From fadaac29530845119e957d995c8d7e6470023c8c Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 13 Feb 2019 22:48:33 +0000
Subject: Refactor snap.profile

---
 etc/snap.profile | 55 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 5 deletions(-)

diff --git a/etc/snap.profile b/etc/snap.profile
index 6d95e719a..ef4f3d3a6 100644
--- a/etc/snap.profile
+++ b/etc/snap.profile
@@ -1,17 +1,62 @@
 # Firejail profile for snap
-# Description: generic Ubuntu snap application profile
+# Description: Install, configure, refresh and remove snap packages
 # This file is overwritten after every install/update
+quiet
 # Persistent local customizations
 include snap.local
 # Persistent global definitions
 include globals.local
 
-# Generic Ubuntu snap application profile
+# Note: Snap packages have their own confinement mechanism relying on snapd and apparmor.
+# As such firejail is not able to deliver any additional sandboxing for snaps. This profile does sandbox
+# the snap tool which is used to interact with snap packages.
+# See https://docs.snapcraft.io/ for more detailed info.
+
+noblacklist ${HOME}/.snap
+noblacklist ${HOME}/snap
+noblacklist ${DOWNLOADS}
+
+noblacklist /var/cache/snapd
+noblacklist /var/lib/snapd
+noblacklist /var/snap
+
+mkdir ${HOME}/.snap
+mkdir ${HOME}/snap
+whitelist ${HOME}/.snap
+whitelist ${HOME}/snap
 
 include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-xdg.inc
 
-whitelist ${DOWNLOADS}
-whitelist ${HOME}/snap
-include whitelist-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-bin snap
+private-dev
+private-etc group,passwd
+private-lib snapd
+private-tmp
+
+memory-deny-write-execute
+noexec ${HOME}
+noexec /tmp
-- 
cgit v1.2.3-70-g09d2
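Review bot: `noblacklist ${DOWNLOADS}` near the top of the new profile is dead once `whitelist ${HOME}/.snap` and `whitelist ${HOME}/snap` are in effect, because whitelisting any path under home hides every other home path, so installing a local package from ${DOWNLOADS} (`snap install --dangerous ./foo.snap`) will not find the file; the old `whitelist ${DOWNLOADS}` that did this work is the line being dropped. Either add `whitelist ${DOWNLOADS}` beside the two home whitelists or remove the ineffective `noblacklist ${DOWNLOADS}`. The header note should also state that `snap run <app>` (and desktop launchers that go through it) is out of scope: on standard installs it re-executes the setuid `snap-confine` helper, which `nonewprivs`, `noroot` and `private-bin snap` all defeat; something like `# Note: 'snap run' needs the setuid snap-confine helper and will not work under this profile.` would save users a confusing failure. Finally, `protocol unix,inet,inet6` grants network access, but `private-etc group,passwd` omits `ssl`, `ca-certificates`, `hosts` and `resolv.conf`, so any operation in which the client talks to the store directly rather than through the snapd socket (presumably `snap download`) would fail TLS or name resolution — worth confirming before shipping.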
From b17921925bfd576d3cca2de96857179ae710649e Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Wed, 13 Feb 2019 22:51:05 +0000
Subject: Add snap blacklist items to disable-common.inc

---
 etc/disable-common.inc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index f98f247d5..ac95a7479 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -411,3 +411,10 @@ blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
+
+# snap
+blacklist ${HOME}/.snap
+blacklist ${HOME}/snap
+blacklist /var/cache/snapd
+blacklist /var/lib/snapd
+blacklist /var/snap
-- 
cgit v1.2.3-70-g09d2

From 6a0bf25381bd96c6bc2d68edff231e2a7a25bf02 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 14 Feb 2019 15:50:16 +0000
Subject: Retire snap.profile

---
 etc/disable-common.inc | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ac95a7479..f98f247d5 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -411,10 +411,3 @@ blacklist /usr/share/flatpak
 blacklist /var/lib/flatpak
 # most of the time bwrap is SUID binary
 blacklist ${PATH}/bwrap
-
-# snap
-blacklist ${HOME}/.snap
-blacklist ${HOME}/snap
-blacklist /var/cache/snapd
-blacklist /var/lib/snapd
-blacklist /var/snap
-- 
cgit v1.2.3-70-g09d2

From 3a69230a511c752a1b7c4aac250984acd43b5ac3 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Thu, 14 Feb 2019 15:51:28 +0000
Subject: Delete snap.profile

---
 etc/snap.profile | 62 --------------------------------------------------------
 1 file changed, 62 deletions(-)
 delete mode 100644 etc/snap.profile

diff --git a/etc/snap.profile b/etc/snap.profile
deleted file mode 100644
index ef4f3d3a6..000000000
--- a/etc/snap.profile
+++ /dev/null
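Review bot: `blacklist ${HOME}/snap` in the first hunk reaches further than the flatpak entries just above it: ~/snap is where snap applications keep their per-user data (documents, downloads, config), and because disable-common.inc is included by nearly every profile this hides those files from every firejailed file manager, editor or browser, whereas `/var/lib/flatpak` and `/usr/share/flatpak` only hide installation trees. Consider keeping the snapd state, cache and `${HOME}/.snap` (store credentials) entries but dropping `blacklist ${HOME}/snap`, and recording the intent with a comment such as `# snap: hide snapd state, the store cache and ~/.snap credentials; ~/snap holds user data of snap apps and is left visible`. Note also that, unlike `blacklist ${PATH}/bwrap` for flatpak, nothing here covers the actual control surface — presumably the snapd API socket under /run — so a sandboxed process can still talk to snapd, subject only to snapd's own peer-credential checks; if that is acceptable it deserves a one-line comment saying so.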
@@ -1,62 +0,0 @@
-# Firejail profile for snap
-# Description: Install, configure, refresh and remove snap packages
-# This file is overwritten after every install/update
-quiet
-# Persistent local customizations
-include snap.local
-# Persistent global definitions
-include globals.local
-
-# Note: Snap packages have their own confinement mechanism relying on snapd and apparmor.
-# As such firejail is not able to deliver any additional sandboxing for snaps. This profile does sandbox
-# the snap tool which is used to interact with snap packages.
-# See https://docs.snapcraft.io/ for more detailed info.
-
-noblacklist ${HOME}/.snap
-noblacklist ${HOME}/snap
-noblacklist ${DOWNLOADS}
-
-noblacklist /var/cache/snapd
-noblacklist /var/lib/snapd
-noblacklist /var/snap
-
-mkdir ${HOME}/.snap
-mkdir ${HOME}/snap
-whitelist ${HOME}/.snap
-whitelist ${HOME}/snap
-
-include disable-common.inc
-include disable-devel.inc
-include disable-interpreters.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-xdg.inc
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodbus
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6
-seccomp
-shell none
-
-disable-mnt
-private-bin snap
-private-dev
-private-etc group,passwd
-private-lib snapd
-private-tmp
-
-memory-deny-write-execute
-noexec ${HOME}
-noexec /tmp
-- 
cgit v1.2.3-70-g09d2