From 8638519a4a0d66263d4b198252f6964c226829c9 Mon Sep 17 00:00:00 2001 From: Tad Date: Mon, 25 Sep 2017 15:17:06 -0400 Subject: Add a profile for Android ROM compilation such as AOSP, LineageOS/CyanogenMod, etc. Use like: firejail --profile=/etc/firejail/aosp.profile /bin/bash --- README.md | 3 ++- etc/android-studio.profile | 2 ++ etc/aosp.profile | 42 ++++++++++++++++++++++++++++++++++++++++++ etc/disable-programs.inc | 4 ++++ etc/idea.sh.profile | 2 ++ 5 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 etc/aosp.profile diff --git a/README.md b/README.md index ef4a18310..303bd3359 100644 --- a/README.md +++ b/README.md @@ -180,4 +180,5 @@ calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, -conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool +conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool, +aosp diff --git a/etc/android-studio.profile b/etc/android-studio.profile index 1e1953780..6be92e1c0 100644 --- a/etc/android-studio.profile +++ b/etc/android-studio.profile @@ -9,6 +9,8 @@ noblacklist ${HOME}/.AndroidStudio* noblacklist ${HOME}/.android noblacklist ${HOME}/.gitconfig noblacklist ${HOME}/.gradle +noblacklist ${HOME}/.jack-server +noblacklist ${HOME}/.jack-settings noblacklist ${HOME}/.java noblacklist ${HOME}/.local/share/JetBrains noblacklist ${HOME}/.ssh diff --git a/etc/aosp.profile b/etc/aosp.profile new file mode 100644 index 000000000..6109d1701 --- /dev/null +++ b/etc/aosp.profile 
@@ -0,0 +1,42 @@
+# Firejail profile for aosp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/aosp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+
+noblacklist ${HOME}/.android
+noblacklist ${HOME}/.bash_history
+noblacklist ${HOME}/.gitconfig
+noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
+noblacklist ${HOME}/.java
+noblacklist ${HOME}/.repo_.gitconfig.json
+noblacklist ${HOME}/.repoconfig
+noblacklist ${HOME}/.ssh
+noblacklist ${HOME}/.tooling
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+include /etc/firejail/whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+private-tmp
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 4779b0aae..40bca578f 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -222,6 +222,8 @@ blacklist ${HOME}/.hugin
 blacklist ${HOME}/.icedove
 blacklist ${HOME}/.imagej
 blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.jack-server
+blacklist ${HOME}/.jack-settings
 blacklist ${HOME}/.java
 blacklist ${HOME}/.jitsi
 blacklist ${HOME}/.kde/share/apps/gwenview
@@ -362,6 +364,8 @@ blacklist ${HOME}/.pingus
 blacklist ${HOME}/.purple
 blacklist ${HOME}/.qemu-launcher
 blacklist ${HOME}/.remmina
+blacklist ${HOME}/.repo_.gitconfig.json
+blacklist ${HOME}/.repoconfig
 blacklist ${HOME}/.retroshare
 blacklist ${HOME}/.scribus
 blacklist ${HOME}/.scribusrc
diff --git a/etc/idea.sh.profile b/etc/idea.sh.profile
index 928ec7327..caec416e9 100644
--- a/etc/idea.sh.profile
+++ b/etc/idea.sh.profile
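Review bot: In etc/aosp.profile, `noblacklist ${HOME}/.ssh` and `noblacklist ${HOME}/.bash_history` make SSH private keys and shell history readable by every script and prebuilt tool the ROM build executes, while `protocol unix,inet,inet6` leaves network access open to that same code. The profile also sets no `whitelist` for the source tree, so any part of $HOME that the included disable-*.inc files do not blacklist stays reachable from the build. I would drop the `.bash_history` line unless something in the build actually needs it; it looks like a convenience for the interactive `/bin/bash` in the commit message. The `.ssh` line should carry a comment stating the trade-off, for example `# .ssh is exposed (presumably for repo sync over SSH); build scripts can read these keys`.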
@@ -9,6 +9,8 @@ noblacklist ${HOME}/.IdeaIC*
 noblacklist ${HOME}/.android
 noblacklist ${HOME}/.gitconfig
 noblacklist ${HOME}/.gradle
+noblacklist ${HOME}/.jack-server
+noblacklist ${HOME}/.jack-settings
 noblacklist ${HOME}/.java
 noblacklist ${HOME}/.local/share/JetBrains
 noblacklist ${HOME}/.ssh
-- cgit v1.2.3-54-g00ecf