From 91a2bedaf42abcb947ef9370919b9d5503e84e47 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
Date: Wed, 10 Jun 2020 21:56:36 +0200
Subject: New profiles: apostrophe & quadrapassel
---
 README.md | 2 +-
 RELNOTES | 4 ++-
 etc/inc/disable-programs.inc | 1 +
 etc/profile-a-l/apostrophe.profile | 69 ++++++++++++++++++++++++++++++++++++
 etc/profile-a-l/emacs.profile | 7 ++--
 etc/profile-a-l/file-roller.profile | 2 ++
 etc/profile-m-z/quadrapassel.profile | 20 +++++++++++
 etc/profile-m-z/yelp.profile | 2 ++
 src/firecfg/firecfg.config | 2 ++
 9 files changed, 103 insertions(+), 6 deletions(-)
 create mode 100644 etc/profile-a-l/apostrophe.profile
 create mode 100644 etc/profile-m-z/quadrapassel.profile
diff --git a/README.md b/README.md
index 96df50575..bc36d246f 100644
--- a/README.md
+++ b/README.md
@@ -196,4 +196,4 @@ gnome-screenshot, ripperX, sound-juicer, iagno, com.github.dahenson.agenda, gnom
 penguin-command, x2goclient, frogatto, gnome-mines, gnome-nibbles, lightsoff, ts3client_runscript.sh, warmux, ferdi, abiword, four-in-a-row, gnome-mahjongg, gnome-robots, gnome-sudoku, gnome-taquin, gnome-tetravex, blobwars, gravity-beams-and-evaporating-stars, hyperrogue, jumpnbump-menu, jumpnbump, magicor, mindless, mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers,
-seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime
+seahorse-adventures, wordwarvi, xbill, gnome-klotski, five-or-more, swell-foop, fdns, jitsi-meet-desktop, nicontine, steam-runtime, apostrophe, quadrapassel, dino-im
diff --git a/RELNOTES b/RELNOTES
index 9f97f8ab1..172850c7c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -10,9 +10,11 @@ firejail (0.9.63) baseline; urgency=low
 With this version Nodbus is deprecated, in favor of dbus-user none and dbus-system none and will be removed in a future version.
 * DHCP client support
+  * firecfg only fix dektop-files if started with sudo
 * SELinux labeling support
 * custom 32-bit seccomp filter support
 * restrict ${RUNUSER} in several profiles
+  * blacklist shells such as bash in several profiles
 * whitelist globbing
 * mkdir and mkfile support for /run/user directory
 * new condition: HAS_NOSOUND
@@ -33,7 +35,7 @@ firejail (0.9.63) baseline; urgency=low
 * new profiles: mirrormagic, mrrescue, scorched3d-wrapper, scorchwentbonkers
 * new profiles: seahorse-adventures, wordwarvi, xbill, gnome-klotski
 * new profiles: swell-foop, fdns, five-or-more, steam-runtime, jitsi-meet-desktop
-  * new profiles: nicotine, plv, mocp
+  * new profiles: nicotine, plv, mocp, apostrophe, quadrapassel, dino-im
 -- netblue30 Tue, 21 Apr 2020 08:00:00 -0500
 firejail (0.9.62) baseline; urgency=low
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 32228b8f2..43c8292e0 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -636,6 +636,7 @@ blacklist ${HOME}/.local/share/pix
 blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/profanity
 blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/quadrapassel
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
 blacklist ${HOME}/.local/share/remmina
diff --git a/etc/profile-a-l/apostrophe.profile b/etc/profile-a-l/apostrophe.profile
new file mode 100644
index 000000000..5dfe034e0
--- /dev/null
+++ b/etc/profile-a-l/apostrophe.profile
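Review bot: The new `blacklist ${HOME}/.local/share/quadrapassel` line is inserted before `qpdfview`, but `qp` sorts before `qu`, so it breaks the alphabetical order the neighbouring entries keep (psi+, qpdfview, qutebrowser). The firecfg.config hunk in this same commit places `quadrapassel` after `qtox` and before `quassel`, which is the ordering this include file should mirror. Move the line one entry down so it sits between `blacklist ${HOME}/.local/share/qpdfview` and `blacklist ${HOME}/.local/share/qutebrowser`.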
@@ -0,0 +1,69 @@
+# Firejail profile for apostrophe
+# Description: Distraction free Markdown editor for GNU/Linux made with GTK+
+# This file is overwritten after every install/update
+# Persistent local customizations
+include apostrophe.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${DOCUMENTS}
+noblacklist ${PICTURES}
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python3.inc
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+whitelist /usr/share/apostrophe
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin apostrophe,python3*
+private-cache
+private-dev
+private-etc alternatives,dconf,fonts,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,pango,X11
+# private-etc templates (see also #1734, #2093)
+# Common: alternatives,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,xdg
+# Extra: magic,magic.mgc,passwd,group
+# Networking: ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf,hosts,host.conf,hostname,protocols,services,rpc
+# Extra: proxychains.conf,gai.conf
+# Sound: alsa,asound.conf,pulse,machine-id
+# GUI: fonts,pango,X11
+# GTK: dconf,gconf,gtk-2.0,gtk-3.0
+# Qt: Trolltech.conf
+# KDE: kde4rc,kde5rc
+# 3D: drirc,glvnd,bumblebee,nvidia
+# D-Bus: dbus-1,machine-id
+private-tmp
+
+dbus-user filter
+dbus-user.own org.gnome.gitlab.somas.Apostrophe
+dbus-user.talk ca.desrt.dconf
+dbus-system none
</gr_insert_placeholder_never_used>
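Review bot: The `private-etc` line leaves out `locale`, `locale.alias`, `locale.conf`, `localtime`, `mime.types` and `xdg` even though the "Common" template quoted directly beneath it lists them, and it also omits `dbus-1` from the "D-Bus" template while the profile enables `dbus-user filter` a few lines later. If those omissions are deliberate they deserve a one-line comment next to the directive, otherwise a GTK file dialog without `/etc/mime.types` or `/etc/xdg` may misbehave and the inconsistency with the template will be copied into future profiles. Separately, `private-bin apostrophe,python3*` admits no document converter; if apostrophe shells out to an external tool such as pandoc for export (not visible in this hunk), that feature will fail inside the sandbox, so either add the binary or record the trade-off with `# export via external converters is not supported by this profile`.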
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index de4ea97a4..226237b5b 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -19,10 +19,6 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment out if you want an immutable configuration
-read-write ${HOME}/.emacs
-read-write ${HOME}/.emacs.d
-
 caps.drop all
 netfilter
 nodvd
@@ -33,3 +29,6 @@ notv
 novideo
 protocol unix,inet,inet6
 seccomp
+
+read-write ${HOME}/.emacs
+read-write ${HOME}/.emacs.d
diff --git a/etc/profile-a-l/file-roller.profile b/etc/profile-a-l/file-roller.profile
index 70dd030ee..745b8b8e9 100644
--- a/etc/profile-a-l/file-roller.profile
+++ b/etc/profile-a-l/file-roller.profile
@@ -42,3 +42,5 @@ private-cache
 private-dev
 private-etc dconf,fonts,gtk-3.0,xdg
 # private-tmp
+
+dbus-system none
diff --git a/etc/profile-m-z/quadrapassel.profile b/etc/profile-m-z/quadrapassel.profile
new file mode 100644
index 000000000..91e0d9d0d
--- /dev/null
+++ b/etc/profile-m-z/quadrapassel.profile
@@ -0,0 +1,20 @@
+# Firejail profile for quadrapassel
+# Description: Tetris-like game for GNOME
+# This file is overwritten after every install/update
+# Persistent local customizations
+include quadrapassel.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/quadrapassel
+
+mkdir ${HOME}/.local/share/quadrapassel
+whitelist ${HOME}/.local/share/quadrapassel
+whitelist /usr/share/quadrapassel
+
+private-bin quadrapassel
+
+dbus-user.own org.gnome.Quadrapassel
+
+# Redirect
+include gnome_games-common.profile
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index f643cf252..fd95ceb04 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
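Review bot: The two `read-write ${HOME}/.emacs` / `read-write ${HOME}/.emacs.d` lines are re-added at the end of the profile without the explanatory comment that used to accompany them, so a reader of the new file no longer learns that they are the knob to flip for an immutable configuration. Restore the hint directly above the moved lines, e.g. `# Comment out if you want an immutable configuration`, or, since local overrides are the intended customization path, `# Put 'ignore read-write ${HOME}/.emacs' (and .emacs.d) into emacs.local for an immutable config`. Nothing in the hunk records why the lines moved, so a short note on that would also help the next person who diffs this file.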
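Review bot: `dbus-system none` closes the system bus for file-roller, but nothing visible in this hunk restricts the session bus, and no comment says whether leaving it open is deliberate. If file-roller only needs dconf and a file-manager handoff, a `dbus-user filter` with explicit `dbus-user.talk` rules would complete the change; if the unrestricted session bus is required for something not evident here, a comment such as `# dbus-user left unfiltered: needed for <reason>` above the new line would save the next reviewer the same question. The surrounding profile starts outside the hunk, so an existing dbus-user directive earlier in the file cannot be ruled out from here.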
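Review bot: `dbus-user.own org.gnome.Quadrapassel` only has an effect if the redirected `gnome_games-common.profile` (not shown here) enables `dbus-user filter`; if that shared profile ends with `dbus-user none` or leaves the bus unrestricted, the own rule is either moot or blocks the name registration, so this is worth confirming against that file. The other new profile in this commit sets `dbus-user filter` explicitly, which is why the asymmetry stands out. A comment on the line, `# dbus-user filter is set by gnome_games-common.profile`, would document the dependency once verified.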
@@ -51,6 +51,8 @@ private-dev
 private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,gtk-3.0,machine-id,openal,os-release,pulse,sgml,xml
 private-tmp
+dbus-system none
+
 # read-only ${HOME} breaks some not necesarry featrues, comment it if
 # you need them or put 'ignore read-only ${HOME}' into your yelp.local.
 # broken features:
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 43777da03..435dc8222 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -38,6 +38,7 @@ amule
 amuled
 android-studio
 anydesk
+apostrophe
 apktool
 # ar - disable until we fix CLI archivers for makepkg on Arch (see discussion in #3095)
 arch-audit
@@ -572,6 +573,7 @@ qmmp
 qpdfview
 qt-faststart
 qtox
+quadrapassel
 quassel
 quiterss
 qupzilla
-- 
cgit v1.2.3-70-g09d2