From 7047e1a68955adc789d028ededdf0790a45d01f5 Mon Sep 17 00:00:00 2001 From: "Kelvin M. Klann" Date: Mon, 25 Mar 2024 06:42:07 +0000 Subject: New profile: qemu-common.profile (#6287) Add a common profile to deduplicate entries and make qemu-related profiles redirect to it. Relates to #6255. --- etc/profile-m-z/qemu-common.profile | 28 ++++++++++++++++++++++++++++ etc/profile-m-z/qemu-launcher.profile | 21 ++------------------- etc/profile-m-z/qemu-system-x86_64.profile | 21 ++------------------- etc/profile-m-z/tqemu.profile | 17 +++++------------ 4 files changed, 37 insertions(+), 50 deletions(-) create mode 100644 etc/profile-m-z/qemu-common.profile diff --git a/etc/profile-m-z/qemu-common.profile b/etc/profile-m-z/qemu-common.profile new file mode 100644 index 000000000..bf8c2b977 --- /dev/null +++ b/etc/profile-m-z/qemu-common.profile @@ -0,0 +1,28 @@ +# Firejail profile for QEMU +# Description: Machine & userspace emulator and virtualizer +# This file is overwritten after every install/update +# Persistent local customizations +include qemu-common.local +# Persistent global definitions +# added by caller profile +#include globals.local + +include disable-common.inc +include disable-programs.inc + +caps.drop all +netfilter +nodvd +nogroups +nonewprivs +noroot +notv +protocol unix,inet,inet6 +seccomp +tracelog + +private-cache +private-tmp + +noexec /tmp +restrict-namespaces diff --git a/etc/profile-m-z/qemu-launcher.profile b/etc/profile-m-z/qemu-launcher.profile index 8484d3705..5eab480dc 100644 --- a/etc/profile-m-z/qemu-launcher.profile +++ b/etc/profile-m-z/qemu-launcher.profile @@ -7,22 +7,5 @@ include globals.local noblacklist ${HOME}/.qemu-launcher -include disable-common.inc -include disable-programs.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -protocol unix,inet,inet6 -seccomp -tracelog - -private-cache -private-tmp - -noexec /tmp -restrict-namespaces +# Redirect +include qemu-common.profile diff --git a/etc/profile-m-z/qemu-system-x86_64.profile b/etc/profile-m-z/qemu-system-x86_64.profile index 495c469f7..27dd31af1 100644 --- a/etc/profile-m-z/qemu-system-x86_64.profile +++ b/etc/profile-m-z/qemu-system-x86_64.profile @@ -6,22 +6,5 @@ include qemu-system-x86_64.local # Persistent global definitions include globals.local -include disable-common.inc -include disable-programs.inc - -caps.drop all -netfilter -nodvd -nogroups -nonewprivs -noroot -notv -protocol unix,inet,inet6 -seccomp -tracelog - -private-cache -private-tmp - -noexec /tmp -restrict-namespaces +# Redirect +include qemu-common.profile diff --git a/etc/profile-m-z/tqemu.profile b/etc/profile-m-z/tqemu.profile index cf83202f7..d46cf15d9 100644 --- a/etc/profile-m-z/tqemu.profile +++ b/etc/profile-m-z/tqemu.profile @@ -6,21 +6,14 @@ include tqemu.local # Persistent global definitions include globals.local -include disable-common.inc -include disable-programs.inc +# breaks app +ignore restrict-namespaces # For host-only network sys_admin is needed. # See https://github.com/netblue30/firejail/issues/2868#issuecomment-518647630 +ignore caps.drop all caps.keep net_raw,sys_nice #caps.keep net_raw,sys_admin -netfilter -nodvd -notv -tracelog - -private-cache -private-tmp -noexec /tmp -# breaks app -#restrict-namespaces +# Redirect +include qemu-common.profile -- cgit v1.2.3-54-g00ecf