc/gnome-calculator.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile index dbadc6519..a219ac644 100644 --- a/etc/gnome-calculator.profile +++ b/etc/gnome-calculator.profile @@ -31,7 +31,7 @@ shell none disable-mnt private-bin gnome-calculator private-dev -private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libplotinus.so,libproxy.so.1,librsvg-2.so.2,libxml2.so.2 +private-lib gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2 private-tmp #memory-deny-write-execute - breaks on Arch -- cgit v1.2.3-54-g00ecf From 4926d6cd8501b1d7abd428c6ef5570fb0c87941f Mon Sep 17 00:00:00 2001 From: Fred-Barclay Date: Sun, 1 Apr 2018 12:01:14 -0500 Subject: merges --- README | 1 + 1 file changed, 1 insertion(+) diff --git a/README b/README index 80a133148..d20e956cd 100644 --- a/README +++ b/README @@ -247,6 +247,7 @@ geg2048 (https://github.com/geg2048) glitsj16 (https://github.com/glitsj16) - evince-previewer, evince-thumbnailer profiles - gnome-recipes, gnome-logs profiles + - fixed private-lib for gnome-calculator graywolf (https://github.com/graywolf) - spelling fix greigdp (https://github.com/greigdp) -- cgit v1.2.3-54-g00ecf 
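Review bot: The `private-lib` list in etc/gnome-calculator.profile names versioned sonames (`libgconf-2.so.4`, `libgnutls.so.30`, `libproxy.so.1`, `librsvg-2.so.2`, `libxml2.so.2`), which ties the profile to one distribution's library versions, and nothing in the file says which platform the list was derived on. Where a distribution ships a different soname the entry presumably no longer matches, and a profile that breaks the application tends to get the option, or the whole sandbox, disabled locally. I would add a comment above the line such as `# private-lib list derived on <distro/version>; sonames may differ elsewhere`, in the same spirit as the existing `#memory-deny-write-execute - breaks on Arch` remark. The same applies to the `private-lib` line enabled in etc/evince.profile later on this page.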
From a06172ae3159028a819c17397861c8e091615719 Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Sun, 1 Apr 2018 17:42:55 +0000 Subject: Fix private-lib again (#1852) for evince * Fix private-lib During conversation around an [earlier attempt at fixing evince] (https://github.com/netblue30/firejail/pull/1829) and the entailing [revert-commit](https://github.com/netblue30/firejail/pull/1829/commits/45732a22d1ea4ec0ade0775be7243e8669b7f850) this slipped through the cracks. The fix is tested on Gnome Shell 3.26.2 and 3.28.0 (on Arch). * Remove irrelevant comment on private-lib * Update private-lib comments Done! --- etc/evince.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/evince.profile b/etc/evince.profile index 08c82086b..38c9ee9a9 100644 --- a/etc/evince.profile +++ b/etc/evince.profile @@ -37,7 +37,7 @@ private-dev private-etc fonts #private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711 -#private-lib evince,libpoppler-glib.so.8 +private-lib evince,gdk-pixbuf-2.0,gio,gvfs/libgvfscommon.so,libgconf-2.so.4,libpoppler-glib.so.8,librsvg-2.so.2 private-tmp -- cgit v1.2.3-54-g00ecf From 617ff40c9334929101c39d0a758fbaefad6a0f78 Mon Sep 17 00:00:00 2001 From: Melvin Vermeeren Date: Sun, 1 Apr 2018 21:57:32 +0200 Subject: add --noautopulse arg for complex pulse setups such as remote pulse servers or non-standard socket paths --- RELNOTES | 1 + src/firejail/firejail.h | 1 + src/firejail/main.c | 3 +++ src/firejail/profile.c | 4 ++++ src/firejail/sandbox.c | 2 +- src/firejail/usage.c | 1 + src/man/firejail-profile.txt | 4 ++++ src/man/firejail.txt | 11 +++++++++++ 8 files changed, 26 insertions(+), 1 deletion(-) diff --git a/RELNOTES b/RELNOTES index e76800f2c..4e4f768e7 100644 --- a/RELNOTES +++ b/RELNOTES 
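Review bot: The context line `#private-lib - seems to be breaking on Gnome Shell 3.26.2, Mutter WM, issue 1711` stays directly above the newly enabled `private-lib evince,...` line in etc/evince.profile, so the file now says the option breaks while turning it on. The commit message lists "Remove irrelevant comment on private-lib", but the diff as shown has one insertion and one deletion, and that comment is not the deleted line. Either drop the comment or replace it with what the message records, e.g. `# private-lib tested on Gnome Shell 3.26.2 and 3.28.0 (Arch)`.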
@@ -1,5 +1,6 @@ firejail (0.9.53) baseline; urgency=low * work in progress + * add --noautopulse to disable automatic ~/.config/pulse (for complex setups) * modif: support for private-bin, private-lib and shell none has been disabled while running AppImage archives in order to be able to use our regular profile files with AppImages. diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index fdb5745cb..d6c39260b 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -357,6 +357,7 @@ extern int arg_private_lib; // private lib directory extern int arg_scan; // arp-scan all interfaces extern int arg_whitelist; // whitelist commad extern int arg_nosound; // disable sound +extern int arg_noautopulse; // disable automatic ~/.config/pulse init extern int arg_novideo; //disable video devices in /dev extern int arg_no3d; // disable 3d hardware acceleration extern int arg_quiet; // no output for scripting diff --git a/src/firejail/main.c b/src/firejail/main.c index 6dc19abdd..52f6af667 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -94,6 +94,7 @@ int arg_private_lib = 0; // private lib directory int arg_scan = 0; // arp-scan all interfaces int arg_whitelist = 0; // whitelist commad int arg_nosound = 0; // disable sound +int arg_noautopulse = 0; // disable automatic ~/.config/pulse init int arg_novideo = 0; //disable video devices in /dev int arg_no3d; // disable 3d hardware acceleration int arg_quiet = 0; // no output for scripting @@ -1727,6 +1728,8 @@ int main(int argc, char **argv) { env_store(argv[i] + 8, RMENV); else if (strcmp(argv[i], "--nosound") == 0) arg_nosound = 1; + else if (strcmp(argv[i], "--noautopulse") == 0) + arg_noautopulse = 1; else if (strcmp(argv[i], "--novideo") == 0) arg_novideo = 1; else if (strcmp(argv[i], "--no3d") == 0) diff --git a/src/firejail/profile.c b/src/firejail/profile.c index 2cb91964a..3ef9a1856 100644 --- a/src/firejail/profile.c +++ b/src/firejail/profile.c 
@@ -233,6 +233,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) { arg_nosound = 1; return 0; } + else if (strcmp(ptr, "noautopulse") == 0) { + arg_noautopulse = 1; + return 0; + } else if (strcmp(ptr, "notv") == 0) { arg_notv = 1; return 0; diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index 75dbc976d..1e60b6477 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c @@ -889,7 +889,7 @@ int sandbox(void* sandbox_arg) { // disable /dev/snd fs_dev_disable_sound(); } - else + else if (!arg_noautopulse) pulseaudio_init(); if (arg_no3d) diff --git a/src/firejail/usage.c b/src/firejail/usage.c index d0292f524..cefb63a85 100644 --- a/src/firejail/usage.c +++ b/src/firejail/usage.c @@ -143,6 +143,7 @@ void usage(void) { printf(" --noroot - install a user namespace with only the current user.\n"); #endif printf(" --nosound - disable sound system.\n"); + printf(" --noautopulse - disable automatic ~/.config/pulse init.\n"); printf(" --novideo - disable video devices.\n"); printf(" --nowhitelist=filename - disable whitelist for file or directory .\n"); printf(" --output=logfile - stdout logging and log rotation.\n"); diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 77bdffb62..4b6e9766f 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt @@ -451,6 +451,10 @@ Enable IPC namespace. \fBnosound Disable sound system. .TP +\fBnoautopulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.TP \fBnotv Disable DVB (Digital Video Broadcasting) TV devices. .TP diff --git a/src/man/firejail.txt b/src/man/firejail.txt index f080c8c7b..f481f5c46 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt 
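Review bot: In src/firejail/sandbox.c the new `else if (!arg_noautopulse)` hangs off the `arg_nosound` branch, so `noautopulse` has no effect whenever `nosound` is also set. When it is set alone, `pulseaudio_init()` is skipped, and neither the code nor the man text says what setup the sandbox then runs without. Because the option turns off something firejail otherwise does for every sandbox with sound enabled, I would put a comment on the branch, e.g. `// noautopulse: skip firejail's pulse setup; the client falls back to the user's own configuration` (wording to be confirmed against pulseaudio_init()), and state the same trade-off in firejail.txt. The braced `if` followed by an unbraced `else if` is also easy to misread, so bracing both arms would be clearer. sandbox() starts and ends outside this hunk.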
@@ -1198,6 +1198,17 @@ Example: .br $ firejail \-\-nosound firefox +.TP +\fB\-\-noautopulse +Disable automatic ~/.config/pulse init, for complex setups such as remote +pulse servers or non-standard socket paths. +.br + +.br +Example: +.br +$ firejail \-\-noautopulse firefox + .TP \fB\-\-notv Disable DVB (Digital Video Broadcasting) TV devices. -- cgit v1.2.3-54-g00ecf From fc76a9ca7b72612f943a13c8b3af7334c05ee99d Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 2 Apr 2018 08:37:07 -0400 Subject: merges --- README | 9 ++++++--- README.md | 2 +- src/firecfg/firecfg.config | 1 + 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README b/README index d20e956cd..4f9bba945 100644 --- a/README +++ b/README @@ -34,10 +34,10 @@ Maintainer: Committers - Fred-Barclay (https://github.com/Fred-Barclay) -- Reiner Herrmann (https://github.com/reinerh) +- Reiner Herrmann (https://github.com/reinerh - Debian/Ubuntu maintainer) - smithsohu (https://github.com/smitsohu) - SkewedZeppelin (https://github.com/SkewedZeppelin) -- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer +- startx2017 (https://github.com/startx2017) - 0.9.38-LTS and *bugfixes branches maintainer) - Topi Miettinen (https://github.com/topimiettinen) - Vincent43 (https://github.com/Vincent43) - netblue30 (netblue30@yahoo.com) @@ -276,6 +276,8 @@ iiotx (https://github.com/iiotx) - use generic.profile by default Impyy (https://github.com/Impyy) - added mumble profile +intika (https://github.com/intika) + - added musixmatch profile irregulator (https://github.com/irregulator) - thunderbird profile fixes for debian stretch Irvine (https://github.com/Irvinehimself) 
@@ -362,8 +364,9 @@ Matthew Gyurgyik (https://github.com/pyther) - rpm spec and several fixes maxice8 (https://github.com/maxice8) - fixed missing header -melvinvermeeren (https://github.com/melvinvermeeren) +Melvin Vermeeren (https://github.com/melvinvermeeren) - added teamspeak3 profile + - added --noautopulse command line option Michael Haas (https://github.com/mhaas) - bugfixes Mike Frysinger (vapier@gentoo.org) diff --git a/README.md b/README.md index 4d9727797..a464c2c09 100644 --- a/README.md +++ b/README.md @@ -308,4 +308,4 @@ Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-can pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain, tilp, vivaldi-snapshot, bitcoin-qt, VS Code, falkon, gnome-builder, lobase, asunder, gnome-recipes, akonadi_control, evince-previewer, evince-thumbnailer, blender-2.8, -thunderbird-beta, ncdu, gnome-logs, gcloud +thunderbird-beta, ncdu, gnome-logs, gcloud, musixmatch diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config index 1f56e2532..c06291294 100644 --- a/src/firecfg/firecfg.config +++ b/src/firecfg/firecfg.config @@ -262,6 +262,7 @@ mumble mupdf mupen64plus musescore +musixmatch mutt natron nautilus -- cgit v1.2.3-54-g00ecf From f62145322c0981cc02bac324dc3a9193565e638a Mon Sep 17 00:00:00 2001 From: netblue30 Date: Mon, 2 Apr 2018 08:37:53 -0400 Subject: merges --- RELNOTES | 1 + 1 file changed, 1 insertion(+) diff --git a/RELNOTES b/RELNOTES index 4e4f768e7..a560c79b9 100644 --- a/RELNOTES +++ b/RELNOTES @@ -32,6 +32,7 @@ firejail (0.9.53) baseline; urgency=low * new profiles: falkon, gnome-builder, asunder, VS Code, gnome-recipes * new profiles: akonadi_controle, evince-previewer, evince-thumbnailer, * new profiles: blender-2.8, thunderbird-beta, ncdu, gnome-logs, gcloud + * new profiles: musixmatch -- netblue30 Thu, 1 Mar 2018 08:00:00 -0500 firejail (0.9.52) baseline; urgency=low -- cgit v1.2.3-54-g00ecf