From 8194f8fb2f4be6ae3515ccde08546c9c4ca4f645 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sun, 18 Aug 2019 04:53:47 -0400
Subject: profiles: add kiwix-desktop

---
 README.md | 2 +-
 RELNOTES | 3 ++-
 etc/disable-programs.inc | 2 ++
 etc/kiwix-desktop.profile | 49 ++++++++++++++++++++++++++++++++++++++++++++++
 src/firecfg/firecfg.config | 1 +
 5 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 etc/kiwix-desktop.profile

diff --git a/README.md b/README.md
index 89c4b9c53..9e0116350 100644
--- a/README.md
+++ b/README.md
@@ -116,4 +116,4 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 ## New profiles:
-gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat
+gnome-sound-recorder, godot, jerry, keepassxc-cli, keepassxc-proxy, klatexformula, klatexformula_cmdl, links, newsbeuter, OpenArena, pandoc, qgis, rhythmbox-client, tcpdump, teams-for-linux, tshark, xlinks, zeal, mpg123, conplay, mpg123.bin, mpg123-alsa, mpg123-id3dump, mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss, mpg123-portaudio, mpg123-pulse, mpg123-strip, out123, pavucontrol-qt, gnome-characters, gnome-character-map, rsync, Whalebird, tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat, kiwix-desktop
diff --git a/RELNOTES b/RELNOTES
index d639940bd..41a288bd0 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -12,7 +12,8 @@ firejail (0.9.61) baseline; urgency=low
 * new profiles: mpg123-jack, mpg123-nas, mpg123-openal, mpg123-oss
 * new profiles: mpg123-portaudio, mpg123-pulse, mpg123-strip, pavucontrol-qt
 * new profiles: gnome-characters, gnome-character-map, rsync, Whalebird,
- * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat
+ * new profiles: tor-browser (AUR), Zulip, tb-starter-wrapper, bzcat,
+ * new profiles: kiwix-desktop
 -- netblue30 Sat, 1 Jun 2019 08:00:00 -0500
 firejail (0.9.60) baseline; urgency=low
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index c0bf1f8d4..a3f7c570b 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -509,6 +509,8 @@ blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kate
 blacklist ${HOME}/.local/share/kdenlive
 blacklist ${HOME}/.local/share/kget
+blacklist ${HOME}/.local/share/kiwix
+blacklist ${HOME}/.local/share/kiwix-desktop
 blacklist ${HOME}/.local/share/klavaro
 blacklist ${HOME}/.local/share/kmail2
 blacklist ${HOME}/.local/share/knotes
diff --git a/etc/kiwix-desktop.profile b/etc/kiwix-desktop.profile
new file mode 100644
index 000000000..db8f7880c
--- /dev/null
+++ b/etc/kiwix-desktop.profile
@@ -0,0 +1,49 @@
+# Firejail profile for kiwix-desktop
+# Description: view/manage ZIM files
+# This file is overwritten after every install/update
+# Persistent local customizations
+include kiwix-desktop.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/kiwix
+noblacklist ${HOME}/.local/share/kiwix-desktop
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.local/share/kiwix
+mkdir ${HOME}/.local/share/kiwix-desktop
+whitelist ${HOME}/.local/share/kiwix
+whitelist ${HOME}/.local/share/kiwix-desktop
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+netfilter
+# no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+# nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
+shell none
+
+disable-mnt
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,hostname,hosts,ld.so.cache,machine-id,pki,pulse,resolv.conf,ssl
+private-tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 59d64ceb4..daaa4919e 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -314,6 +314,7 @@ kid3
 kid3-cli
 kid3-qt
 kino
+kiwix-desktop
 klatexformula
 klatexformula_cmdl
 klavaro
-- 
cgit v1.2.3-54-g00ecf
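Review bot: In etc/kiwix-desktop.profile the `seccomp.drop` line is a hand-expanded syscall list with no comment explaining why plain `seccomp` is not used, so a later maintainer cannot tell which syscalls were left out deliberately, and the frozen list will not follow later additions to firejail's default filter. If the intent is the usual QtWebEngine exception (chroot left unfiltered so the embedded engine can set up its own sandbox; this is an inference, the patch does not say), state it above the line, e.g. `# QtWebEngine needs chroot for its own sandbox; this is the default seccomp list minus chroot`. The commented-out `# no3d` and `# nosound` deserve the same one-line reason each. It is also worth documenting that, as far as the visible lines show, `whitelist` exposes only the two `${HOME}/.local/share/kiwix*` directories and `disable-mnt` hides mounted media, so ZIM files kept elsewhere will not be visible; a comment pointing users to `kiwix-desktop.local` for extra paths keeps them from dropping the sandbox to work around it.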